Naked Security

China clamps down on app stores in bid to curb malware

Concern as Beijing's move also makes it easier to censor content the authorities don't like

We and many others have long warned about the higher risks often associated with third-party app stores, including app stores located in China. This week, Chinese authorities took steps towards gaining greater control over those app stores. China’s actions could lead to less malware there – but also less access to allegedly “dangerous” foreign ideas.

Since last Monday, all app stores operating in China must register with the nation’s Cyberspace Administration. According to IDG News Service, the government argues that “some app stores have been offering products that violate users’ rights, contain security vulnerabilities or spread ‘illegal information’.” The new rules, China says, will “force the stores to better audit their products. Cyberspace Administration officials will keep records… and investigate [stores] that fail to register or which are found falsifying information.”

According to the BBC, research from China’s Cheetah Mobile Security found that

… more than 1.4m Chinese users’ mobile devices had been struck by infections as of January 2016, making it the worst afflicted nation. India and Indonesia were in second and third place. ‘[A] reason these countries have become the worst-hit ones is that third party app markets are prevailing… and [most] have been contaminated by malware due to weak monitoring.’

Cheetah noted that attacks on mobile payments were soaring, accounting for more than 60% of the mobile malware it was seeing. The firm also pointed to growing “data leakage” problems for both individual users and companies.

Many press accounts have called attention to China’s ongoing attempts to restrict “illegal” content on mobile platforms, as exemplified by Apple’s recent removal of Chinese and English-language New York Times apps, possibly in connection with the Times’ aggressive reporting on China. (Those events were recently summarized quite well by China Digital Times.) Unquestionably, tighter control over app stores will give the authorities significantly more leverage in restricting apps that distribute content that discomforts them.

As New York Times tech columnist Farhad Manjoo writes:

Blocking a website is like trying to stop lots of trucks from delivering a banned book; it requires an infrastructure of technical tools (things like China’s “Great Firewall”) and enterprising users can often find a way around it. Banning an app from an app store, by contrast, is like shutting down the printing press before the book is ever published… The easy banning of apps suggests that if we let it, the internet could [become] one of the most efficient choke points of communication the world has ever seen.

As for mobile malware in China, a few points are worth mentioning for context. Android dominates the enormous Chinese marketplace; one recent estimate suggests it now has roughly 85% market share. But the “official” Google Play app store for Android isn’t permitted to operate in China, though rumors of its impending return have been rife for nearly two years.

In Play’s absence, says VentureBeat, between 200 and 400 third-party independent app stores have emerged: that’s the core of the industry China’s government intends to track more closely. Of course, not all third-party app stores – in China or anywhere else – are equally risky. Some are managed by device manufacturers, service providers, or other large organizations who do vet their offerings, albeit with varying levels of care.

What about Apple? iOS apps are also available from multiple sources in China, but despite Apple’s low market share, the “official” censored version of Apple’s iOS app store is a huge business. This year, it blew past Apple’s US operations to earn more revenue than any other Apple app store on Earth. Of course, while Apple’s track record in preventing malware has generally been solid, “official-ness” itself doesn’t mean complete immunity: just consider the XcodeGhost saga we covered a year ago.

Bottom line: whatever governments and app stores do, you still want to be careful out there.