Senior executives on the hunt for greater mobility are pushing for smartphone and tablet adoption in the enterprise, but can these devices be adequately secured?
The security challenges, in some ways, are no different to managing existing infrastructure - the smartphone is just another device in the overall ecosystem that needs controlling.
On the other hand, unlike a simpler feature phones, the smartphone or iPad can in theory support business applications on platforms that often lack the set of tools normally used to manage PC risks, ranging from staff installing malicious apps and jailbreaking devices, to inadvertently or intentionally leaking corporate data.
“Overall security of mobile environments for companies is very much a grey area,” Drazen Drazic managing director of Australian security consultancy, Securus Global, told CSO.com.au.
“There is little in the way of monitoring and the anti-malware side of things is weak.”
Still, the demand for mobility is there and it is resulting in an increasing number of engagements to test mobile security.
“It is ramping up – in particular for the banking and finance sector but also for other companies who are testing things like third-party email applications and the like,” he said.
Companies are eager to press ahead with deployments despite some serious shortcomings in the organisations’ understanding of security and a device’s various strengths and weaknesses.
For example, Android does not offer anti-exploitation technologies, while all smartphone devices see each other over a 3G network, said Drazic.
A third, perhaps lower security risk but one that may disrupt operations that depend on a mobile application, is that in the case of Android, the hardware vendor can issue an over- the-air patch.
Symantec’s recent report “A Window Into Mobile Device Security”, which pitted Android against iOS, argued that in-built security features such as sandboxing, access control, data wiping and device encryption made them superior to their desktop roots, but noted weaknesses in both.
But Securus’ Drazic disagreed that the built-in security of iOS and Android were an improvement. In fact, they were just the same as their “broken” Linux and iOS predecessors.
“The built-in security model is the same as that of local Linux (Android) and OS X (iOS) users. It's a fundamentally broken model, as these devices don't have decent protection against local (kernel)exploits. Every hacker and his dog has private local privilege escalation for the platforms they're attacking,” he said.
Jailbroken iPhones more secure than 'legit' handsets Still, Apple’s greatest defence, at least in terms of keeping malware at arm’s length, was its application vetting and certification process. So far this has kept malicious apps off its marketplace, but as the recent PDF jailbreaking exploit shows, there are other ways to bypass this, and for now no way to protect it during the time it takes for Apple to release a patch.
The iOS PDF vulnerability was not known to have been exploited by criminals, but the German Federal Information Office was concerned the point-and-click method of jailbreaking the device could lend itself to a targeted trojan attack on senior executives.
If such an attack were launched, antivirus firm F-Secure envisioned an effective way to lure a victim would be to hide the exploit behind a Twitter link.
The great irony of that situation was that until Apple issued a patch,jailbroken iPhones that applied the non-Apple patch supplied by the maker of the jailbreak were more secure than non-jailbroken ones, F-Secure’s chief researcher Mikko Hypponen told CSO.com.au.
But does a lack of antivirus for iOS really matter? For now at least,not really, John Engels, Symantec’s mobile team product manager told CSO.com.au.
“It hasn’t mattered historically, but as we see more of the jailbreaking PDF threat that we see now, this could become increasingly greater.
“The big risk is that as people start to use this to access sensitive corporate information, and unfortunately there is no protection against that.”
While Apple’s approach to securing iOS was “admirable”, the real risk for the enterprise comes from people using apps they probably should not.
“The problem is not that there is no security, but that I have no wayto control what apps people run on this. And if you’re running an inappropriate app, it could create a liability for the enterprise that
they can’t handle,” said Engels.
Perhaps a more important question may be why corporations are allowing mobile devices to store corporate information, itself symptomatic of a deeper carelessness towards securing data that has carried over from PC security management.
“It’s tough out there,” said Drazic. “Even now, most companies don’t encrypt their PCs and laptops so of course there’s a heap of data leakage issues. Mobile environment, no different. A bigger question is, why is sensitive data being stored on a mobile device?
“The most common scenario would be things like email, but these generally traverse the Internet cleartext anyway.”
Is Android is the new Windows?
Android’s antivirus story is quite different. With a steady count of malware, any corporate deployment of Android should include antivirus,Engels suggested.
Security vendors have hedged their bets on the Android as being its next Windows desktop, thanks to Google’s unwillingness to vet new apps for security risks. There are over 300 antivirus applications on Android Market, including usual suspects Kaspersky, AVG, Symantec’s Norton and McAfee, and the most widely-used product, Lookout.
But even here, malware authors are exploiting Google’s weak vetting process. A fake Kaspersky Antivirus 2011 popped up recently, which captures and syphons-off SMS messages to a server under the attacker’s control.
The latest in a steady stream of trojans was a mobile version of the banking malware Zeus, veiled behind a fake version of Trusteer’s Rapport SMS out-of-band solution for transaction authentications.
Jailbroken Android or iOS devices present an interesting challenge to organisations.
Symantec’s current Mobile Management product cannot detect if a device is jailbroken, and has relied on Microsoft’s ActivSync and Exchange to pass down policy. The existing product lacked an “agent” on the end device, however, a new version due out in August will allow administrators to set a policy to block jailbroken phones, said Engels.
“When you put the app on authenticate yourself, the first thing it does is ask whether it is a jail broken device and is it the right OS level.”
Some mobile management products, such as Good for Enterprise, can do this already, however a quick view of MacRumour’s forum on the matter indicates the likely response to this measure will be that staff seek a way to bypass the lock-out.
As for antivirus, Engels believes the way forward for Symantec on the iPhone, will application controls, where administrators have a tool to black- or whitelist applications according to company policy.
It could limit potential risks arising from, for example, the recent bug in wildly popular cloud sharing service, DropBox, which briefly allowed any password to be used to access the accounts of its
“The biggest risk is now that I have a mobile device, you download DropBox to share information, the company has no visibility to it, and no control.”
On the other hand, it’s just another potential leakage point for the organisation on top of desktop USB ports that are not locked down or monitored.
“If they haven’t done it for the broader environment, they shouldn’t rush off and do it for mobile first, but look at the desktop and email side to minimise the stuff getting to the mobile in the first place.
Traditional data leakage protection can help with that, and scan all devices, including mobile,” said Engels.