Tuesday, February 21, 2012

Disinfected for Your Convenience

The social application Path took users' contacts data impolitely, without asking first.

We know that because somebody snooped on the unencrypted data, but it was almost OK because it is a social application. Some other applications did the same. What we don't know is how many applications with a totally unsocial purpose passed the App Store's manual checks and sent data somewhere, encrypted, without being detected.

iOS security concepts are made for a utopian world, where app vendors play nice according to prescribed rules and an army of dedicated people checks what they did, just to be on the safe side. When a user installs an app, he doesn't have to think about it; everything is nice and disinfected for his convenience. The harsh reality is that none of the human activities work that way. Cars are being recalled, toys are toxic, your inbox is full of ads for fake Viagra, and the "financial product" in which you invested left you without a dime. Someone always wants to earn some money in a less than decent way, and regulators are usually one step behind.

Apple's answer was to add an alert when an application tries to read contacts. Fine; but what about all the other data that resides on the smartphone?

I read a lot of ideas on how to fix the iOS security model, including:
  • do nothing; it would reduce usability (yeah, but what about privacy and financial damage?)
  • add another alert (how many can one stand, if you include future permissions for security holes not exploited yet - calendar, anybody?)
  • add optional permission grants (you either trust an application or not; if not, why grant anything - although always ask / always allow could make sense)
Android forces applications to declare whatever permissions they need and enforces them at OS level, providing a very robust security framework. The downside of this solution is that it shifts responsibility from the market to the end user; if you can make an educated guess whether the requested permissions are sensible, then you are good; if not, you are standing naked in the open. So how to blend the best of both worlds? How to combine two opposites, security and ease of use?

Here is a thought:
  • introduce a mandatory permission list in the application (Android)
  • if there are some fishy permissions, do a more thorough manual application check (iOS)
  • at OS level, block operations not declared in the permission list (Android)
Let's see how this works for different cases:
  • If the application does what it should and the manual review passed, there is no need to bother the user with permissions.
  • If the application does something fishy, the reviewer will see unusual permissions in the list and do a more thorough review.
  • If the application is malicious and tries to hide something, it will be blocked at OS level.
This will provide a reasonable level of safety without bothering the user with strange questions.