The iOS and Android platforms use code signing to verify the authenticity and integrity of an application. Sandboxing also limits an app's exposure to the underlying device processes. Both companies oversee a controlled mobile application store, but security firms have identified malicious apps getting past the vetting process in both stores. Apple doesn't say how it vets apps for security. Google uses Bouncer, a static-analysis code-scanning tool, to check its apps.
"Both iOS and Android platforms have built-in security features such as kill switches to remove identified malware applications from mobile phones," Veracode said. "Since the risk and attack models are slightly different, enterprises should consider a multi-pronged approach to applying preventative security controls."
Veracode said enterprises could set up their own app store that supports a zero-trust model for adopting mobile applications: all apps would be treated as potentially malicious until they had been thoroughly reviewed for bugs and for the kind of data they collect.
PUBLISHED APRIL 11, 2013