App Guarden: Resilient Application Stores

Application stores are set to become the dominant model for software distribution. After only four years, they are incredibly successful. In 2012, Apple's App Store and Google's Play Store each topped 25 billion app downloads. App stores not only offer apps and media content, they also have near total control on phones and tablets that connect to them. Hundreds of millions of people place their trust in app store and device security every day. Unfortunately, this trust is sometimes misplaced and is starting to be eroded.

Also in 2012, mobile malware took off: tens of thousands of rogue apps have been found `in the wild', including premium-rate SMS-sending apps, mobile botnets that are orchestrated to attack others, Trojans that steal passwords, and spyware that monitors users' activities. Legitimate apps and mobile operating systems have also had flaws leading to exploits and information leaks. And as the Wired reporter Mat Honan discovered painfully this summer, the convenience of cloud backed-up synchronized devices means that a single break-in can destroy your data everywhere, in one fell swoop.

App stores of the future, and the devices they control, must be better defended and resilient under attack. Users and data owners need justifiable confidence that apps will behave well and will not cause damage, whether by accident through bugs, or by intention through malicious design. Security should be ever present but unobtrusive, not impacting performance or causing crashes, not forever downloading patches, not demanding complex decisions, and not in the hands of just one party.

Our research will examine a number of improvements to app stores and mobile device operating systems which will take us closer to future generation, secure app stores.

For example, we will design algorithms that will automatically analyse apps to ensure they are safe. At the moment, this has to be done manually by malware analysts in expensive, time-consuming and sometimes unreliable ways. Another improvement is to add "digital evidence" to apps. Digital evidence can guarantee that an app is safe and it can be checked automatically, even on a phone. Evidence establishes that the code is safe, whereas the current state-of-the-art in industry is code signing, which at best only says where the code has come from. Finally, we want to find natural, user-friendly security policies: rather than the user examining a long list of complicated permissions as currently happens in Android, we want to have a set of sensible policies for different types of app. Under the bonnet the controls will actually be more precise than at present: with our solution, a game, for example, would not be allowed to access anywhere on the Internet, just the few places that it really needs to go; a text-messaging app might only be allowed to send messages to contacts from a users address book, not unknown numbers that might be premium-rate.

0. Overview

Smart phones and tablets are rapidly pervading everyday life and even starting to play a role in national infrastructure. They are administered through app stores, which are set to become the dominant model for software distribution.

To help deliver on the UK Cyber Security Strategy, our research will provide new foundations for a resilient, symbiotic system of app store and devices that reduces risks to individuals, data owners and wider society. We will ensure impact by a number of routes, engaging directly with three major industry players as well as with several SMEs.

1. Who will benefit from this research?

The medium and long-term beneficiaries of this research will be parties who have a stake in the app store distribution model of software and who rely on software delivered that way:

- Private sector, such as developers of mobile operating systems and their app stores (e.g., Google, RIM); app developers (e.g., Kotikan); security and anti-malware companies (e.g., McAfee, Metaforic); and emerging new ventures that supply or run custom app stores. Further out, corporates including banks will benefit from better platform security, giving them confidence to enable more risky functionality in apps.

- Government and public sector, many parts of which will deploy apps to provide access to records for citizens (e.g., NHS, HMRC, DVLA and other parts of direct.gov). There are obvious concerns over information leaks. Apps can be more risky than web interfaces because they often run on devices which provide API access to personal information.

- UK citizens, such as end users of smartphones or tablets, with privacy and security concerns.

- The UK nation state, in the sense of organisations involved in defence against malicious software attacking national infrastructure, in particular GCHQ and CESG.

- Our researchers and project students, for the RAs and project students involved in our programme: they will learn new skills, gain experiences, forge collaborations, and be prepared for the job market.

By feeding into possible secure app store initiatives within the large providers and smaller organisations, the project may help the advance the global competitiveness of the UK's IT industry and our reputation as a secure place to do business.

2. How will they benefit from the research?

- We will enable technology that gives private sector companies competitive advantage, by making security improvements to existing app stores and mobile operating systems, or new opportunities, by selling custom app stores or novel security products.

- Our security policies and analyses will help app stores defend themselves against malware and accidental errors, also ensuring developers produce better secured applications; these improvements will result in better security for government, companies and private individuals. They will be better protected against data loss and privacy intrusion.

- The technology will empower users and distributors of mobile software to better understand security implications of downloaded software, instead of blindly trusting it.