Native App Security

Full Title and Meme

An application that is installed on a user's computing device with full power to act as the user.

Context

• The day when a personal computer was for running application for the user is long gone, never to return.
• Today a personal computer depends on cloud based service for nearly all of its functionality.
• Some of those sites are willing to use a trusted User Agent, typically a web browser from a well-known and trusted vendor for rendering its content.
• The first of the Laws of Security tell us that when an attacker gets to run their code on your computer, it is not longer just your computer any longer.
• For the case where the user is not forced to allow an application to run on their personal device, see the page Web Site Security.
• Android App list of Data Categories that require User Consent. https://support.google.com/googleplay/answer/6270602?hl=en
• Apple iPhone App Requesting Permission: https://developer.apple.com/design/human-interface-guidelines/ios/app-architecture/requesting-permission/
• Apple iPhone app Requesting Authorization to use System Features: https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy
• Apple CKContainer manages all attempts to access user data on the device or in iCloud. https://developer.apple.com/documentation/cloudkit/ckcontainer
• Windows (UWP) settings are on all Windows 10 computer, but do not seem to be shown anywhere on the web. Just navigate start -> settings -> privacy -> app settings.

Problems

• One of the worst case scenarios for Native App security is that of payments made directly to a user's bank account.
• In Open Banking it is proposed that a payment initiator and a bank can both have Native Apps running where the payment initiator app asks the banking app on the same device for permission to remove money from the user's account.

Solutions

• The Native App exposes its name and the web site that backs it in a manner that allows the user to make a meaningful trust decision.
• Joint use Native Apps are provide to some industries for all to use. It makes the trust decision by the user much more difficult.

References

Organizational Support

• Rules for apps installed on Apple devices
• Rules for apps installed on Android devices
• Rules for apps installed on Windows devices are of two types, but it is not clear how the user could possibly distinguish, so the concept has not been helpful.

Other References

1. The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of web site software.
2. ISACs are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators.
3. Native App
4. Native App Privacy