Combating accidentally dangerous mobile apps requires taking initiative

Shane Schick

His presentation at the RSA conference in Europe last week was called "Opening the Kimono," and according to Michael Sutton, that's the best way to describe how vulnerable consumers are beginning to feel after downloading certain kinds of mobile apps.

Sutton is vice president of security research at Zscaler, a San Jose, Calif.-based firm that offers a cloud-based gateway that scans traffic for enterprise customers, but his presentation would probably have been of interest to anyone who has ever downloaded something to his or her smartphone without giving it a lot of thought. According to Zscaler's ThreatLabZ division, 10 percent of mobile apps expose logins and passwords, a quarter leave personal information open for the taking and 40 percent communicate with third parties that users may or may not know about. In response, the company has created the Zscaler Application Profiler (ZAP), which will scan traffic from an app installed on a user's device and score the app based on how risky it is and the degree to which privacy and security might be compromised. The idea is that if more people use ZAP, the scores will get better and better as the database of iOS and Android app security grows. Sutton debuted ZAP at the RSA conference.

"It's not designed to be a silver bullet and solve all their problems but to do things they were previously unable to do," Sutton said. "The big goal is to create awareness of how many security and privacy problems are in these apps because this isn't well understood."

Maybe not, but data from the Pew Internet and American Life project, among other studies, show a growing predisposition among users to either uninstall apps that worry them, or simply avoid them in the first place. Sutton compares the situation to the early days of Web application development more than 10 years ago, when the average company didn't have a lot of internal resources to do the necessary security testing.

"Media reports on mobile security tend to cover the malicious attacks, but there are lots of perfectly legitimate apps that were unintentionally made vulnerable," he said. "For a lot of users, an app is a black box. They trust that the developer knew what [sic] they were doing."

Much like other free online assessment systems that give users information on everything from mortgage prices to fitness levels, ZAP is really a marketing tool for Zscaler, which could use it to show organizations the benefits of using its services. The tricky part is getting consumers to be proactive about using the tool to do a quick check before they download and install new apps. It can be difficult to foster that kind of habit among everyday smartphone users, but imagine for a moment that it happens. How might regular security audits by consumers change the expectations around privacy and risk for developers? To what extent would developers even consider trying a tool like ZAP before they released a new product to the public?

Whether or not a tool like ZAP is involved, a conversation about putting security first would be beneficial across all levels, including the vendors behind the app stores.

"There is no doubt in my mind that if I can do a scan on an app in 30 seconds, they could do the same," Sutton said. "Google (NASDAQ:GOOG) is more focused on intentionally malicious applications. Apple (NASDAQ:AAPL) is more focused on user experience than anything else--you can get an app banned from the App Store if it doesn't look and feel right, but not because of its risk profile."

It's not a question of putting the onus solely on the app stores, the developers or even consumers, really. Nothing will change until we treat privacy and security as a shared responsibility.--Shane