The App Store giveth and the App Store taketh away

The other day, the JoshMeister blogged about the Mac App Store and the effect of its approval delays in getting critical security updates to users.

Third-party Web browser maker Opera has released version 11.11 of its software, which fixes a "critical" security issue. Mac users who have downloaded Opera through the App Store may find themselves using a copy of Opera that is now two versions old, 11.01, which was released back in March and is vulnerable to the security bug patched in 11.11. Users who rely on the App Store to tell them whether their software is up-to-date may not be aware of the security risks and may continue to use an unsafe version of the Opera browser.

As the app store model becomes more popular on both smartphones and PCs, it's important to explore issues like this. What the JoshMeister doesn't mention is that centralized app markets can also help encourage users to keep software updated. It's much easier to have a single marketplace app, once per day or week, say "here are all the apps that have updates, click to update them all" than to have to manage each app individually. If this encourages users to keep their apps up to date, that's a positive thing for security.

Of course, this model requires two conditions to work effectively from a security standpoint. First, the updates have to be made available to users through the store in a timely fashion. Second, the updates have to be screened to ensure they're not violating the market's standards (e.g., they're not badware). Based on the delays observed with the Opera updates and other submissions to the Mac App Store, it seems that there is some tension between these two conditions. If critical updates for known vulnerabilities take substantially longer to get to users via the store than they would through an app's only automatic update mechanism, something needs to be fixed.

One potential improvement could be to allow vendors to flag certain app updates as containing high priority security fixes. The store could then prioritize those updates for approval. Of course, this could (and probably would) be abused on occasion by vendors trying to rush updates out to users, but I'd like to think such abuse wouldn't be so frequent as to be a major problem.

Another approach would be to prioritize approval of updates based on the popularity of the application. This would ensure that the most widespread apps would get patched more quickly than less used apps. I don't generally like options that give established vendors preferential treatment over new entrants to the market, but experience teaches us that criminals like to target badware at widely installed software.

Of course, the cynical side of me says that Apple and other operators of app markets care more about getting new apps into the market than getting security updates out to users. After all, new apps mean new revenue opportunities, as well as bragging rights. ("We have x apps in our store; our competitors only have y.") On the other hand, just as supermarkets get bad press and lose customers if they fail to take recalled products off the shelves, application stores may find their reputations suffering if users start facing security threats that could have been avoided. Here's hoping this will be enough incentive to get those stores to find solutions to getting critical updates out to users quickly and safely.

Apple pushes false update, then backtracks

Posted on September 30, 2009 - 12:50 by mweinstein

Bloggers such as Ed Zott reported this week that Apple once again used its Apple Software Update tool to offer "updates" to software that was not installed on the user's computer:
Under the Updates heading, Apple says I need the iPhone Configuration Utility. Oh really? Why, for heaven’s sake? I’ve never plugged an iPhone (or an iPod or any other Apple-branded hardware) into this computer. I have absolutely no need for this program. It will do nothing except take up disk space and memory and potentially represent a vector for security issues.
Ed updated the post about a day later to indicate that Apple had changed its behavior:
The iPhone configuration utility has apparently been removed from the Updates list. The contents of the New Software section are unchanged however, with QuickTime and iTunes both being selected by default when using the Apple Software Update utility. Thanks to Gregg Keizer of Computerworld for the tip.
StopBadware readers may recall that Apple found itself on the wrong side of the community last year, when Apple Software Update started pitching Safari and iTunes as "updates," when the apps were not installed on users' computers. They changed their behavior after a community backlash that included pressure from Some felt at the time that Apple did not go far enough in changing the language of the tool, pointing out that these optional application installs were still selected by default in the update tool. However, this is the first time since then that we've heard about another false update. One presumes it was a mistake on Apple's part, but even so, Apple should know better after last year's experience.

Openness versus consumer protection? Android, iPhone, and transparency

Posted on January 30, 2009 - 16:22 by egeorge

If you follow news about the Android mobile phone platform, you may have seen recent allegations of malware against a third party application available on Google's Android application market. It's unclear whether or not the application in question, MemoryUp, was actually capable of any of the reported claims against it - Google's own testing showed no malicious behavior - but the application disappeared from the Android Market anyway.
Elisabeth Oppenheimer, of StopBadware director Jonathan Zittrain's "Future of the Internet" blog, writes:
[I]f Google is going to have the kind of open marketplace they want, they’re going to have to be more clear about what they’re doing. No one seems to know who pulled the app—the developer, Google itself, or perhaps some automatic system based on customer complaints. If Google is silently pulling disputed apps while the developers protest … they’ve replicated the iPhone’s App Store. There hasn’t been much protest about the Android kill switch, and people might well be okay with pulling apps that pose security problems from the Market (especially since there are alternative distribution methods). But Android users ought to know who pulled the app, and why.
Contrast the Apple iTunes App Store, which pre-screens applications. It's unlikely for malware to get through, but the high level of gatekeeping also can keep legitimate applications out - including, controversially, competitors to some applications designed by Apple.
Elisabeth continues:
Professor Zittrain argues for solutions that engage the community of users and don’t assume a zero-sum game. Having users test and rate applications—as they do on Android—is a certainly a step in that direction. (Google removing apps without explanation would be a step in the opposite direction, and would make developers nervous.)
Do we really need to choose between openness and security? Professor Zittrain argues that, with the help of the community of internet users at large, we should not need to. For companies in a position to act as gatekeepers seeking a balance they can live with, a high level of transparency and communication with users can help mitigate any restrictions on openness - and can help foster a more secure internet for us all. 
Disclosure: Google is one of StopBadware's sponsors.