Google And Apple Can Reach Into Mobile Devices, Even If You're Using Them For POS

How will mobile devices ever get PCI approval if retailers can't lock them down? For that matter, how should IT feel about a vendor that reserves the right to reach into the mobile devices and make unannounced changes? What if the device is in the middle of a critical project at that moment? What if the act of removal causes some unexpected system crash? Those are some key questions in the wake of Google's announcement on Saturday (March 5) that the search giant is remotely removing a group of malicious apps from Android-based smartphones and tablets—and without any prior warning to users.

Google has reached into users' mobile devices at least once before to delete apps in the name of security. Most users may not mind—certainly not as much as, say, Amazon reaching into their Kindles to delete mistakenly published e-books. But for retailers that want to use an Android device as a point-of-sale unit, the ability of a vendor—or any outsider—to modify the device by long distance could make getting a QSA's approval impossible.

In the case of Google's most recent reach-in, the problem was a group of between 20 and 50 rootkit-infected apps from the Android Market (accounts differ on exactly how many infected apps were involved). Google said it learned about the bad apps on March 1 and immediately stopped distributing them, then began removing them from the phones and tablets of the 260,000 users who had downloaded them.

Apple has confirmed it has the same ability to reach into iPhones and iPads, though the company has never admitted doing so.

That may be fine for ordinary users. They're adding apps at will, and neither Apple, Google, RIM nor any other smartphone vendor can thoroughly vet every app that's offered for its phones. Given that so much sensitive information is likely to flow through a smartphone, the ability to let a vendor kill malware by remote control at least sounds appealing—if you trust Apple and Google, anyway. Apple's recently patented ability to completely shut down an i-device has the same who-do-you-trust problem.

And not all users are happy to place that much trust in their phone maker. There were plenty of complaints among bloggers and online commenters when word broke about Google's use of its kill switch. Then again, there were similar complaints when Apple acknowledged its own iPhone app kill switch in 2008. That doesn't seem to have driven away users.

But retailers are in a different situation than users. There shouldn't be any malware downloaded to a mobile device being used for POS—or any other apps, for that matter. These handhelds should be locked down hard. No one should be able to add, remove or change software except IT. Certainly not users, and not Google or Apple either.

Unfortunately, both those vendors' licenses reserve the right to reach in.Unfortunately, both those vendors' licenses reserve the right to reach in, either to push operating system upgrades or remove problem software. And if retailers can't completely control what's on the devices, who has access to them, how they'll be set up and when they'll be changed, there's no way for a QSA to be sure a device is secure for handling payment card information. And these fears certainly also extend to mobile units that might happen to never be used for tendering purposes.

After all, mobile devices are much easier to steal or tamper with than dedicated POS devices, and those are already a perpetual security headache. A payment-card reader that's been tampered with is a bad enough risk, but at least those devices can literally be nailed down.

Not so with a mobile POS device. A dedicated thief with a netbook and a little privacy could steal an unattended POS smartphone or tablet, install malware and return the device in minutes without even leaving the store and with no obvious signs of tampering with the device. Short of the ability to lock down that phone or tablet, how can a QSA seriously agree that this is a secure way of processing a payment card?

The problem for retailers with reach-ins doesn't stop with payments. True, IT departments now have decades of experience with automated software updates for everything from PCs to HVAC systems. But mobile is very new and—as with every new platform—developers don't know which rules they can bend. (The one thing you know for sure is that they will break rules to make the devices do what's needed.)

That means there's a much higher chance that an unexpected update will break existing software as soon as it arrives, or worse, create subtle issues that won't become obvious until they generate major problems. That's why IT does regression testing on new software before it goes into production -- which can't happen if Apple or Google makes changes without warning.

Still, because on-the-spot checkout is a prime reason many retailers are looking at in-store mobile devices, mobile POS is the place where reach-ins have the potential to be a deal killer.

It shouldn't be. Apple and Google should be the most retailer-friendly phone vendors imaginable. Apple runs a chain of stores; Google offers an online checkout system. If any smartphone or tablet maker is going to understand the need of retailers to lock down devices and exempt them from reach-in, it should be these guys.

Of course, that's no guarantee they will understand. Apple and Google have brands to protect. Are they ready to let retailers completely control the devices, even if that means critical bugs can't be fixed? Will retailers have to sign away the right to sue over faulty handheld products, in exchange for the ability to completely control them as POS devices?

Maybe the response should be special hardened versions of Android and i-devices that can be locked down. But that's likely to jack up the price per device, and those hardened versions will always trail the current consumer smartphones in terms of capabilities.

It's an ugly tradeoff for retailers. Simply cutting a deal to allow locked-down devices would be a lot more attractive.

Still, Google and Apple's ability to spike rogue apps isn't all bad news for retailers. Suppose a retailer's own app is cracked by thieves and injected with malware, then submitted to the App Store or Android Marketplace. Suppose it slipped through the phone vendor's vetting process, and hundreds of thousands of your customers downloaded it to use before the malware was discovered.

Just about then, the ability to reach into all those phones and kill bad apps would start to sound very attractive indeed.