The App Store and the Future of Software: Secure, Sanitized and a Little Sad
May 19, 2011 5:00 AM PT
I think we've reached a tipping point here when it comes to online application downloads. Apple's App Store for iOS started it; I think malware is going to finish it. Pretty soon the vast majority of applications will only be downloaded from a handful of big-name app store curators. On one hand, this is fantastic. On the other, I find it terribly saddening.
When Apple first introduced its App Store for its iPhone, it revolutionized how you get applications onto a smartphone. This isn't to say that there weren't walled gardens for mobile apps and devices before; I'm just saying that Apple's sheer ability to capture mindshare, entice developers, induce consumer adoption, and market the heck out of the capital-A App Store has resulted in a new model where ease of access, app discovery and convenient installation (and billing) will end up ruling the world.
The openness of Android as a platform, on the other hand, has been a key differentiator and growth catalyst for the operating system, all the while also being its Achilles heel. In March, Google had to step into its relatively open Android Market and kick out rogue malware Android apps. Even with Google's Android Market, there are at least a half-dozen decent app outlets available to Android users, along with the higher-profile Amazon Appstore for Android.
All the world needs is a few more high-profile Android malware programs to hit the market, and Google's approval process might suddenly become more Applesque ... or open the door for, say, Amazon to tout a more secure marketplace. The net result? Consumers start looking for downloads only from curators they trust.
Of course, I must say it's entirely possible that malware might make it through the Apple App Store approval process, but I believe the odds are something akin to being able to successfully throw a sewing needle through a kitchen strainer from 10 feet away. While it is possible, a nefarious malware peddler would likely look at spending their time in areas that would present higher odds of a return on their investment.
Microsoft Gets Smart
In an IEBlog post describing Microsoft's SmartScreen Application Reputation in IE9, Microsoft revealed an eye-popping stat: one out of every 14 PC downloads contains malware.
Of course, Microsoft also notes that since the release of IE8, SmartScreen has blocked 1.5 billion attempted malware attacks.
More interesting than that is the way that Microsoft strives to use reputation modeling for possible downloads to identify "safe" or risky downloads ... and advise IE9 users accordingly. Microsoft presents some very interesting technology for blocking the problem of malware, but I must say, SmartScreen is mostly a defensive sort of position.
What is a more effective way? Creating a whole download ecosystem populated only with safe, malware-free applications or files for download.
In a backhanded way, Apple is already heading in this direction. While it is, again, theoretically possible for a malware-laden app to make it into the Mac OS X App Store, it would have to be extremely sophisticated ... likely very patient, too. If a malware app revealed itself to be nasty too quickly, Apple would pull the plug and poof, no more downloads. No, the malware app would need to not only seem to offer something of value to consumers, but also hide out long enough to be downloaded many times from the Mac App Store. So this is entirely possible, but not very likely. From a bad-guy perspective, it would be like trying to steal wallets from a pack of rugby players vs. going after the purses of senior citizens.
Some bad guys like challenges, but I believe that the worst offenders tend to look for easy targets.
Enter MACDefender Malware
Through some SEO poisoning attacks and social engineering, the MACDefender malware app entices consumers to install it. Once installed, it makes users think they are infected by launching a bunch of porn sites and prompting users to enter their credit card information to clean their Macs. Nasty little bugger, of course.
There are two takeaways here: 1) Maybe Mac OS X owners really do need legitimate anti-virus, anti-malware applications, and 2) Maybe Mac owners should forget downloading anything or installing anything that doesn't come directly from Apple ... through the non-Safari browser Mac App Store application or iTunes, that is.
What do I tell kids, adults, and any PC or Mac newbie? Don't download apps unless you know exactly what you're getting and who it's from; don't launch apps or files from random friends with stupid funny videos sent to you in email; and for adults, be really careful about downloading any porn, particularly anything that purports to contain naked photos of any hot celebrity.
Where Does This Leave Us?
What started out as a good way to find new apps and ensure that the application installation and removal process actually worked well for the Mac experience -- the Mac OS X App Store -- has now turned into my default filter mechanism. If I find an app, even from what appears to be a reputable seller online, I've got a huge hurdle in front of me before I buy direct and download.
First, even big companies like Adobe have created problems for me when it comes to installation and licensing issues with their programs. Second, I simply want to remove as many elements of risk as possible, and while that includes code possibly hidden inside the applications I download, it also includes reducing the number of times I send out my name, address and credit card number.
This really sucks for legitimate developers because it reduces their possible avenues to market (even though the Apple model tends to increase the overall opportunity, at the cost of choice).
In some ways, it sucks for regular consumers, too. The dark underbelly of easy application downloads will drive consumers toward known download sources. In the new future, I'm less likely to think solutions like Microsoft's SmartScreen will be enough. Instead, or maybe in addition, we're heading toward a place where almost all software is going to be downloaded from Apple, Amazon.com, Microsoft or Google, or served up from the cloud from known, reputable sources. Most consumers will learn to use those sources, which will force developers to play ball with the rules the curators create, which will in turn make it harder for malware peddlers to squeak their apps into the world.
And the downside? We'll have a more generally sanitized computing experience because big-brand names won't provide access to subversive, fringe applications. If you're the kind of person who wants everyone to wear white shirts with black ties, you don't understand why sanitization is a bad thing.
It's a bit of a Catch-22, of course, and I don't believe the direction in which we're heading will change any time soon.