App Store Security

Wednesday, October 27, 2010

Mark Gardner


Last Wednesday, 20th October 2010, Steve Jobs of Apple announced a Mac OS app store, originally for the next iteration of Mac OS X - Lion. He then went on to announce that it would go live in the current version - Snow Leopard - within 90 days.

Operating system app stores are not new - Linux in its different flavours has had one for years - but this is the first time one of the more mainstream OS developers has announced one, although it is known that Google have an app store planned for their Chrome OS.

As we have seen with mobile app stores, if these work they can produce huge revenue for OS and app developers alike. The iOS App Store, which was the first mobile app store of its kind, now has over 300,000 apps. Therefore, it's safe to say that if this works, it won't be the last.

Of course, shopping within applications or via the web, even on a desktop OS, is nothing new, what with the iTunes store etc. However, this App Store, coupled with the changes coming in the Lion operating system, really seems to fuse the mobile and the desktop OS, which is where the iPhone began, as a cut-down version of Mac OS X.

From a security perspective, this App Store could represent a large risk to your desktop, either at home or at work. That is, if there is no curation of the applications on the store and no testing before release.

Without curation these stores become a honeypot for malware of all descriptions - we've seen it on the phones.

Given the convergence of the mobile and the desktop OS, can we learn anything from our experience of protecting a desktop OS to assist in protecting the mobile? After all, threats to a desktop OS are nothing new.

Apple is having security issues at the moment with its FaceTime application for the Mac, which is itself a converging of desktop and mobile.

This type of vulnerability may only appear in the wild, not during testing, given the volume of things to check during a test.

From an enterprise security standpoint, how do we protect against App Store downloads? Admittedly, at the moment Apple's OS volume is not huge.

Indeed, Wikipedia shows that on average in October 2010, across all machines, Windows has an 88.66% market share for desktops. Using those figures, the new app store is going to affect the 7% who use Mac OS X in the first instance.

However, in an enterprise, how do security professionals protect against unwanted downloads from the App Store? Will there be a curated, enterprise-approved version, with each individual company choosing its own authorized applications?

If there is, who curates it? Apple, Microsoft, Canonical, Google? Or is it left to your company IT department to curate and tell each of these companies which applications they want to see?

Also, is this App Store vital to maintaining the OS, with security patches etc. now being distributed through this medium, as they are now on the iPhone?

For example, in the past two months Microsoft have broken records for the number of patches to the operating system that have been required, many of which have been security patches to prevent vulnerabilities being exploited. Imagine what this number could be with an App Store.

Unverified, untested and unauthorized applications being brought into the enterprise is nothing new: people can download software at home, bring it in on a memory stick and load it onto their work machine, and no one is any the wiser.

Given a level of control, this risk could be removed, but many more risks could be introduced.

This is all speculation, as the clock only started ticking one week ago. I guess those companies already using iPhones, iPads or Android devices are already facing this type of risk, and are therefore potentially ahead of the game, but the face of the desktop, and therefore desktop security, is changing.

The next game is how to protect against these risks and then how to react if they are exploited.

Cross posted from

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.