Securing Your Mobile Device…Part 2
In my first segment of the “Securing Your Mobile Device” series, I talked about some very simple configuration changes that should be immediate, but standard across every Smartphone platform. Now that we’ve set a passcode on our handset and disabled some services that might lend our new mobile device to the curiosity of the run-of-the-mill snooping miscreant, let’s take a look at what might be the next thing we need to consider with our new handset. (For my BlackBerry, Windows Mobile and Symbian readers, hang with me for a few seconds as I set this all up. The information will still apply to you.)
One of the first things I did when I got my Android (besides rooting it) was to check out the apps that I could tinker with from the Android Market. I’m sure the same could be said for my iPhone friends and the iTunes App Store. I found all kinds of goodies that I thought would be fun to play with. There was an app to manage my backgrounds, several useful ones to better my keyboard (hint!) and typing experience, apps for managing RSS feeds, some mobile news roundups, tools and utilities for me to manage the innards of my device, some connectivity tools and I even came across one that would teach me the secrets of the Kama Sutra. The point is that there are now over 20,000 apps in the Android Market that users can either pay for (often at a reasonable price) or simply download free of charge. Android and iPhone users will undoubtedly spend hours upon hours in the first few months of owning their device looking for apps to streamline their daily routine and interactions.
You can venture onto any Android or iPhone forum and you’ll likely find a handful of threads taking on the never-ending debate of whether iPhone’s closed app ecosystem is better than Android’s more open approach of letting the community regulate malicious apps. There are valid points on both sides of this argument, but the debaters are about as likely to be swayed as I am when debating politics with someone on the other side of the aisle, which is to say not at all.
As far as security is concerned, when considering the stark differences in approaches between Apple and Android, there are several truths that must not be lost in all of the noise. The most important thing that a user must remember when taking advantage of the convenience of finding apps in their respective repositories is that they (the user) are ultimately responsible for ensuring that they are downloading apps from reputable developers. By policy, Apple requires a fairly stringent review process for any developer that wishes to share their application with the iPhone user. In contrast, Android relies on the community to regulate apps by putting great emphasis on the user review and feedback process to weed out broken or malicious apps. Both approaches have worked…for the most part.
In the waning months of 2009, we heard about an iPhone game developer that is now being sued by Apple for distributing a game that was also harvesting sensitive device information. This application made it past the review process. At the very end of December, some nefarious Android developer was able to sneak bank phishing applications into the Android Market. The app was quickly identified as malicious and removed, but the damage had already been done. Couple these malicious apps with the news that our Global Threat Center regularly reports about spyware and worms affecting both the iPhone and Android and the heated debate between the two sides becomes absolutely moot. What becomes important is the fact that attackers will keep trying and will eventually succeed at getting their malicious applications into the repositories.
Whether you’re working with a device that is tethered to a particular app repository, or you have bypassed those repositories by rooting or jailbreaking your device to get unapproved apps, or (wake up WinMo, BlackBerry and Symbian users!!!) your device doesn’t necessarily have a single, well-known repository, you need to make sure that the app you’re installing makes sense. The Android and BlackBerry platforms require an application to declare, at install time, the permissions it will have access to, so you get to see what it is asking for before it runs.
Unfortunately, we still have PC users in the world who fall for Nigerian scams or click on unsolicited links. They just don’t get it. Sometimes I wonder if they ever will. That also means that we’ll have users who will download mobile banking applications from app repositories that do not come directly from the specific banking institution. We’ll also have users who will be socially engineered into installing an application that says it does one thing, but will do something entirely different underneath. I can’t properly explain all of the things that one should look for when trying to determine whether a mobile app is malicious or not. What I can pass on is that users need to be aware that just because an application can be downloaded and installed, doesn’t mean that it should be…even when it’s coming from one of the fabled app repositories that we continually hear about.
Use common sense when it comes to picking and installing applications. Think long and hard about what each type of permission that is being requested could possibly allow that application to do. Read the ratings and reviews that are associated with each app before paying for it or downloading it…and heed their warnings. Think long and hard about the type of information or credentials the application is asking you to input in order for it to function. Does it make sense for an application to be developed by a person named “Droid09” and published to the Android Market that is supposed to connect to, say, Bank of America? And does it make sense for that application to ask you for your account information if it does nothing more than open a web browser and take you to Bank of America’s online banking website?
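The “does this permission make sense for what the app claims to do?” check above can be turned into something mechanical. The following is an added example, not code from the original post: a small Python script that pulls the `<uses-permission>` declarations out of an Android manifest and compares them with a baseline of what an app with a stated purpose plausibly needs. The manifest is constructed for a hypothetical “Bank Shortcut” app that supposedly just opens the bank’s website; the purpose baselines and the list of sensitive permissions are our own judgement, not any platform policy.

```python
"""Review an Android manifest's declared permissions against the app's stated purpose.

Added example, not from the original post. The manifest below is constructed; the
purpose baselines and the sensitive-permission list are assumptions of this script.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical "bank shortcut" app that claims to do
# nothing more than open the bank's online banking site in the browser.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bankshortcut">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Bank Shortcut"/>
</manifest>
"""

# Assumed baseline of what an app of each stated purpose plausibly needs.
BASELINE = {
    "web-link": {"android.permission.INTERNET"},
    "rss-reader": {"android.permission.INTERNET",
                   "android.permission.ACCESS_NETWORK_STATE"},
    "wallpaper-manager": {"android.permission.SET_WALLPAPER"},
}

# Permissions that read personal data or can cost the user money. Any of these
# outside the baseline is exactly the mismatch the post tells readers to question.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            names.add(name)
    return names


def review(manifest_xml, purpose):
    """Compare declared permissions with the baseline for the stated purpose.

    Returns everything declared, what exceeds the baseline, the sensitive subset
    of that excess, and a verdict of "ok", "review" or "reject".
    """
    if purpose not in BASELINE:
        raise ValueError("no baseline for purpose %r" % purpose)
    declared = declared_permissions(manifest_xml)
    unexpected = declared - BASELINE[purpose]
    sensitive_unexpected = unexpected & SENSITIVE
    if sensitive_unexpected:
        verdict = "reject"      # personal data or billable actions with no stated need
    elif unexpected:
        verdict = "review"      # more than the purpose needs, but nothing dangerous
    else:
        verdict = "ok"
    return {
        "declared": declared,
        "unexpected": unexpected,
        "sensitive_unexpected": sensitive_unexpected,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = review(SAMPLE_MANIFEST, "web-link")
    print("Declared:  ", sorted(result["declared"]))
    print("Unexpected:", sorted(result["unexpected"]))
    print("Sensitive: ", sorted(result["sensitive_unexpected"]))
    print("Verdict:   ", result["verdict"])
```

For the constructed manifest the verdict is “reject”: an app that only opens a browser has no business reading SMS or contacts, let alone sending SMS. Keep in mind that this reads only what the app declares; a manifest says nothing about what the code does with a permission it legitimately holds, so a clean verdict here is a reason to keep reading the reviews, not a reason to stop.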
Until consumers perform their due diligence when choosing which applications to install, the threat of malicious developers slipping malicious apps past the screening systems will continue to be there.