O’Reilly Security Conference 2016: Acceptable Risks

I was listening to Adrian Ludwig’s talk, titled “Securing 85% of the world’s smartphones”, at this year’s O’Reilly Security Conference in New York when I realized that I may never want to do any financial or other important transactions using a mobile app again. Ludwig is a Googler and the lead engineer for the Android Security group. And since there are about one billion Android devices worldwide, he’s effectively in charge of the world’s mobile security.

Listening to him, I slowly began to realize he was treating what Google calls potentially harmful applications (PHAs) in the Google Play marketplace as a statistical problem. While Google does a good job of weeding out bad apps — SMS fraud, call fraud, spyware, ransomware, trojans, etc. — and of monitoring devices for infection using SafetyNet, it’s not perfect.

How not perfect?

That’s where it becomes a matter of statistics and acceptable risk.

He presented stats that put the percentage of PHAs at under 1% of all installs. You can see more of the results he talked about here.

[Image: pha-google]

I can’t find numbers on total Google Play installs per year, but I’ll guesstimate that it’s probably in the tens of millions. This sounds like one of those Google test questions they used to ask interviewees — “how many barbers are there in the city of Toledo?”

In any case, we could be talking about hundreds of thousands of infected app installs, and who knows how many tens of thousands of cases where the exploit succeeded and data was actually stolen. I suppose that’s not a huge number when you’re Google, but still.

As with a lot of security stats, you can never really know the full extent of the problem, even for widely publicized corporate breaches. Many companies never go public with their data thefts. My go-to resource for these numbers is the Identity Theft Resource Center, and they’re up to almost 7000 corporate breaches for 2016. Maybe the true numbers are ten times more? We just don’t know.

There are a lot more people than companies, so I’m not comforted by these < 1% stats.

This leads to the question of why it is even possible for malware-laden apps to find their way onto large numbers of consumer devices in the first place.

You’d think other makers of consumer goods would have similar problems — over-the-counter drugs, hair dryers, coffee makers, electric light bulbs, etc. — but they don’t.

Wait, I know the difference!

Anybody can submit an app to Google after paying a modest fee. And if something goes wrong, there’s no way to punish this person or whatever criminal gang is behind the mobile malware. They’re a digital-age version of the proverbial snake oil salesmen: when there’s any trouble they leave town and sell the same app under another name.

Hey, Google, how about asking developers to put up a bond or some other not-insignificant amount of money — say $2000 — that they’ll lose if malware or other intentional security issues are eventually found in their app?