Applications: Programs pose various serious security risks

Learn about the ways applications can compromise your security in more ways than simply being scammed or hacked. We also cover advise on modern operating systems.
Categories:

How can applications pose security risks?

Applications, when executed, are given permission to run what is called application code within the kernel of your operating system. This grants the application creator the ability to do most anything that the user of the system can. There have been some attempts at implementing restrictive rules. However, while they are effective at some critical attack vectors, they fall well short of stopping the problem. Often, attack vectors that are prevented by those systems are themselves defeated when some other legacy method requires the mechanism to be disabled. 

There are also major use-case discrepancies when it comes to programs. Meaning when the average user is using something, the program is not intended for that particular use. It’s an industry tool designed for very stringent conditions.

The restrictive controls issued by modern companies, namely Apple, serve to create a more secure platform. However, the abilities of the programs that users can use are also heavily restricted. Many programs require you to not use the Apple Store and its secure ecosystem. It has also served to stop any development from happening on the parts of the operating system outside of the application ecosystem, which have received few updates for over 10 years. For Apple Macs, this applies only to the desktop. As the mobile operating systems are completely Apple operating systems, containing all the modern components. Still, jailbreaking Apple devices from their restrictions, has proven trivial.

Android has a more open platform and operates more like desktop computers. They also implement their own restrictive controls, which are said to be more visable than Apples. I am not a Android user.

Chromebooks, on the other hand, are somewhat different since there are no user applications, at least without disabling many restrictions. This makes them somewhat secure against this attack vector. However, there are other vectors, like the Webp incident.

Without taking into account any actual intent of being malicious, other means can pose a security risk. A factor that is amplified by the conditions imposed on programs by stringent requirements. Often, maintainers of the program source code can take a direction that encompasses something that was outside your initial threat analysis. In addition, these changes are often hard to pick out as being relevant during the chaos of the day-to-day. This makes reading any terms of service a critical part of managing providers, which people often overlook. Given the monopolistic current state of the economy (as of 2024), this lack of ability to migrate to other suitable competitors poses a serious security risk for a large percentage of the population. This issue may abate with time with the passage of patents (I don’t know; as a developer, I’m told to never read patents, but there’s a 20-year limit); however, (whats a patent) the current major monopolistic players exert lots of control over the policies that will dictate the architecture of the systems we are developing.

What are the consequences of the security risks?

In short, to completely own a target user. And once a target user has been infected, it is often trivial to escalate to other users on the system or network. Again, methods have been implemented that have addressed the issues to some extent, but the solutions themselves have created more complexity. Complexity rarely improves things and often makes it much worse for some subsets of users.

Once a computer has been infected, the damage can be quite severe. However, it depends on the computer that has been infected and the virus or person that infected it.

The methods to improve the issues have created systems where another factor must be used to authenticate. This means that often, to perform small grade account hacking or to escalate privileges while already owning some devices of a target, the second factor also needs to be compromised. This has lead to multibillion-pound black (many of them will be legal companies given only an obligation to do what’s reasonable, many lightly won’t be) market industries that are collecting data about us as you read this document. This data serves to help the assailants should they gain access to your devices via some automated campaign to find susceptible devices. Assuming completly good intent on the part of any companies, their data being hacked is still a large concern. If you are as old as me, type your email into haveibeenpwned.