Our mobile devices are a window to the world, and we need them and the infrastructure they rely on to remain secure so our personal data is safe. While mobile app stores like Apple’s App Store and the Google Play store vet apps to ensure the average user’s safety and security, government devices and others interacting with sensitive data often need additional layers of protection. Businesses like ACT | The App Association member Quokka provide these services to the Cybersecurity and Infrastructure Security Agency (CISA), which provides recommendations to many government agencies. Recently, the App Association and Quokka briefed congressional staff on the importance of vetting for mobile apps.
In this briefing, Graham Dufault, general counsel of the App Association, gave a brief overview of how security works on mobile devices, focusing especially on how important it is for the major app stores to review apps for the “permissions” they seek from consumers. For example, a broad set of bad actors can be kept out of or removed from the app stores and our smartphones simply by looking at the kinds of sensitive personal information they seek from users and matching it against the stated purpose of the apps they make. When a flashlight app wants access to a user’s location at all times along with contacts and messaging information, a red flag is raised. We cannot take for granted that app stores will bar the clearly malicious apps from their marketplaces. Graham described how the major antitrust bills like the Open App Markets Act (OAMA) and American Innovation and Choice Online Act (AICOA) would eliminate the permission review functions, handicapping the crux of mobile security as it exists now.
Ilya Dreytser, head of sales and customer engineering at Quokka, built on this background, highlighting Quokka’s cutting-edge technology and showing attendees how they enable government and private sector clients to leverage their tools to detect, prevent, and manage risks to mobile devices. Quokka’s technology takes a deeper look at apps than the app stores’ reviews do, uncovering where, geographically, sensitive information is sent and exactly what kinds of building blocks (including software development kits or SDKs) the developer used to construct the app. These measures are critical in arming Quokka’s clients with situational awareness of the potential risks certain apps may pose to their workers’ devices. This is especially important for government agencies with employees handling sensitive personal information or information that may affect national security on their smartphones. Equipped with more granular information about mobile security risks, Quokka enables agencies and other clients to adopt the right measures to prevent and deter the theft of sensitive information and keep bad actors out of critical infrastructure.
Ilya challenged attendees to think: “How many of you go into your phone and check what apps do and don’t have permission to do? Many users don’t do that, and once they give that permission, the data is out the door.” And once you give the app certain permissions, those permissions carry over to subsequent updates, which could contain hidden malware. Drawing attention to this crucial security concern helps illustrate for policymakers the extent to which mobile security measures would suffer if mobile app review were to be declared presumptively illegal by measures like OAMA or AICOA.