Security Risk: App-Stores

Whether the installation of an app poses a risk or not depends largely on the security processes in the respective app store. We have examined various prominent app stores and checked their security measures. The results are surprising.

The success of mobile apps for smartphones and tablets is not only making the number of apps on offer rise steadily; the number of app marketplaces is growing as well. A current example is the Amazon Appstore for Android. This raises the question, especially for Android users, of which stores should be used. The security of the store itself plays an important role in that decision, and there are still significant differences between stores that users should be aware of.

Dangerous vulnerabilities in App Stores

App stores offer a way to distribute apps to tablet and smartphone users. If a store's security processes are inadequate, it can be used not only by legitimate app developers but also by data thieves and online criminals.

Apps that send spam, act as spyware or carry malware are regularly found in various app stores. This shows that weaknesses in the security concept of app stores are actively exploited.

ENISA recommendations only partly implemented

ENISA (the European Network and Information Security Agency) published a recommendation on security measures for app stores in September 2011. For store operators it calls in particular for automated or manual app review, a system for determining and displaying app reputation, and secure login for app developers.

The following study uses the ENISA recommendation as its reference. It shows that various app stores have not consistently implemented the recommended security measures, with potentially critical consequences for app security.

False identity of the app developer

If an app store does not sufficiently verify the identity of the app developer, reputation concepts are of little help in the security evaluation of an app. Attackers can impersonate a known developer and offer and distribute malicious apps under that name through the insufficiently protected marketplace. Developer accounts do not by themselves guarantee that an identity is genuine (credentials can still be stolen or phished), but they make it difficult to assume the identity of an already registered developer, because every later upload under that name must come from the same authenticated account.

To verify developer identity, Samsung Apps, for example, requires registration with a comprehensive profile and assigns each app provider a separate user account. With Google Play, identity is tied to the credentials of the developer's Google account. Apple's App Store, finally, requires the developer to have an Apple ID in order to submit apps. This makes it difficult to take over a legitimate developer account.

But not all stores place value on security here. The app marketplace Mobiload, for example, allows apps to be submitted for publication without a developer user account of any kind. Since the developer is not authenticated when uploading the app, there is no way to determine whether a new app actually comes from an already known developer.
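To make the difference between the two submission models concrete, here is an added example that is not part of the original article or of any of the stores named above. It models a store's submission gate in two settings: one that accepts anonymous uploads, like the marketplace just described, and one that requires a logged-in developer account and binds each app identifier to the account that first published it. It goes one step beyond the article by also pinning the app's signing key on first publication, a check a store can perform because mobile apps are signed by their developer. The store, account names, package names and key bytes are constructed for illustration.

```python
"""Added example (not from the original article): a minimal model of an
app-store submission gate. An account-bound gate ties each package name to
the developer account and signing-key fingerprint of its first release; an
anonymous gate cannot tell an impostor's upload from a genuine update.
All accounts, package names and key bytes here are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Submission:
    package: str             # app identifier, e.g. reverse-DNS package name
    signing_key: bytes       # public key the app is signed with (constructed)
    developer: Optional[str] # authenticated account, None = anonymous upload


def key_fingerprint(signing_key: bytes) -> str:
    """SHA-256 fingerprint of the signing key; the value a store would pin."""
    return hashlib.sha256(signing_key).hexdigest()


@dataclass
class StoreGate:
    """require_account=False models a store that publishes uploads without
    any developer login; True models an account-bound store."""
    require_account: bool
    # package -> (owning account, signing-key fingerprint) of first release
    registry: Dict[str, Tuple[Optional[str], str]] = field(default_factory=dict)

    def submit(self, sub: Submission) -> Tuple[bool, str]:
        if self.require_account and sub.developer is None:
            return False, "rejected: developer must be logged in"
        fp = key_fingerprint(sub.signing_key)
        owner = self.registry.get(sub.package)
        if owner is None:
            # first publication claims the package name for this account/key
            self.registry[sub.package] = (sub.developer, fp)
            return True, "published: new app"
        owner_dev, owner_fp = owner
        if not self.require_account:
            # no authenticated identity to compare against: the anonymous
            # store simply overwrites the listing with whatever was uploaded
            self.registry[sub.package] = (sub.developer, fp)
            return True, "published: update (unverified)"
        if sub.developer != owner_dev:
            return False, "rejected: package belongs to another account"
        if fp != owner_fp:
            return False, "rejected: signing key does not match first release"
        return True, "published: update"


def run_scenario(require_account: bool) -> List[str]:
    """Legitimate developer publishes, an impostor uploads a trojanised
    'update' under the same package name with their own key, then the real
    developer ships a genuine update. Returns the gate's verdict for each."""
    gate = StoreGate(require_account=require_account)
    outcomes = []
    legit = Submission("com.example.bank", b"alice-public-key", "alice")
    outcomes.append(gate.submit(legit)[1])
    # impostor: logs in as a different account where the store demands one,
    # uploads anonymously otherwise; either way the key is not alice's
    impostor = Submission("com.example.bank", b"mallory-public-key",
                          "mallory" if require_account else None)
    outcomes.append(gate.submit(impostor)[1])
    update = Submission("com.example.bank", b"alice-public-key", "alice")
    outcomes.append(gate.submit(update)[1])
    return outcomes


if __name__ == "__main__":
    for label, flag in (("anonymous store", False), ("account-bound store", True)):
        print(label)
        for verdict in run_scenario(flag):
            print("  ", verdict)
```

In the anonymous setting the impostor's upload is published as an "update" of the legitimate app, which is exactly the situation the text describes: nothing distinguishes a new app from an existing developer's. In the account-bound setting the same upload is rejected, and even a stolen account cannot push an update signed with a different key unless the store also lets the owner rotate the pinned key.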