Smartphone applications abusing user trust – and why code audit may not be sufficient to control this abuse


The majority of smartphone users are not software engineering or application development experts, or technology experts for that matter. Application users trust their application distributor (the application store or equivalent) and the application owner to be honest when transacting with them. Craig Silverman at BuzzFeed News reported research undertaken by Kochava on 26 Nov 2018 alleging that a number of popular Android applications (developed by Cheetah Mobile and Kika Tech) have been committing advertisement fraud. The article explains the ‘click injection’ and ‘click flooding’ concepts in very simple terminology, with the help of easy-to-understand diagrams.

The risk of an unscrupulous technology company inserting malicious code into an application or other software may be mitigated by:
  • making an audit of the source code by an independent code audit professional compulsory, and
  • putting controls in place so that only the audited code goes into production.

The argument against source code audits by an independent audit professional is the same as the argument against financial statement audits. In the past, unqualified audits of financial reports by independent accounting and audit professionals did not prevent the audited companies from collapsing. The same could happen with source code audits if the integrity and honesty of the auditor is compromised.

The technology industry and the companies within it need to inculcate a culture that promotes honesty, integrity and ethical behaviour in order to prevent fraudulent and illegal activities that abuse the users of their services.
