
Enabling Visibility into Software Trustworthiness on APP Stores

[UPDATE March 3, 2023: National Cybersecurity Strategy released on 3/2. Anne Neuberger refers to restaurant cleanliness scores to convey the need to provide consumers with more transparency into the trustworthiness of apps and IoT devices using a trust score label]

[UPDATE December 2: Letter from FCC Commissioner Brendan Carr exposing the truth about the real risks when installing apps from app stores. Consumers deserve to know if an app is trustworthy before installing]

Many people have experienced the case where you go to your favorite app store to search for apps and receive a whole bunch of matching results. Now you have to decide which one to install, but there are risks with any software application. It could have vulnerabilities that enable a hacker to steal your data, or the software may perform functions that you really don’t want running on your device, e.g. bitcoin mining, which can drain a battery very quickly. You’re left with the question: which one of these apps is trustworthy enough to install on my device?

Some people believe that apps in app stores have been thoroughly vetted before being allowed in. But each app store uses its own criteria and methods, and they are not the same across app stores. Even those app stores considered to be the most trustworthy have allowed risky software to be downloaded and installed on a smartphone. The “Software Vulnerability Snapshot” reports that 95% of tests uncovered vulnerabilities in target apps.

Some people believe the number of “Likes” is an indication of trustworthiness. Unfortunately, the number of Likes won’t tell you that an application was developed in a location hostile to the US. It doesn’t take much to convince someone to go into an app store and hit the Like button, even though that person may never have used or installed the app. Likes do NOT equal trustworthiness; we need something else. What if each app store could produce a “trust score” indicating the trustworthiness of an app based on factors such as who built the app, where it was developed, whether it contains malware, whether it has any known vulnerabilities, and so on?

The presence of an app in an app store does not make it trustworthy, just ask these 15 million people that were impacted by a risky app.

Imagine the next time you go to an app store to do a search and the results returned contain a “TRUST SCORE” button that would return a statistically calculated trust score, conceptually similar to a FICO score or a restaurant cleanliness score. You could check the “TRUST SCORE” for each of the apps returned by your search request, looking for the app with the highest trust score. This would enable you to make a risk-based decision to install or not install an app based on the trust score calculated for it. Some app stores may choose to display a trust score with each app and sort the results by trust score, with the highest-scoring, most trustworthy apps listed first in the result set. This could protect you from installing a risky app and compromising your personal data, or possibly destroying your device contents with ransomware.

One critical success factor for this app “TRUST SCORE” to work is that all app stores will need to follow the same standard methods and criteria for measuring trustworthiness of an app, just like the FICO score is produced using common and consistent methods and criteria to determine the trustworthiness of a person. For example, you can go to any car dealership and they will use the same FICO scoring method to determine trustworthiness. The same must be true for any app store that wants to display a trustworthiness score for software – the same “risk assessment methods and criteria” must be used across all app stores, just like the FICO process, in order to provide consistent TRUST SCORE results for applications and other software objects. In practice, you should be able to compare the trust score of a calorie counting app on the Apple app store with a calorie counting app found on the Windows store, or Amazon, or Google Play and others. The trust score must be consistent and mean the same thing, regardless of which app store is used to check the trustworthiness of an app, using the same trust scoring methods and criteria, in order to do an apples-to-apples comparison across app store applications.

This is the role of REA’s patented SAGScore™ (US11,374,961) and SAG™ methods used to determine trustworthiness of software objects and their entire supply chain. The SAGScore™ relies on common, consistent methods and criteria (factors) to measure the integrity and authenticity of a software object and its entire supply chain. SAGScore™ results are placed in the SAG Community Trust Registry™, SAG-CTR™, allowing app stores to check the trustworthiness of any software object in the app store by querying the SAG-CTR™ for a SAGScore™ recorded in the SAG-CTR™ database. This ensures that a check for trustworthiness of an app is consistent across app stores and operating system platforms, enabling a software consumer to make a risk-based decision to install or not install an app, based on its SAGScore™.
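To make the registry idea above concrete, here is an added illustration written for this post; it is not REA’s code and does not use the SAG-CTR™ API, whose interface is not described here. It assumes a hypothetical registry keyed by the SHA-256 digest of the delivered package bytes, a hypothetical 0–100 score that rolls up the factors named earlier (publisher, origin, malware, known vulnerabilities), and a caller-chosen minimum score. Keying on the content digest rather than on a store listing is what makes the same app return the same score from any store, and a copy whose bytes differ by even one byte comes back as unknown rather than inheriting the original’s score. All packages and records are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Hypothetical trust record: the factors named in the post (who built it,
# where, malware, vulnerabilities) collapsed into one 0-100 score.
@dataclass(frozen=True)
class TrustRecord:
    publisher: str
    origin: str
    malware_found: bool
    known_vulns: int
    score: int  # 0-100, higher is more trustworthy (assumed scale)


# Constructed in-memory registry keyed by the SHA-256 of the package bytes.
# Keying on the digest, not on the store listing, is what makes the answer
# identical no matter which store serves the file.
REGISTRY: Dict[str, TrustRecord] = {}


def digest(package: bytes) -> str:
    """Content digest of the software object exactly as delivered to the device."""
    return hashlib.sha256(package).hexdigest()


def register(package: bytes, record: TrustRecord) -> str:
    """Record a score for exactly these bytes; returns the registry key."""
    key = digest(package)
    REGISTRY[key] = record
    return key


def lookup(package: bytes) -> Optional[TrustRecord]:
    """Return the record for these bytes, or None if nothing was ever scored."""
    return REGISTRY.get(digest(package))


def decide(package: bytes, minimum: int = 70) -> str:
    """Risk-based install decision. Unknown and malware cases are spelled out
    so a missing record is never silently treated as a passing score."""
    rec = lookup(package)
    if rec is None:
        return "unknown: no score recorded for these bytes"
    if rec.malware_found:
        return "reject: malware finding overrides score"
    if rec.score < minimum:
        return f"reject: score {rec.score} below minimum {minimum}"
    return f"install: score {rec.score} meets minimum {minimum}"


def rank_results(results: List[Tuple[str, bytes]]) -> List[Tuple[str, Optional[int]]]:
    """Order search results highest score first; unscored entries go last."""
    scored = []
    for name, pkg in results:
        rec = lookup(pkg)
        scored.append((name, rec.score if rec else None))
    return sorted(scored, key=lambda item: (item[1] is None, -(item[1] or 0)))


def compare_across_stores(listings: Dict[str, bytes]) -> Dict[str, str]:
    """Same bytes listed on several stores must yield the same decision."""
    return {store: decide(pkg) for store, pkg in listings.items()}


# Constructed sample packages (stand-ins for real app bundles).
GOOD_APP = b"calorie-counter v1.2 release bundle"
TAMPERED_APP = GOOD_APP + b"\x00"  # one extra byte: a different software object
MALICIOUS_APP = b"calorie-counter-free bundle"
LOW_SCORE_APP = b"calorie-counter-lite bundle"

register(GOOD_APP, TrustRecord("Example Health Inc", "US", False, 0, 85))
register(MALICIOUS_APP, TrustRecord("unknown", "unknown", True, 3, 10))
register(LOW_SCORE_APP, TrustRecord("Lite Apps", "unknown", False, 4, 40))

if __name__ == "__main__":
    print(compare_across_stores({"Store A": GOOD_APP, "Store B": GOOD_APP, "Store C": TAMPERED_APP}))
    print(rank_results([("lite", LOW_SCORE_APP), ("counter", GOOD_APP),
                        ("free", MALICIOUS_APP), ("mirror", TAMPERED_APP)]))
```

The two checks worth carrying into any real implementation are the ones the example makes explicit: an unscored object is reported as unknown rather than scored zero or skipped, and a malware finding rejects the install regardless of how high the rolled-up number is.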

This is one way we can stop harmful software and supply chain breaches from being installed in our devices.

Never trust software, always verify and report!™

I look forward to discussing this very important topic at the IETF 114 meeting in Philadelphia on 7/28 during the Supply Chain Integrity, Transparency and Trust session. Hope to see you there.