Not So Great Expectations: Why Application Markets Haven't Failed Security

Application markets have rapidly become a widely popular mechanism for expanding the features and utility of mobile devices such as cell phones. The cottage industries that sprung up around these markets serve millions of Patrick McDaniel and William Enck Pennsylvania State University applications daily to a ready user audience. Markets entice developers by placing low economic and technical barriers to entry, thereby fostering fast-paced innovation. They streamline purchase and installation to serve even the most casual users with ease. Simply put, markets make producing and consuming applications easy. Markets also present obvious security concerns-users are trained to download applications with impunity from a huge number of developers about which they know little. Moreover, these applications often request nearly unfettered access to the data and device interfaces (for example, texting, voice-dialing, or GPS location), which seems to invite malicious applications and questionable functionality. Not surprisingly, such fears have been substantiated. A recent discovery of numerous applications sharing GPS locations and other personal information with online advertisers is just one example of dubious features found in market applications. The public reaction to these stories is often the same: users and pundits decry markets for their failure to properly vet the applications or developers. This underscores the widely held expectation that security is the market's responsibility.