13 Sep 2011
EU security agency Enisa has added its voice to those urging caution when using online smartphone app stores, calling for industry-wide co-operation between platform operators, developers and device owners to reduce the risk of malware infection.
The report highlighted "five lines of defence" which it said should be put in place to boost security on increasingly popular stores such as Google's Android Market.
Enisa argued that app stores should review apps before they are admitted, check them with automatic static and dynamic analysis tools and review them manually.
Apple famously vets apps vigorously, while Google is often criticised for taking too lax an approach with Android Market.
Secondly, Enisa called on app store providers to create a reputation system for apps and developers.
"App stores could take into account the reputation of the same app in other app stores," the report explained.
"A point of concern is that most users rate apps for their functionality and not for their security, so there should be a separate channel for security and privacy issues."
Thirdly, Enisa urged smartphone platform providers to support the remote removal of apps by app stores, and said that stores should have an "app revocation mechanism" for malware and insecure applications.
On the device security side, smartphone owners are urged to install and run apps in sandboxes initially to reduce the risk of infection.
Finally, in what could be seen by Apple as a justification of its closed environment, Enisa recommended that smartphone platform vendors allow access only to one or more designated app stores to prevent drive-by download attacks.
"The approach to this issue is crucial. If users can easily install from untrusted app stores, then it is easy for attackers to bypass the defences of the good app stores (with drive-by download attacks, for example)," the report argued.
"On the other hand, overly restrictive jails encourage users to break the jail, possibly introducing higher risks than those originally mitigated by the jail. Jails should, for example, not be used to stifle legitimate competition."
The risk to smartphone users, while still relatively low, is certainly increasing. New statistics from German security vendor G Data published on Monday revealed that mobile malware in the first half of 2011 had risen by over 270 per cent year on year.
Sandboxes for Android
It is fine giving advice to use a sandbox but where can I get one? Tried Android Market without success.
Posted by: thereiver 18 Sep 2011