Smartphones: the grey area of enterprise security

iPhones and Android handsets are penetrating your enterprise but does

Senior executives on the hunt for greater mobility are pushing for smartphone and tablet adoption in the enterprise, but can these devices be adequately secured?

The security challenges, in some ways, are no different to managing existing infrastructure - the smartphone is just another device in the overall ecosystem that needs controlling.

On the other hand, unlike simpler feature phones, the smartphone or iPad can in theory support business applications on platforms that often lack the set of tools normally used to manage PC risks, ranging from staff installing malicious apps and jailbreaking devices, to inadvertently or intentionally leaking corporate data.

“Overall security of mobile environments for companies is very much a grey area,” Drazen Drazic, managing director of Australian security consultancy Securus Global, told

“There is little in the way of monitoring and the anti-malware side of things is weak.”

Still, the demand for mobility is there and it is resulting in an increasing number of engagements to test mobile security.

“It is ramping up – in particular for the banking and finance sector but also for other companies who are testing things like third-party email applications and the like,” he said.

Companies are eager to press ahead with deployments despite some serious shortcomings in the organisations’ understanding of security and a device’s various strengths and weaknesses.

For example, Android does not offer anti-exploitation technologies, while all smartphone devices see each other over a 3G network, said Drazic.

A third, perhaps lower security risk but one that may disrupt operations that depend on a mobile application, is that in the case of Android, the hardware vendor can issue an over-the-air patch.

Symantec’s recent report “A Window Into Mobile Device Security”, which pitted Android against iOS, argued that in-built security features such as sandboxing, access control, data wiping and device encryption made them superior to their desktop roots, but noted weaknesses in both.

But Securus’ Drazic disagreed that the built-in security of iOS and Android was an improvement. In fact, they were just the same as their “broken” Linux and iOS predecessors.

“The built-in security model is the same as that of local Linux (Android) and OS X (iOS) users. It's a fundamentally broken model, as these devices don't have decent protection against local (kernel) exploits. Every hacker and his dog has private local privilege escalation for the platforms they're attacking,” he said.

Jailbroken iPhones more secure than 'legit' handsets

Still, Apple’s greatest defence, at least in terms of keeping malware at arm’s length, was its application vetting and certification process. So far this has kept malicious apps off its marketplace, but as the recent PDF jailbreaking exploit shows, there are other ways to bypass this, and for now no way to protect it during the time it takes for Apple to release a patch.

The iOS PDF vulnerability was not known to have been exploited by criminals, but the German Federal Information Office was concerned the point-and-click method of jailbreaking the device could lend itself to a targeted trojan attack on senior executives.

If such an attack were launched, antivirus firm F-Secure envisioned an effective way to lure a victim would be to hide the exploit behind a Twitter link.

The great irony of that situation was that until Apple issued a patch, jailbroken iPhones that applied the non-Apple patch supplied by the maker of the jailbreak were more secure than non-jailbroken ones, F-Secure’s chief researcher Mikko Hypponen told

But does a lack of antivirus for iOS really matter? For now at least, not really, John Engels, Symantec’s mobile team product manager told

“It hasn’t mattered historically, but as we see more of the jailbreaking PDF threat that we see now, this could become increasingly greater.

“The big risk is that as people start to use this to access sensitive corporate information, and unfortunately there is no protection against that.”

While Apple’s approach to securing iOS was “admirable”, the real risk for the enterprise comes from people using apps they probably should not.

“The problem is not that there is no security, but that I have no way to control what apps people run on this. And if you’re running an inappropriate app, it could create a liability for the enterprise that they can’t handle,” said Engels.

Perhaps a more important question may be why corporations are allowing mobile devices to store corporate information, itself symptomatic of a deeper carelessness towards securing data that has carried over from PC security management.

“It’s tough out there,” said Drazic. “Even now, most companies don’t encrypt their PCs and laptops so of course there’s a heap of data leakage issues. Mobile environment, no different. A bigger question is, why is sensitive data being stored on a mobile device?

“The most common scenario would be things like email, but these generally traverse the Internet cleartext anyway.”

Is Android the new Windows?

Android’s antivirus story is quite different. With a steady count of malware, any corporate deployment of Android should include antivirus, Engels suggested.

Security vendors have hedged their bets on Android being the next Windows desktop, thanks to Google’s unwillingness to vet new apps for security risks. There are over 300 antivirus applications on Android Market, including usual suspects Kaspersky, AVG, Symantec’s Norton and McAfee, and the most widely-used product, Lookout.

But even here, malware authors are exploiting Google’s weak vetting process. A fake Kaspersky Antivirus 2011 popped up recently, which captures and siphons off SMS messages to a server under the attacker’s control.

The latest in a steady stream of trojans was a mobile version of the banking malware Zeus, veiled behind a fake version of Trusteer’s Rapport SMS out-of-band solution for transaction authentications.

Jailbroken Android or iOS devices present an interesting challenge to organisations.

Symantec’s current Mobile Management product cannot detect if a device is jailbroken, and has relied on Microsoft’s ActiveSync and Exchange to pass down policy. The existing product lacked an “agent” on the end device; however, a new version due out in August will allow administrators to set a policy to block jailbroken phones, said Engels.

“When you put the app on authenticate yourself, the first thing it does is ask whether it is a jailbroken device and is it the right OS level.”

Some mobile management products, such as Good for Enterprise, can do this already; however, a quick look at MacRumors’ forum on the matter indicates the likely response to this measure will be that staff seek a way to bypass the lock-out.

As for antivirus, Engels believes the way forward for Symantec on the iPhone will be application controls, where administrators have a tool to black- or whitelist applications according to company policy.

It could limit potential risks arising from, for example, the recent bug in wildly popular cloud sharing service, DropBox, which briefly allowed any password to be used to access the accounts of its

“The biggest risk is now that I have a mobile device, you download DropBox to share information, the company has no visibility to it, and no control.”

On the other hand, it’s just another potential leakage point for the organisation on top of desktop USB ports that are not locked down or monitored.

“If they haven’t done it for the broader environment, they shouldn’t rush off and do it for mobile first, but look at the desktop and email side to minimise the stuff getting to the mobile in the first place. Traditional data leakage protection can help with that, and scan all devices, including mobile,” said Engels.


Stories by Liam Tung
