Tuesday, January 8, 2019

Be Careful What You Download?

When I used to teach users about the security of their own systems I had a rule that expresses a problem with today's phone apps: if you can't do anything about a particular vulnerability, there is not much point in identifying it to most users. I know that sounds strange to some of you, but let me explain.

There was an article from Cult of Mac on some 14 apps (mostly games) that were found to be communicating with a malware server. That is not usually a problem on Macs, yet anyone in security knows it can be one. It is just one a user can do very little about. Yes, they can be told to download apps from the App Store and not from third parties, but even that doesn't always work, as this example shows: these apps came from the App Store. Still, it is not a problem users can do anything about. The article ends with this: "Still, it's yet another illustration of why you need to be careful with what you choose to download." Really? How is a user supposed to be careful about what they download, when the app passed review and nothing visible to them distinguishes it from a clean one?

Phishing is popular, and effective, because it is not a problem a user can do much about. The typical user in an office gets 80-90 emails a day. It is true they can look at the sender address to see if it is someone they know, but they cannot know everyone in a big company, and a spoofed or compromised account looks like someone they know anyway. They are being told not to open email attachments from anyone they don't know. That is pretty unrealistic, even if it is good advice. The solution is to do something about attachments (inspect them, strip or sandbox the dangerous ones before they ever reach the inbox), not educate users on what not to open.

In the case of apps, a user can be educated on where to get apps, and if you trust Apple's review of apps, the App Store is the place to go. I trust Apple. I don't trust Android apps because they don't get the same level of review. If there is a problem with Apple's apps, then report it to Apple, and users should demand tighter controls during the review process. Don't tell users to be more careful about which App Store apps they download. The users should be able to trust Apple too.

We are way past the days when a user could do much about the security of their own phone or computer. Yes, they can buy antivirus and web protection. They can learn to download from the App Store and not from some third-party site. They can get a VPN and a few other things that reduce the typical vulnerabilities, without eliminating them.

I want the hard problems solved, not waved away by blaming users. Somebody get me a tool that will open those attachments, examine them and release them to the user only if they are clean. Demand better reviews of apps from the vendors. When we get a vendor with a product that connects to China and transmits data back there, I want to know which vendor that was so I can avoid apps from that company. Apple has to tell me that, or stop the app from downloading until it is patched, neither of which they seem to be doing. We shouldn't have to rely on third-party security companies to identify this kind of problem. It is not sufficient to be better than Android. That doesn't protect us anymore.
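The point made above about attachments, both in the phishing paragraph and in the wish for a tool that opens and examines them before the user does, is what a mail-gateway attachment policy does. The following is an added example written for this page, not code from the post or from any vendor product, showing the shape of such a check: it decides from the bytes and the full filename, never from what the sender claims, and it looks inside ZIP containers (which includes Office documents) for executables and VBA projects. The extension and magic-byte tables are assumed, deliberately short lists chosen for the demonstration, and all sample attachments are constructed in the code.

```python
"""Attachment triage: decide allow / quarantine / block from the file itself.

Added example for this page; not a product's code. The extension and
magic-byte tables below are short demonstration lists (an assumption),
not an exhaustive policy.
"""
import io
import zipfile

# Extensions that run as code on a typical desktop (assumed representative list).
BLOCKED_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
               ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".msi", ".lnk", ".jar"}
# Macro-enabled Office formats: quarantine for sandbox detonation, not outright block.
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Leading bytes a file with this extension must have (assumed demo table).
MAGIC = {
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
}


def extensions(name):
    """All dotted suffixes, outermost last: 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage(name, data):
    """Return (verdict, reason) for one attachment; verdict is allow/quarantine/block."""
    exts = extensions(name)
    last = exts[-1] if exts else ""

    # 1. Executable by final extension, whatever the content looks like.
    if last in BLOCKED_EXT:
        return "block", f"executable extension {last}"
    # 2. Windows PE content under a harmless-looking name (e.g. photo.png).
    if data.startswith(b"MZ"):
        return "block", "PE header (MZ) under non-executable name"
    # 3. An executable extension buried in the name (resume.exe.txt) is suspicious.
    if any(e in BLOCKED_EXT for e in exts[:-1]):
        return "quarantine", "executable extension hidden in name"
    # 4. The declared type must match the magic bytes.
    expected = MAGIC.get(last)
    if expected and not data.startswith(expected):
        return "quarantine", f"content does not match {last} signature"
    # 5. Macro-enabled Office documents go to the sandbox, not the user.
    if last in MACRO_EXT:
        return "quarantine", "macro-enabled Office document"
    # 6. Look inside ZIP containers; OOXML Office files are ZIPs too.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "quarantine", "corrupt ZIP container"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "quarantine", "Office document carrying a VBA project"
        inner = [n for n in names if extensions(n) and extensions(n)[-1] in BLOCKED_EXT]
        if inner:
            return "block", f"archive contains executable {inner[0]}"
    return "allow", "no policy hit"


def make_zip(entries):
    """Build a ZIP in memory from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in entries.items():
            zf.writestr(n, b)
    return buf.getvalue()


def run_samples():
    """Constructed sample attachments (not real mail); returns {name: verdict}."""
    samples = {
        "report.pdf": b"%PDF-1.7 constructed sample",
        "invoice.pdf.exe": b"MZ\x90\x00",
        "photo.png": b"MZ\x90\x00",
        "notes.pdf": make_zip({"a.txt": b"not a pdf"}),
        "resume.exe.txt": b"plain text",
        "macro.docm": make_zip({"word/document.xml": b"<w/>"}),
        "quarter.docx": make_zip({"word/document.xml": b"<w/>",
                                  "word/vbaProject.bin": b"\x00"}),
        "files.zip": make_zip({"readme.txt": b"hi", "setup.exe": b"MZ"}),
    }
    return {name: triage(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:10s} {name}")
```

Nothing here asks the user to judge anything: every verdict comes from the bytes, the full name and the contents of the container, which is exactly the work the post says should not be pushed onto the person reading the email. A real gateway would add detonation of the quarantined items and a much larger signature table.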
