Mobile Device Security: Are App Stores Doing Enough?

October 26, 2018

What poses the greatest cybersecurity threat to your mobile phone or tablet? According to a Capitol professor, it’s something that each of us has on our devices. Something we couldn’t remove even if we wanted to.

The app store.

We love our apps. They fill our lives with music, games, and information. They wake us up, tell us how to get to our destinations, locate recipes for us, track our exercise regimens, and monitor our overall health. During the first quarter of 2018 alone, Google Play hosted nearly 4 million apps, while Apple hosted around 2 million.

According to Dr. Jason M. Pittman, however, app stores by their very nature pose a cybersecurity threat.

“App stores provide a many-to-many distribution threat vector; there are many applications in an app store and many devices with app stores. Keep in mind that app stores are native apps on these phones and are not removable – yet they are vectors for 100% of the on-device security issues -- e.g., other apps,” Pittman says.


Both Apple and Google Play put apps through a review process and set rules for developers. Even so, the FTC has flagged popular apps such as Credit Karma and Fandango for failing to protect user credit card data, while a breach disclosed by Uber earlier this year compromised the personal data of more than 20 million users. And those are just three examples.

Moreover, mobile device users are increasingly turning to third-party app stores, such as Cydia or Tencent. Developers like the quick approval process and comparative lack of constraints found among some of these third-party stores – but that freedom comes with increased security risk.

“An app store is the primary channel for loading software onto a mobile device. That alone creates a focal point for threat agents. Indeed, we see this manifested in realized compromises coming through apps rather than, say, network-based attacks,” Pittman says.

What can consumers do? Being careful about what apps you purchase and download is a start – but hardly enough to mitigate the risk.

“Due diligence on the part of the consumer is a strong but partial measure,” he says. “The best we can do is force device manufacturers to provide more transparent and robust controls through their app review process – that is, the security reviews conducted prior to apps appearing in the app stores.”

App stores fit the definition of a malicious threat, Pittman says – but it’s a threat many of us have no choice but to accept.

“All apps coming through a store are questionable. Yet a mobile device is largely impotent without an app store. Would you buy a smartphone that you had to sideload all of the software onto? If so, how would you find that software? You'd have no basis in the form of rating comparisons, other user feedback, and so on. If we accept that we cannot function optimally without the app store, we have to cede control and trust to the app store.”

“Thus, I think the correct path is to push the manufacturer to be more transparent in their app review processes, and increase the robustness of those security controls.”