A couple of days ago, we saw the AVG "security suite" appear in the Windows Phone Marketplace. Although it came from a company that held a somewhat decent reputation, it ended up being spyware itself, providing zero value whatsoever. So what exactly should Windows Phone users expect from future applications, and what do they need to consider before installing something on their device?
1. Most important - know the security model of your device.
I know that this doesn't really apply to the "average Joe" who bought the phone at a retail store, but you should at least familiarize yourself with the basics. First and foremost - a third-party application on a Windows Phone cannot access the file system outside its Isolated Storage and project files, given that it came from the Marketplace. That being said - think about the sources of possible "malware" that AVG could scan. Its own Isolated Storage? What it did is simply go through the file names and look for specific strings. You can already see how effective that is against modern-day malware.
The effectiveness of that kind of virus search is equal to the effectiveness of a speed trap with a warning sign a couple of miles ahead of it (image courtesy of Jalopnik). It is equal to zero. It gets better - what AVG was scanning were pictures and songs in the media library. Remember that even though third-party applications can read the byte array representation of images (so let's assume there are specific signatures that can be detected), the same cannot be said about music - other than getting the name of a song (as well as associated metadata) there is nothing to look for, since there is no way to read the actual contents of the file through the API exposed in the public SDK. If that is out of the picture, how else could AVG help on a Windows Phone device? Exactly nothing.
2. Pay attention to the application requirements before installing it.
The AVG "fakeware" asked for user location access from the very beginning. In such cases, the user has to ask himself - why would an anti-virus need his location? Reasoning like "quality assurance" is not valid here - there is nothing to assure, since the application is useless.
Other than the location, the application also collected the Live ID identifier, device type, device unique id, OS version, device UUID, the name of the carrier, the user region and the user email. Again, these requirements are generally outlined by the capabilities (CAPs) the application declares, so pay attention to those. This applies to any app you are downloading. If a flashlight application collects your location and email, then its purpose is probably not providing you with a flashlight in the first place.
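As an added illustration (not code from the original post or from any application discussed here), the sketch below reads the capabilities declared in a Windows Phone 7.x `WMAppManifest.xml` and lists the privacy-relevant ones that the app's stated purpose does not explain. The sample manifest is constructed, and the `expected` set is a hypothetical judgement the reviewer supplies for the kind of app being checked.

```python
import xml.etree.ElementTree as ET

# Privacy-relevant Windows Phone 7.x capability IDs and what they expose.
SENSITIVE = {
    "ID_CAP_LOCATION": "location services",
    "ID_CAP_IDENTITY_USER": "anonymous Live ID of the user",
    "ID_CAP_IDENTITY_DEVICE": "device-specific information such as the unique ID",
    "ID_CAP_CONTACTS": "contacts",
    "ID_CAP_APPOINTMENTS": "calendar appointments",
    "ID_CAP_MICROPHONE": "microphone",
    "ID_CAP_MEDIALIB": "media library",
}

# Constructed sample manifest for a hypothetical flashlight app.
SAMPLE_MANIFEST = """<Deployment
    xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment"
    AppPlatformVersion="7.1">
  <App xmlns="" ProductID="{00000000-0000-0000-0000-000000000000}"
       Title="Example Flashlight">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_LOCATION" />
      <Capability Name="ID_CAP_IDENTITY_USER" />
      <Capability Name="ID_CAP_IDENTITY_DEVICE" />
    </Capabilities>
  </App>
</Deployment>"""

def declared_capabilities(manifest_xml):
    """Return the set of capability names declared in a manifest string."""
    caps = set()
    for el in ET.fromstring(manifest_xml).iter():
        # Compare local names so this works with or without an XML namespace.
        if el.tag.rsplit("}", 1)[-1] == "Capability" and el.get("Name"):
            caps.add(el.get("Name").strip())
    return caps

def audit(manifest_xml, expected):
    """Flag sensitive capabilities that the app's stated purpose does not explain."""
    caps = declared_capabilities(manifest_xml)
    unexplained = sorted(c for c in caps if c in SENSITIVE and c not in expected)
    return {
        "unexplained": unexplained,
        # Sensitive data plus network access means the data can leave the device.
        "can_leave_device": bool(unexplained) and "ID_CAP_NETWORKING" in caps,
    }

if __name__ == "__main__":
    for cap in audit(SAMPLE_MANIFEST, expected=set())["unexplained"]:
        print(cap, "->", SENSITIVE[cap])
```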
3. Read the reviews. And make the right conclusions.
Remember that case with fake iTunes reviews? Well, this can happen in any Marketplace, on any platform. And when you see this (notice how the developer rated its own app - cutting edge, right?):
contrasting with this:
This should instantly raise all sorts of doubts as to what the application actually does. It might have a pretty UI, showing all sorts of possible processes, but it might just be a shell for something you don't need. XKCD has the best conclusion in this case.
Question: but shouldn't Microsoft make sure that the application does what it claims to do?
To some extent - yes, to some extent - no. There are fixed test cases that make sure that the application declares its capabilities correctly, that it doesn't crash on a tombstoned restore, that it doesn't consume more RAM than it needs, etc. There is no way to identify with 100% precision what's inside the application without meticulous code analysis, which is not performed during the Marketplace approval process. In this case, AVG did just this - made sure that the basic approval requirements align with what its basic capabilities are. The rest was up to them.
Conclusion: pay close attention to what the application requires from you before installing it, and if there are suspicious requirements - the purpose of the application might be completely different from the one declared on the Marketplace page. No approval process can completely eliminate cases of app privilege abuse.