Cryptography Reference
In-Depth Information
effort is required to account for the tremendous number of submissions while
guaranteeing enough security of applications provided by these online markets.
Currently available security mechanisms are already starting to fail at preventing
malware that spies on user data, and this will get worse in the future. The
combination of manual and automatic analysis of applications seems to be
successful, but the ways of tricking reviewers into wrong decisions are far from
exhausted. Encrypted payloads and the delayed installation or activation
of spyware on top of “legally” installed applications are just two trivial examples
that can be, and are being, exploited by spyware and adware developers. This is eased by
the fact that almost anyone can become a licensed developer: after paying a
rather nominal amount of money, one can use the online platform to distribute
malware if it is accepted by the market's review process. Thus, the server-side
security mechanisms of online markets are of limited use in controlling the spread
of malware. Numerous examples on basically all platforms demonstrate the
deficiencies of this model [EGC+09, FS10b, Mills10, VS10].
This threat is further aggravated by the customers of such applications, combined
with the insufficient permission system of many smartphone operating systems:
the installation process of new software currently requires the interaction of the
user. An application asks for certain permissions during installation, and an often
long list of technical permission requests lacking a rationale is presented to the
user. These permissions are usually approved since the details of these requests
tend to exceed the expertise of the user.
If such interaction is not required (see Symbian OS, BlackBerry, iOS), the decision
on the permission approval is either delayed to the time of use, or it is delegated to
a third party that designed or administers the device. In the latter case, the
system can be either too restrictive, which decreases user satisfaction, or the
permissions are set too relaxed, which puts the system at risk. If the user has to
approve permissions at runtime, the user's lack of expertise and impatience
will often put the system and data at risk.
Thus, we argue that the current offline and online security mechanisms
implemented in the application markets and the end-user devices are too
coarse-grained to be effective at detecting adware or spyware.
10.3.5 Dialers
Personal computers originally connected to the Internet using modems on the
plain old telephone system, and automatic dialers were a popular threat at that
time. The costs induced by such attacks were often huge, since expensive
services were used. With technological advancement and the decrease in
communication costs, these attacks became negligible.