It seems like every couple of weeks we see another report cautioning people about the danger of malicious apps—sneaky software that tracks your location, steals your passwords, runs up phone bills, or worse.
This week’s installment, courtesy of the U.S. Department of Homeland Security, is generating quite a stir. So I thought I’d take a minute to remind people of some of the steps we’ve taken to help protect the Windows Phone Store and its customers.
As a result, malware hasn’t been much of an issue for Windows Phone customers. If you ever do suspect that an app is doing something it shouldn’t, report it to us at email@example.com and we’ll check it out.
Even with all of these preventative measures in place, we do still encourage caution and advise against clicking links, SMS messages, or emails from unfamiliar sources. And we also recommend that you protect the info on your phone by setting up a password. Here’s how to do that—plus more tips for keeping your phone secure.
I know what a person's definition of malware is but I would go as far as to say Facebook collecting contact details from phone is malware too, especially if it's a process not specified clearly. Windows Phone needs a feature like CyanogenMod's privacy guard which prevents apps accessing info on your phone.
You should advertise this more. Or is that just tempting fate?
... (oops) screens.
Maybe you could elaborate on the current landscape of mobile threats to better understand the possible problems affected users might run into.
Users will grant apps all the permissions they want, because it is a yes-or-no decision to install the app. Couldn't a different approach be to provide apps with only the data I actually want them to have? For example, if WhatsApp wants to copy my contacts to their server, couldn't I just quickly create an app-private, limited copy with only a couple of entries and only some phone numbers? This would be particularly useful for app trials.
Then in turn, more APIs can be opened to apps trusted by the store and contracted third party evaluators and certification authorities, or eventually a certain threshold of users. APIs currently unavailable include reading and processing text messages, profile switching (volume, ring-tones, network, Wi-Fi, NFC) and call history, IIRC.
I hope there is more to that story than the store and the user watching out for suspicious looking apps.
There is a lot the OS and the runtime do to prevent malicious behavior, beginning with the isolation of applications and the mere unavailability of APIs that would allow unattended cost-bearing activities such as dialing or texting.
But as, if and when the platform gains traction, there will be vulnerabilities in common apps and surely holes in the runtime that need to be addressed in advance. It could start with malicious documents, e.g. PDF and phishing with counterfeit
This is one of tons of reasons I love Windows Phone :)
And those are just from the government. ;) sorry couldn't resist