Sideloading, or, the downloading of mobile apps from sources outside an authorized app store, is in the news again. There are a number serious proposals to allow sideloading now in circulation as a way around the market domination of mobile app distribution by a small number of companies. These have resurfaced understandable concern since malware is a very real threat to the sensitive personal data held on smartphones and sideloading is an effective way for malware to sneak in.
The good news is, there’s a way to have the proverbial cake and eat it too—using tried and true cybersecurity technology. Open yet trusted distribution services using open cybersecurity systems based on public key infrastructure (PKI) have been in use for decades and form the basis for trusted distribution of such things as entertainment content as well as personal computer and smart TV apps. By adopting this system for the mobile app distribution ecosystem, we could bring about a new dawn for the mobile app ecosystem, one that helps protect end users while encouraging more diversity and competition amongst app store operators.
Secure open systems based on tried and true technology
PKI is a proven standard for providing trust in open systems (note that in this case, open systems are those that are open to all willing and legitimate participants and shouldn’t be conflated with open source). For example, PKI-based e-commerce certificates for Secure Sockets Layer (SSL) encrypted connections (the security tech behind the lock icon) in browsers have been in use since Netscape’s first browser was released in 1994. PKI based systems generally rely on a WebTrust-certified root of trust supported by secure hardware and other strongly protected cryptographic elements so the entire system is well-secured.
A properly architected and run open system is a trusted system. Security does rely on protecting secrets but ‘security by obscurity,’ where nearly all aspects of the system remains opaque, does not work. Vulnerabilities will always exist and without insufficient review, these vulnerabilities will then be known only to bad actors with the time and incentive to study these systems. Well-vetted open systems based on mature open standards such as PKI use tested protocols for recovery when vulnerabilities are identified, making them the best approach for cybersecurity resiliency.
Bringing benefit to consumers and app developers
Security systems bring the most benefit to consumers when openness, visibility, effectiveness, and ease of use intersect. Key-based physical locks and PKI-based security for e-commerce are two notable examples. If a PKI-based open system were adopted for use by the mobile app distribution ecosystem, it would create a level playing field and allow multiple parties, including a variety of mobile device OEMs in the market, to create their own store fronts with their own custom solutions. Consumers will benefit through having a variety of choices from specialized yet competitive app stores they can safely, securely, and easily access. App developers will also benefit from the efficiencies brought on by app store competition and can pass on these benefits to their customers. A win-win situation all around.
For more details, see the Distributed trust management for app store diversity white paper or the executive overview.
About Julian Durand
Julian Durand is VP of Intertrust Secure Systems and product owner of Intertrust PKI (iPKI). He earned his engineering degree from Carleton University, and his MBA from the University of Southern California (USC). He is also a Certified Information Systems Security Professional (CISSP) and inventor with 10 issued patents.
