On Thursday the ioXt Alliance, an Internet of Things (IoT) security trade group backed by some of the biggest names in the business, introduced a set of baseline standards for mobile apps, in the hope that IoT security may someday be a bit less of a dumpster fire.
The announcement of the new Mobile Application Profile [PDF], a certification program covering best practices and requirements to keep mobile apps safer than the low bar of vendor discretion, comes from the collaboration of more than 20 ioXt member companies like Amazon, Comcast, Google, and others.
"This security baseline helps mitigate against common threats and reduces the probability of significant vulnerabilities," said Brooke Davis and Eugene Liderman, from Google's Android security and privacy team, in a blog post.
"The profile leverages existing standards and principles set forth by OWASP MASVS and the VPN Trust Initiative, and allows developers to differentiate security capabilities around cryptography, authentication, network security, and vulnerability disclosure program quality."
Tens of millions of Internet-of-Things, network-connected gizmos at risk of remote hijacking? Computer, engage shocked modeREAD MORE
The program focuses on mobile apps because these are typically front-end clients for smart devices and cloud services. It includes an extra set of expectations for virtual private network (VPN) apps, many of which, like Facebook's discontinued Onavo VPN, have been accused of making misleading security claims.
"VPNs are central to internet privacy, security, and rights, but the members of the VTI know well that we can't provide those protections without trust and transparency. …" said Harold Li, Chair of the VPN Trust Initiative and VP of ExpressVPN, in a statement. "This program will give consumers more control and confidence in choosing solutions for protecting themselves online."
In practical terms, that means an ioXt-certified VPN app will include disclosures, somewhere, if the providing company's business practices involve selling data, and will at least have made some effort to implement its code with an eye toward security. The fact that both Google and Facebook are members of ioXt, while Apple is not, suggests a set of rules amenable to ad-based business models.
But ioXt's program is voluntary, allows for self-certification (though vendors may opt for ioXt authorized lab certification), and costs money.
"Mobile Application certification starts at $799 per year and device certification starts at $1,950 per year," said Brad Ree, CTO of the ioXt Alliance, in an email to The Register. "However, certifications are often based on entire product lines which has volume discounts."
Ree said ioXT offers both a self-certification with researcher rewards and a lab validation certification. "It is our goal to provide a certification program which can scale to the hundreds of thousands of devices produced by manufacturers all around the world," he said. "We believe we have methods which can scale to small start-ups through large corporations."
So this isn't going to catch malicious parties or do much for vulnerabilities introduced by shoddy coding.
Rather, participants are likely to be established companies looking to stand apart from less responsible vendors. The initial crop of certified apps includes: Comcast Xfinity Authenticator, ExpressVPN, GreenMAX DRC Wireless Keypad, Hubspace Affero, McAfee Innovations (VPN), NordVPN, OpenVPN for Android, Private Internet Access (VPN), VPN Private, and the Google One app, which incorporates VPN by Google One.
Certainly, there's some value to this program. The Mobile Application Profile, for example, includes sensible requirements like "No Universal Password" that you'd think would be standard practice everywhere already. It also reminds vendors to observe secure practices by asking questions such as whether the vendor has a vulnerability reporting program, the kinds of updates that get automatically applied, whether updates are signed or not, and so on.
Worth noting is the inclusion of one or two buttons on certified product listings: Dispute Certification and Report Vulnerability. The former leads to a web form for ratting out vendors who fail to uphold their pledges, and includes a link to an ioXt Alliance reward schedule ranging from $100 to $600 [PDF]; the latter consists of a
mailto: link that at least provides a point of contact for vulnerability reporting, with any bug bounty that might apply dependent on vendor programs and policies.
The disclosures listed on certified product pages may help people make more informed decisions. If you're the sort of person who might reject the Xfinity Authenticator app because it doesn't enforce x503 certificate pinning, ioXt's certification scheme may just be life changing.
But mainly, ioXt's program will help vendors that see box checking as a mechanism for signaling diligence and compliance to the market. There was nothing stopping any of these firms from establishing internal standards and releasing secure products before now. ®