Don’t assume you’re safe playing in the sandbox

Very basically, for those of you who don’t know, sandboxing tries to control the rights of an application through permissions (or entitlements, as Apple calls them) so that an app does not automatically have full control over the whole computer or smartphone. Sandboxing, however, gives the user a false sense of security “by implying that apps which run in a sandbox are automatically not malicious – which simply is not true.” On top of that, the majority of malware does not get onto a device through applications but rather through “drive-by downloads”; again, very basically, surfing in the wrong place. Another downfall of the sandboxing method of “protection” is that most users slide right past the permissions step of installing an application and simply click ‘OK’ to everything, and once a permission has been granted the sandbox will not stop the app from using it. Furthermore, in the Android Market the applications are not curated or vetted (examined by someone to make sure they are safe), so a developer could ship nearly anything inside an application. Don’t think you’re safe if you use an iPhone, however… even with the scrutiny there are still major holes.
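Since the permissions list is the one thing the sandbox actually enforces, the check worth doing before tapping ‘OK’ is to read that list against what the app claims to do. Here is an added example of that triage (my code, not anything from the article or the video): it parses the text that the Android SDK’s `aapt dump permissions some.apk` command prints, picks out the permissions that fall in Android’s “dangerous” protection level, and flags any that the app’s stated purpose does not justify. The sample output, the package name `com.example.flashlight`, and the subset of dangerous permissions are constructed for the example; the exact line format of `aapt` varies between SDK versions, so the parser accepts both the quoted `name='…'` form and the bare form.

```python
import re
import sys

# Subset of Android permissions in the "dangerous" protection level, chosen
# for this example (not an exhaustive list).
DANGEROUS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
}

# Constructed sample of what `aapt dump permissions flashlight.apk` prints
# for a hypothetical flashlight app. A flashlight needs the camera (for the
# LED) and nothing else on this list.
SAMPLE_AAPT_OUTPUT = """\
package: com.example.flashlight
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.WAKE_LOCK'
"""

# Matches both "uses-permission: name='x.y.Z'" and the older "uses-permission: x.y.Z".
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?\s*$")


def parse_permissions(aapt_output):
    """Return (package_name, [requested permissions]) from aapt text output."""
    package = None
    perms = []
    for line in aapt_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            package = line.split(":", 1)[1].strip().strip("'")
            continue
        m = _PERM_RE.match(line)
        if m:
            perms.append(m.group(1))
    return package, perms


def triage(aapt_output, expected=frozenset()):
    """Flag dangerous permissions the app's stated purpose does not justify.

    `expected` is the set of dangerous permissions the reviewer accepts for
    this app; everything dangerous outside that set needs a human look.
    """
    package, perms = parse_permissions(aapt_output)
    dangerous = sorted(p for p in perms if p in DANGEROUS)
    unjustified = sorted(p for p in dangerous if p not in expected)
    return {
        "package": package,
        "requested": perms,
        "dangerous": dangerous,
        "unjustified": unjustified,
        "verdict": "review" if unjustified else "ok",
    }


if __name__ == "__main__":
    # Usage: aapt dump permissions app.apk | python triage.py
    # With no piped input, the constructed sample is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AAPT_OUTPUT
    report = triage(text, expected={"android.permission.CAMERA"})
    print(f"{report['package']}: {report['verdict']}")
    for perm in report["unjustified"]:
        print(f"  unjustified dangerous permission: {perm}")
```

Run against the sample, the flashlight comes back as `review` because READ_CONTACTS and SEND_SMS have nothing to do with turning an LED on. That is exactly the judgement the install screen asks the user to make in two seconds; a curated store would make it for them.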

You think I’m blowing smoke up your… app…? Then just watch this video.

http://www.youtube.com/watch?v=ynTtuwQYNmk&feature=player_embedded

I could go on with my views about smartphone apps and malware, but you’d be better off reading this article for yourself. Honestly, I think anyone who either has a smartphone or is interested in security should definitely read it.

http://www.guardian.co.uk/technology/blog/2011/nov/08/sandboxing-malware-failure


4 thoughts on “Don’t assume you’re safe playing in the sandbox”

  1. While you do make some good points, you fail to realize the user’s responsibility in this field. You state, “Another downfall of the sandboxing method of “protection” is that most users slide right past the permissions part of installing an application and simply click ‘ok’ to everything”.

    This is where the vast majority of problems occur: the user knowingly giving permission for the malicious activity to occur. Had the user not been so dimwitted, the damage of the malicious software could have easily been avoided. Perhaps instead of pointing the blame at the designers, realize the fact that it is indeed the user giving permission for the malicious activity to take place.

    • While I do completely agree that the user has a responsibility for their own protection, I also feel that the reality is most users do not think security when they get an app. I think most users (remember that most users are not computer security people) simply assume a level of safety when they download an app or purchase a device. The developers of both the apps and the devices are most definitely aware of this. If I am interpreting what you are saying correctly, then my question is this… should an information security professional at a company make sure every person in that company knows the dangers of unsafe computing practices by informing them, or should he/she just assume that everyone knows already and point fingers when something goes wrong?

      What I believe you failed to understand was the point of the article…and my post. The point was that people are lulled into a false sense of security by these apps. Not that the user has no responsibility.

      • I would argue that there is not a lulling into a false sense of security, simply a lack of awareness, caring, and responsibility of the user.

        To your point of, “should an information security professional at a company make sure every person in that company knows the dangers of unsafe computing practices by informing them or should he/she just assume that everyone knows already and point fingers when something goes wrong?”

        I am saying that the company should make sure every person in the company knows the dangers of unsafe computing practices. It is not finger pointing when something goes wrong, it is when the user knowingly chooses to ignore blatant and flagrant warnings that at some point they must take responsibility for their own actions (and hopefully learn from their mistakes). When it is made quite apparent to the user the risks of their actions I do not feel it is proper to look to the designers to further try to solve the problem for the user. The user is made well aware of the possible risks and knowingly makes the decision to accept those risks and/or ignore the warning.

  2. I don’t think you can ever be completely safe on the internet. There are just basic rules and ways that you can conduct yourself online to keep yourself safe, such as not clicking on certain links and not putting personal information in online. You should create an online persona that you can use for websites that you want to register for and do not want to put your personal info in for.
