A good reputation is not enough

Posted by Faustine Tournay on November 15, 2016

Website reputation was originally devised to ease the user's experience by giving a quick, ready-made security verdict. A site's score was based on criteria such as its age or how often it changed hosting location. Security companies send numerous requests to estimate how risky a website is, and users can then protect themselves from the most malicious ones. However, it is not that simple.

First, becoming a hacker is now an easy task that almost anyone can accomplish; it no longer requires any special skills. Second, the nature of the threats has changed: the app model and its diversity have made things more complicated. Our use of the internet has evolved, mobility is the new keyword, and the way we secure our data has to change with it.

Why are threats greater than before?

Let's focus on apps and their sheer volume: we were quickly outnumbered, which makes it far too hard to vet them individually. We do not mean that every app developer is a hacker who wants to steal your data, but flaws are sometimes included in the templates and libraries developers commonly reuse. Also, the endless flow of apps leaves no time to analyze each piece of code by hand to make sure it is free of threats.

Furthermore, clones of well-known apps can be easier to find than the original, tricking the user into downloading malware. In short, threats come from many sources and evolve constantly; they are released too quickly for a flaw to be detected beforehand, and they involve far too many criteria to be classified as safe or not on reputation alone. One last thing to take into account: imagine that every time someone wants to release an app, he or she faces a three-week delay to make sure it is safe enough for users. That would represent a huge loss for companies.

What are the solutions?

As we saw above, a rating of a website's technical standing appeared: reputation. Easy to use and almost instant, this score gives a prediction, in the form of a number or a percentage, that quantifies whether the app is safe or not. The first downside of this method, however, is obviously its lack of precision and the subjectivity of the rating criteria.

A reputation score rests on a superficial analysis of a website or an app: whether it has recorded security breaches, recent updates, uses an API, and so on. It was a good start and helped as a first approach to blacklisting apps, but what is the reality? What is in the code? A scoring system will never fully guarantee the security of an app: "there is a 50% chance it is safe". Or not.

The inability to conclude with certainty is a bet no one wants to take. Quantifying a risk is complex and takes more than one number. So the best option for evaluating the safety of an app remains exhaustive knowledge of its behavior: what it does with the data it retrieves.

The need for a new vision

As hackers evolve as fast as the threats grow, a new vision for securing our mobile devices is needed. The immediacy of mobile applications, coupled with the fact that they are used as much by companies as by individuals, means our data is more exposed than before.

Obviously, an app needs access to data in order to function properly, and we cannot forbid every single one that tries to read our contacts. Nonetheless, how it uses that data and where it sends pieces of it characterize the real nature of an app far better than a reputation score does. A security solution should go deeper and must be able to conclude whether the application is safe or not.

Indeed, looking at the core of these apps and uncovering their behavior in real time is the key to a safer mobile environment. Everyone should be ready to take that turn now.
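
The following Python is an added illustration of the contrast drawn in the two preceding sections, not code from the original post or from its authors. It builds a toy reputation score from the metadata criteria the post lists (age, recorded breaches, recent updates, API use; the weights are arbitrary assumptions) and, beside it, a behavior analysis that follows sensitive data from the point where an app reads it to the network destination it is sent to. The event-trace format, the app names, hosts and the two traces are all constructed for the example; a real product would obtain such a trace from runtime hooks or static data-flow analysis. The point it makes in working code: a lookalike clone with the same store metadata gets the same reputation score as the genuine app, while its data flows give it away.

```python
"""Reputation score versus behaviour analysis (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class AppMetadata:
    name: str
    days_since_publish: int
    known_breaches: int
    updated_recently: bool
    uses_third_party_api: bool


def reputation_score(meta: AppMetadata) -> int:
    """Toy reputation score in [0, 100] built only from metadata.

    The criteria follow the ones the post lists; the weights are assumptions.
    Nothing here looks at what the app actually does with data.
    """
    score = 50
    score += 3 * min(meta.days_since_publish // 30, 10)  # up to +30 for age
    score -= 20 * meta.known_breaches
    score += 10 if meta.updated_recently else -5
    if meta.uses_third_party_api:
        score -= 5
    return max(0, min(100, score))


# Hypothetical event-trace format, as a runtime hook or a static data-flow
# analysis might produce it:
#   ("read", <source>, <buffer>)         app reads a data source into a buffer
#   ("transform", <src_buf>, <dst_buf>)  buffer derived from another (encode, encrypt)
#   ("send", <buffer>, <host>, <scheme>) buffer leaves the device over the network
Event = Tuple[str, ...]

SENSITIVE_SOURCES = {"contacts", "location", "device_id", "sms"}


def analyse_behaviour(trace: Sequence[Event], first_party_hosts: Set[str]) -> List[str]:
    """Follow sensitive data from source to network sink; report suspicious flows."""
    taint: Dict[str, Set[str]] = {}  # buffer name -> sensitive sources it carries
    findings: List[str] = []
    for event in trace:
        kind = event[0]
        if kind == "read":
            _, source, buf = event
            if source in SENSITIVE_SOURCES:
                taint.setdefault(buf, set()).add(source)
        elif kind == "transform":
            # Encoding or encrypting a buffer does not make its contents less sensitive.
            _, src, dst = event
            taint.setdefault(dst, set()).update(taint.get(src, set()))
        elif kind == "send":
            _, buf, host, scheme = event
            labels = sorted(taint.get(buf, set()))
            if not labels:
                continue  # no sensitive data in this request
            if host not in first_party_hosts:
                findings.append(f"{labels} sent to third-party host {host}")
            if scheme != "https":
                findings.append(f"{labels} sent over cleartext {scheme} to {host}")
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return findings


# Constructed sample: a contacts-sync app and a lookalike clone with identical
# store metadata. Names, hosts and the IP address are invented.
ORIGINAL_META = AppMetadata("ContactSync", 400, 0, True, True)
CLONE_META = AppMetadata("ContactSync Pro", 400, 0, True, True)
FIRST_PARTY_HOSTS = {"sync.example-app.com"}

ORIGINAL_TRACE: List[Event] = [
    ("read", "contacts", "b1"),
    ("send", "b1", "sync.example-app.com", "https"),
    ("read", "device_id", "b2"),
    ("send", "b2", "sync.example-app.com", "https"),
]

CLONE_TRACE: List[Event] = [
    ("read", "contacts", "b1"),
    ("send", "b1", "sync.example-app.com", "https"),   # the copied feature still works
    ("transform", "b1", "b2"),                          # e.g. a base64-encoded copy
    ("send", "b2", "stats.example-ads.net", "https"),   # ... which leaks to a third party
    ("send", "b2", "198.51.100.7", "http"),             # ... and in cleartext to a raw IP
]

if __name__ == "__main__":
    for meta, trace in ((ORIGINAL_META, ORIGINAL_TRACE), (CLONE_META, CLONE_TRACE)):
        print(f"{meta.name}: reputation {reputation_score(meta)}/100")
        for finding in analyse_behaviour(trace, FIRST_PARTY_HOSTS) or ["no suspicious data flows"]:
            print("  -", finding)
```

Both apps score 85/100 on metadata, because nothing the score looks at differs between them. The behavior analysis reports nothing for the genuine app, whose contacts only travel to its own backend over TLS, and three findings for the clone: contacts sent to an unrelated host, contacts sent to a raw IP, and that second transfer in cleartext. The taint propagation through the "transform" event is what keeps an encoded copy of the data from slipping past the check.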

 


Topics: Mobile Application Security