To protect consumers, Congress should secure the app store supply chain

The Open App Markets Act, a bill that would, among many other things, require device makers to allow for the installation of unvetted applications on users’ mobile devices, won the approval of the U.S. Senate Judiciary Committee earlier this month.

This legislation would confront the “walled garden” app distribution model, in which applications can only be installed from official app stores, that has been in place since the early days of smartphones. While many have focused on the potential benefits to consumers from app store competition, this part of the proposed legislation introduces unintended, but potentially significant, device security risks by allowing app deliveries through unsupervised channels.

The move away from today’s “walled garden” model introduces new security risks to users, who may turn to stores with a greater volume of malicious apps. App stores run by Apple, Microsoft, Google and other large software companies screen the apps sold in their stores for malware and vulnerabilities.

While such screenings may be imperfect, particularly when they lack human review, the controlled nature of these stores greatly reduces the ability of malicious cyber actors to use apps to steal user data or commit fraud.

By comparison, poorly regulated app stores, like many found in China, are breeding grounds for compromised apps filled with malware. Inadequately regulated app stores lacking the most basic of security checks increase the risk to consumers by making it easier for users to download a compromised app that may steal their data or defraud them.

App stores have become a central part of the modern software supply chain. The apps they provide to consumers offer a range of financial, health, and personal services that are both vital to our everyday lives and laced with highly sensitive data.

Individuals and smaller enterprises are at higher risk of having their data stolen or being defrauded by malicious apps because they lack the resources that larger companies use to control what software can be installed on their devices.

The recent Flubot malware attack, for example, leveraged targeted text messages to direct recipients to download a malicious app to their phones that allowed attackers to steal financial information and intercept text messages. The malware, which required users to allow the installation of apps from outside of Google’s app store, demonstrates how compromised apps can wreak havoc on unsuspecting users.

Flubot is only part of a greater trend toward using compromised software to steal sensitive data or ransom data. The danger posed by this trend would only be magnified by a move toward unregulated marketplaces lacking the app review and security screening in place in official stores.

Permitting the unfettered “side-loading” of apps — the installation of apps from outside an official app store — creates even greater risk, allowing for the installation of apps from anywhere on the web. While this may grant users access to more free apps, it also creates significant opportunities for attackers to trick users into installing apps filled with malware. A free app isn’t free if the result is an empty bank account.

Fortunately, Congress can impose security standards on the new app stores that can help protect consumer end users.

First, Congress can require stores to have a base level of security review and monitoring of apps, including human review. Human review helps to ensure that the permissions used by the app reflect the app’s advertising, a step vital to preventing malicious apps from doing things they aren’t supposed to.

Second, the U.S. and other governments should abandon plans to mandate unrestricted “side-loading” — the risk to the average end user is simply too great when they can install an unknown app in a few clicks with no understanding of accompanying security risks.

Finally, some users may choose to stick with official app stores to reduce the risk of installing a malicious app. Users who decide to install apps from outside those stores must also practice good device hygiene to reduce their risk, blocking the installation of apps from untrustworthy sources and avoiding apps from the open web or untrustworthy app stores.

The risks posed by malicious apps will always exist, but policy-makers and users can do more to ensure that an increasingly competitive app store space minimizes the threat to users’ personal data. Adding baseline security standards, like those outlined above, to existing proposals can help to minimize the security risks posed by a new world of app store choice.