Jun 24

Open for Business?

Category: InfoSec

I was recently asked by to comment on the raft of Android recently discovered. During that interview I mentioned some concepts around the open and closed models, and wanted to expand on that thinking a little further.

As you may know, the Google Android platform has been open since 2008 and, as such, has a healthy following of developers and an open list of problems that anyone can view and contribute fixes for. By contrast, Apple's platform has been, and most likely always will be, closed and the intellectual property of Apple, and is therefore maintained by an army of developers working directly for Apple. Although the two business models are polar opposites, the devices themselves do share some common ground: both are built on a *nix base, and both allow anyone to develop an application for their platform.

So which is better, open or closed? Both have merits and demerits, but for me the key consideration is the security of the applications. Given that a smartphone is ultimately a portable computer in your hand, to which you can move a significant amount of your daily communications, in any corporate environment you need to be thinking about how you maintain the security of that device. For the purposes of this article I am going to set aside the other major security problems with both platforms and look specifically at the apps. To do that I want to separate the platform from the application environment (the store and the controls around it), because people tend to blur the two and forget that we are not talking about "open source" here: both platforms are "open shop", in that anyone can write and submit an app for them.

If your app store is 100% open, as we have seen with Android, anyone can release any app into it without any form of control or security audit. This, as we saw, resulted in a number of applications doing more than the user had signed up for, and left devices open to abuse by those who make money from such behaviour. In a corporate environment this means you have to control which apps get onto the phone, with a whitelist and a policy enforcement system, which, as we all know, upsets end users because their freedom of choice is restricted. For the general consumer it means they will, at some stage, quite likely be robbed blind by their own smartphone, because in an open model nobody is controlling what gets onto the device on their behalf.
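The whitelist and policy check described above is simple to state but easy to get wrong in one respect: a package name alone is not enough, because a repackaged clone can carry the same name as the legitimate app. The following is an added example (not code from the original post or from either vendor) of how a device-inventory check might enforce such a policy: each approved package is pinned to the SHA-256 fingerprint of its signing certificate, and the permissions it requests are compared against those approved, which is the closest proxy we have for an app "doing more than the user signed up for". The certificates, package names, permission names and the inventory are all constructed for illustration; a real deployment would read them from the device via an MDM agent.

```python
"""Allow-list check for a mobile device's installed apps.

Added example, not from the original post. All certificates, package
names and permission names below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a signing certificate: lowercase hex, no separators."""
    return hashlib.sha256(der_bytes).hexdigest()


def normalise_fingerprint(fp: str) -> str:
    """Accept 'AA:BB:...' or 'aabb...' and return the canonical form cert_fingerprint() emits."""
    return fp.replace(":", "").strip().lower()


@dataclass(frozen=True)
class InstalledApp:
    package: str                 # e.g. com.example.mail
    signer_sha256: str           # fingerprint of the certificate that signed the package
    permissions: FrozenSet[str]  # permissions the installed build requests


@dataclass(frozen=True)
class AllowRule:
    signer_sha256: str           # the one signer we approved for this package
    permissions: FrozenSet[str]  # the permissions we approved at review time


# Constructed stand-ins for the DER bytes of two signing certificates.
VENDOR_CERT = b"constructed DER for the approved vendor signing key"
ROGUE_CERT = b"constructed DER for an unknown re-signing key"

ALLOWLIST: Dict[str, AllowRule] = {
    "com.example.mail": AllowRule(cert_fingerprint(VENDOR_CERT), frozenset({"INTERNET", "READ_CONTACTS"})),
    "com.example.notes": AllowRule(cert_fingerprint(VENDOR_CERT), frozenset({"INTERNET"})),
    "com.example.expenses": AllowRule(cert_fingerprint(VENDOR_CERT), frozenset({"INTERNET", "CAMERA"})),
}

# Constructed device inventory. The mail app reports its fingerprint in the
# colon-separated upper-case form some tools print, to show the normalisation.
_mail_fp = cert_fingerprint(VENDOR_CERT)
SAMPLE_INVENTORY = [
    InstalledApp("com.example.mail", ":".join(_mail_fp[i:i + 2] for i in range(0, len(_mail_fp), 2)).upper(),
                 frozenset({"INTERNET", "READ_CONTACTS"})),
    # Same package name as an approved app, but signed by a different key.
    InstalledApp("com.example.notes", cert_fingerprint(ROGUE_CERT), frozenset({"INTERNET"})),
    # Not on the list at all.
    InstalledApp("com.example.flashlight", cert_fingerprint(ROGUE_CERT), frozenset({"CAMERA", "INTERNET", "READ_SMS"})),
    # Approved package and signer, but the installed build asks for more than we approved.
    InstalledApp("com.example.expenses", cert_fingerprint(VENDOR_CERT),
                 frozenset({"INTERNET", "CAMERA", "READ_SMS", "SEND_SMS"})),
]


def evaluate(apps: Iterable[InstalledApp]) -> Dict[str, List[str]]:
    """Return {package: [findings]}. An empty list means the app is compliant.

    Anything not on the allow-list is a finding: the policy fails closed.
    """
    findings: Dict[str, List[str]] = {}
    for app in apps:
        problems: List[str] = []
        rule = ALLOWLIST.get(app.package)
        if rule is None:
            problems.append("not on the allow-list")
        else:
            if normalise_fingerprint(app.signer_sha256) != normalise_fingerprint(rule.signer_sha256):
                problems.append("signing certificate does not match the approved signer (possible repackaged build)")
            extra = sorted(app.permissions - rule.permissions)
            if extra:
                problems.append("requests permissions beyond those approved: " + ", ".join(extra))
        findings[app.package] = problems
    return findings


if __name__ == "__main__":
    for package, problems in evaluate(SAMPLE_INVENTORY).items():
        print(f"{package}: {'OK' if not problems else '; '.join(problems)}")
```

Pinning the signer rather than the name is the point of the example: the notes app is flagged even though its package name is approved, and the expenses app is flagged for permission creep even though both name and signer check out. Whatever the fingerprints are compared against, normalise both sides first, or a perfectly good app will fail review because one tool printed colons and capitals and the other did not.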

The other end of the spectrum is, of course, where we are with Apple: onerous quality, technical and security checks, and numerous caveats to adhere to, before your app even gets into the store. This reduces the risk to business and the consumer alike. In this model Apple takes control of, and responsibility for, vetting the applications on its platform and minimising the risk to the user. That review is a gate at submission time rather than a guarantee, so I would, of course, still recommend policy enforcement and an approved-application list in any corporate environment, but you are at least starting from a better place, and don't need to do a full source code review of every app you're planning to use just to make sure it isn't a Trojan of some kind!

So which model is right?

To be honest, both have their merits and both have their flaws, but I still, personally, favour Apple's approach: to err on the side of caution and ensure that the apps they release are 100% up to the task. Let's face it, developers are known for cutting corners where they can to save a few lines of code, so someone cracking the whip on quality and security can't be all bad now, can it?
