Friday, November 6, 2009

Portable Apps

A friend of mine recently pointed me in the direction of Portable Apps for Windows. A portable application for Windows is one that does not leave its files or settings on the host computer. The concept was familiar as I’ve often used Linux Live CDs, although a Live CD is really a portable OS rather than a set of portable applications. I really like the idea, but what about the security implications?

I installed the Portable Apps Suite Lite, which contains over a dozen applications including Firefox. It uses the approach of having specially written applications rather than application virtualisation. I decided to do my testing with Firefox as it is something that I could see adding real value. A few years ago I used to travel a lot to the various European offices of the company I was working for. As my laptop was slow, old and over 4 kg, I often used to leave it at home and work on any spare desktop that was available. It would have been a godsend to have had a USB stick with my own browser, email client, etc., rather than struggling away with an out-of-date version of Internet Explorer in a language I couldn’t always understand.

My first concern was that the portable applications might quickly become out of date, exposing security vulnerabilities. However, Firefox updated itself from version 3.0.7, which came with the initial install, to version 3.0.15, which suggests that security updates are application specific and not necessarily limited by being portable.

A significant risk of the portable app comes from the associated USB stick. Malware distribution from removable media, although once prevalent when floppy disks were in common use, was until recently rarely a problem. It seems, however, to be making a big comeback, with Trojans such as the Taterf worm using USB sticks as their primary distribution method.

A positive aspect of a Windows portable app is that it has the potential to run on a host computer using an account that has minimum security privileges. In this respect, security could actually be improved by use of portable apps, as malware, whether it comes directly from the USB stick or is downloaded from a malicious web site, could do less damage to the host system.

After a week of messing around with Portable Apps I could only conclude that the security implications of such technology are somewhat ambiguous. More investigation needs to be done. Unfortunately, I can see Portable Apps being used mainly on corporate systems which are severely locked down to restrict users to certain approved applications. This of course defeats the object of the lockdown, and so conflict with system administrators is highly likely.
