Mobile vendors go their own way on security at FTC event

Mobile phone makers were in agreement that the security and privacy of their customer was their top concern. But that was about all they could agree on

ftccontrolpanel_0.jpgImage credit: Paul Roberts
Mobile Security forum hosted by the FTC, June 4, 2013

Security executives from some of the U.S.'s biggest phone makers agreed that the security and privacy of their customer was their top concern. But that was about all they could agree on at a mobile security forum hosted by the FTC.

The panel discussion on Tuesday brought together executives from Google, Apple, Microsoft, Blackberry and The Mozilla Foundation to discuss ways to build more secure mobile devices. But the discussion, "Building Security into Modern Mobile Platforms" did more to highlight disagreement between some of the nation's biggest mobile phone players about how to best deal with mobile malware, malicious applications and threats to customers' privacy.

Despite the attention given to malicious programs for mobile devices, panel members agreed that mobile malware was a niche problem. A much bigger challenge came from data-snarfing applications that users download and install willingly on their devices. However, different vendors had wildly different takes on how to address that problem.

Speaking for iPhone maker Apple, Jane Hovarth, the Director of Global Privacy at Apple said that her company's approach to thwarting malware and privacy abusing applications relies on serious vetting of application developers and real-time prompts to users that identify the data requested and the reason the mobile application needs access to the data.

The Mozilla Foundation, which is working on its own mobile operating system, Firefox OS, said that company would follow a similar approach in its forthcoming operating system using a feature it calls "data intention."

However, other vendors expressed skepticism about real-time user consent features. Geir Olsen, a principal program manager at Microsoft, said that frequent requests and notifications merely irritated mobile device users, and were akin to "getting between a mother bear and her cub" – a sentiment echoed by Adrian Ludwig of Google's Android Security team and others.

Adrian Stone, the head of security response at Blackberry, said that his company was looking for ways to create incentives for application developers to build secure code and not to abuse permissions. Blackberry has a closed application ecosystem by default, but permits "side loading" of applications from other sources and is experimenting with ways to communicate the trust level of the application to shoppers, he said.

Though panel members agreed on many points, sparks flew between Google and other panel members over the merits of that company's more open ecosystem, which allows Android device owners to synch their phone to third party marketplaces.

Addressing Apple's contention that its curated App Store was more secure, Ludwig said that Google was committed to giving its users "choice" and that "curating is not about choice." Google is focused on what Ludwig called "transparency" – giving users the information they need about what applications do, and then leaving them to make up their minds.

The choice for Google was philosophical rather than technical, Ludwig said: analyzing the behavior of the million or so Android applications isn't a challenge to a company of Google's size and capabilities. The company already employs 300 engineers focused on security and is tackling much more complex problems than scanning for malicious apps, he said.

Still, the search giant is facing a growing chorus of concerns and criticisms that focus on its fast-growing Android mobile application ecosystem, which now ships on 75% of mobile handsets. Google's own data shows that the Android install base is fragmented, with only around 30% of handsets running the latest version of the Android OS, and around 40% running "Gingerbread," a two year old version.

In April, the American Civil Liberties Union (ACLU) filed a complaint with the FTC urging the Commission to stem an epidemic of unpatched and insecure Android mobile devices – a public scourge that the ACLU blames on recalcitrant wireless carriers.

But Ludwig defended his company's hands-off and decentralized ecosystem, saying that many reports of mobile malware (like the recent "Bad News" malware on Google Play) were overblown, and that the benefits far outweigh the costs.

"The whole reason to make information accessible is so users can find what they want. There may be instances in which a provider may not be comfortable with an application that lots of people want. Google doesn't want to play the (gatekeeper) role," he said.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon