Introducing security at application level is a sure-fire way of offsetting Android’s shoddy dev craftsmanship
Google recently released patches that set out to tackle the latest month's Android security blunders, ten of which have been classed as high priority. But even these last-ditch attempts to ensure the security of users’ devices fall short of the vulnerabilities they face, as for now the patches apply only to Nexus devices.
According to Tom Lysemose Hansen, founder and CTO at Norwegian app security firm Promon, developers should protect each app individually, rather than relying only on the unstable protection offered by Android. Hansen commented on the contradiction of attempting to establish perennial security while leaning on the crutch of regular patching:
“App security shouldn’t be a game of one-upmanship with reams of customer data sacrificed at each turn. As well as securing against the most recent flare-up of malware, developers must also account for future threats. Although hackers’ techniques have become increasingly sophisticated, their success comes down to their use of a variety of approaches: they need only succeed once.”
Hansen continued: “Patching can be effective, but in the wake of a successful attack on a device, it’s like shutting the gate after the horse has bolted. That the user is still made to rely on inconsistently released patches is absurd. Instead, app developers must pick up the slack left by the inadequate security offered by Android’s OS and ensure multiple layers of defence so users are not made to bear the brunt of future malware.”
Hansen commented that users can’t rely on patching alone and that, until this culture is addressed, developers must introduce security at the level of the application:
“Google’s monthly updates serve as a bulletin reminder that this is not about to change, and that effective security can only be achieved if the defence is multi-layered, in particular by adding security at the level of each individual application. In the current climate, app developers should regard their applications as the first and last point of defence and ensure that these are self-defending and self-regulating from the outset. Operating systems like Android will always be inherently insecure, which no level of patching can cure. Hence, adequate protection is only offered when threats are dealt with as and when they appear, by in-built protection offered by the application itself.”