The Federal Trade Commission is seeking comments from the public to further explore issues raised by last year’s FTC forum examining the state of mobile security. Panelists at the forum discussed a number of complex issues that warrant further public input.
Held on June 4, 2013, the FTC’s mobile security forum consisted of a day-long series of panel discussions and presentations that addressed a wide array of security issues in the mobile arena, including: current and potential future threats to user privacy and security; the role that mobile platform providers can play in mitigating mobile threats and ensuring the privacy and security of end-users; the unique security challenges posed by the complexity of the mobile ecosystem, and the role that telecommunications companies, third-party developers, and other members of the ecosystem can play in securing consumer products and services; and the efficacy and utility of consumer-facing mobile security products, such as authentication and antivirus products.
To expand the record on these issues with an eye towards a report, the FTC invites comment from the public on the following topics:
Secure Platform Design: Commenters may interpret the term “platform” broadly to include mobile operating system providers, device manufacturers, app stores, or others that maintain two-sided markets for third-party developers and consumers. In some cases, a platform may serve several of these roles (e.g., providing a mobile operating system and an app store).
• How can platforms create robust development environments while limiting the potential for abuse by privacy-infringing or malicious third-party applications? Commenters may interpret the term “application” broadly to include any mobile software (e.g., native, web-based, etc.) that has access, via a platform, to consumers’ personal information or device resources.
• Have particular design approaches proven more or less effective than others in protecting consumer privacy and security?
• What, if any, are the trade-offs between different approaches to providing developers with access to consumers’ personal information or device resources?
Secure Distribution Channels:
• What role should platforms play in creating secure distribution channels, such as app stores, for mobile applications?
• Is application review and testing scalable given the explosive growth of mobile applications? What techniques have proven effective in detecting malicious or privacy-infringing applications?
• Do smaller players in the mobile ecosystem, such as third-party app stores, have the resources to deploy such techniques?
• Does limiting application distribution to a single channel provide substantial security benefits? What, if any, are the trade-offs of this approach?
• What are potential alternative approaches to detecting or impeding malicious or privacy-infringing applications on end-user devices?
Secure Development Practices:
• What resources (e.g., application programming interfaces, development guides, testing tools, etc.) are available for third-party developers interested in secure application development?
• Is the developer community taking advantage of these resources? Are they making common security mistakes?
• Do consumers have the information they need to evaluate the security of an application? Are they aware of potential security risks (e.g., the insecure transmission of data)? Are there ways to make the security of applications more transparent to the end-user?
• What more can platforms and other industry players do to ensure that third-party developers have the resources and incentives necessary to implement secure development practices?
Security Lifecycle and Updates:
• What is the security lifecycle of a mobile device – that is, how long is a mobile device supported with respect to security? Do companies distinguish between a mobile device’s general product lifecycle and its security lifecycle? What factors – technical, policy, or business – affect the length of a mobile device’s security lifecycle?
• What are consumer expectations with respect to the security lifecycle of their mobile devices? Do consumers have the appropriate information (e.g., at the time of purchase) to factor security into their device purchasing decision? Do consumers receive notice when a device has reached “end-of-life” with respect to security support?
• What are the challenges in creating, testing, and distributing security updates to end-user devices? What, if any, are the implications of slow update cycles? Are there steps that platforms, manufacturers, telecommunications carriers, and other players can take to streamline this process?