Is Apple's screening process a reasonable control against malware on an iPad?
Was hanging out with some friends at The Open Eye, Carrboro's legendary coffee shop the other day and my friend, J., was telling me about the latest app he had for sale at the iPhone store. I tell ya, he's going to make a pile of passive income there. Anyway, our conversation turned to whether he needed to incorporate or whether it's OK to register his apps as an individual and treat his side business as a sole proprietorship.
We pointed out to him that the main reason he'd need to incorporate is to protect himself from liability. We asked, "What if someone purchases your app and then sues you for damages, claiming your app did something bad, or even that it was malware?" To which J. replied that he didn't have to worry about that because the standard terms for apps in the App Store indemnified him against stuff like that. Huh? Wow!
Now I'm not a lawyer and I have not ever laid eyes on the terms of sale for any of the apps I have purchased from the App Store. But let's take that at face value for a second. Does this situation mean it's more or less likely that "bad" apps will find their way to the App Store? Is this a free pass/safe haven for malware writers?
Hardly. The mitigating control here is that Apple reviews every app that goes into the App Store. Also, they can yank apps from the App Store at any time. To my knowledge, Apple has never specified what sorts of security checks are done on apps that are submitted to the store. I've been told they check to make sure the app is "well behaved," but statements like that are generally interpreted to mean that the app plays nice with other apps on the device and doesn't hog network resources, not that it has been vetted for malicious behavior.
It's an important issue because IT shops have to decide whether iPads should be allowed onto their networks. I've heard stories that Apple gave free iPads to a bunch of Fortune 500 CEOs. I can just imagine the conversations that have ensued. (And no, I have no idea whether our CEO was given one, or what he did with it if he got one.)
As an IT manager, you have to ask yourself: what's the risk of letting an iPad onto the network? Is it the same risk as letting an end user attach his home PC to the corporate network? Is it the same risk as letting an end user connect his smartphone to the corporate network? How would you know?
One way would be to look at the metrics. How many apps in Apple's App Store have ever done Bad Things and had to be pulled because they were malware? How many apps from the App Store ever had to be pulled because they damaged data or other apps on the same device or the network? How many apps on the App Store ever hogged computing resources so badly they constituted a denial of service?
For regular PCs, this is impractical because the software can come from anywhere. But the App Store is a well-controlled, single-source distribution channel. Metrics on these questions could be collected and published.
So my question is as follows:
Are Apple's application review procedures sufficient to mitigate the risk of malware and misbehaved apps? Is this a good enough control against the risk of malware to warrant letting iPads onto the IT network? Are there any metrics that could be produced about the track record of apps on the App Store that would lend some weight or credence to the idea that Apple's vetting process is an adequate security control?
I'd love to hear your thoughts in the comments.