First there was the Path address book tempest. Now there is a concern about apps being able to access photos without permission. It would be a shame if this resulted in more centralized control over apps and longer review processes. What we need instead is some kind of peer-produced approach to app security. What I have in mind is something along the lines of what Chris Dixon did with SiteAdvisor for web sites. Some people will (voluntarily?) run software on their mobile handsets that monitors app activity, including which servers these apps communicate with. The results from these “monitors” are aggregated to provide security rankings for applications.
This is not meant to be a substitute for a permissions model but to complement it. I like that apps need to check with me about accessing, say, my location, and I certainly would want the same for my address book. But that still doesn’t tell me anything about where this data goes. Admittedly, monitoring what an app does won’t capture what happens once the data reaches servers. For that we will need to rely on other trust models. This is an opportunity for startups like Parse that are providing a backend for mobile apps.
Meanwhile, Mozilla is making a big push around HTML5 apps. With a thankfully growing array of JavaScript APIs to device capabilities, these apps will eventually rival native apps. Arguably, because all the JavaScript is “visible”, it might be easier to have security for these apps based on code inspection. But I think that’s a bit of a red herring, as people are obfuscating their JavaScript. So there, too, a peer-produced monitoring approach would be tremendously helpful.
If there is an initiative like this already out there, I would love to know about it. I think it will be critical to a healthy app ecosystem that doesn’t get choked by a few centralized marketplaces.