Android security in the enterprise - can the worst flaws be fixed?

How does Android's growing list of vulnerabilities affect enterprises and is there much they can do about them?

Suddenly the big beasts of Android are taking the platform's security very seriously. Recent weeks have seen a number of significant security flaws, including a particularly alarming one called Stagefright that could be used against almost every Android user on the planet with very little difficulty.

Google suddenly appears to be less laid back than usual about this, announcing within days of Stagefright that from this month its own Nexus devices will receive at least monthly Over-The-Air (OTA) updates offering security fixes. Samsung, the biggest hardware partner, has said it will feed this through to Galaxy smartphones and tablets, also from this month, although the timing for specific fixes will still depend on coordination with mobile carriers.

What prompted the change? Numbers from Danish vulnerability management firm Secunia show that 80 flaws have been found in Apple's iOS so far in 2015 compared to an apparently modest 10 in Android. These numbers are deceptive; what matters with mobile operating systems is how serious the flaws are, how easy they are to fix and how quickly that happens. Apple has direct control over that process, Google (with the exception of Nexus devices) doesn't. If Google either produces a patch that must be applied by carriers or phone makers, or the flaw exists in a third-party plug-in that is part of the ecosystem not controlled by Google, it could be weeks, months or never before handsets receive an update.

Worries about Android's fragmentation and its effect on security are nothing new but anxieties about the way the platform handles security run deeper. There was a time when Windows PCs were only updated for security issues on an occasional basis but by 2003 Microsoft had realised that this was no longer sufficient. Android is now going through much the same growing up process.

Depending on the nature of the flaw (i.e. whether it is buried in Android itself or a third-party component) Google always produces the first fix. But consumers still rely on carriers and manufacturers to apply it, and much the same may apply to enterprises. The fact that a large organisation manages its Android devices using Samsung's Knox security platform for BYOD or a third-party Mobile Device Management (MDM) system is irrelevant if no patch is available for the flaw in question.

The 'Certifi-Gate' mRST flaw

Revealed this week by Check Point, this is a certificate weakness in two mobile Remote Support Tool (mRST) plug-ins called Rsupport and TeamViewer, used by a large number of handset makers for remote support. In essence, the weakness allows an attacker to use a malicious app to piggyback on the certificates and permissions given to these apps, taking control of the device.

Devices affected: Affected makers running Android devices up to version 5.1
Year: 2015
Fix: Not easy but will depend on each company updating handsets individually. There's also some doubt about how easy it will be to revoke access to an older version of the vulnerable flaw, which implies that attackers could find a way back in even when an update is issued.
Tools: Check Point offers a Certifi-gate scanner app which admins can use to confirm the bad news.

'Stagefright' MMS flaw

The most severe flaw ever to affect Android, largely because of its universality and the ease with which it could be exploited by an attacker to take over a handset by sending a malicious MMS message. Google's Nexus devices should get the fix first, straight from Google, although as of 7 August that hadn't happened on our test device. Otherwise, enterprises are at the mercy of the handset maker and network carrier in question unless they run a specialist device such as the secure Blackphone, which has already implemented it. This flaw will be a major test of how fast Android can be updated in the field for a major issue.

Devices affected: All handsets up to version 5.1
Year: 2015
Fix: Wait for updates from the device maker or Google. In the meantime, disable automatic MMS retrieval in the default messaging app if the carrier doesn't do it.
Tools: Zimperium has released an app on Google Play to detect vulnerable smartphones called Stagefright Detector.

Android Installer hijacking

Allows attackers to hijack the install process and sneak a malicious application on to the target smartphone. A vulnerability that will still be very common on older Android smartphones, although it only affects enterprises using third-party app stores, which reduces the danger level.

Devices affected: up to version 4.3
Year: 2015
Fix: Buy a new smartphone or update to Android 4.3_r0.9
Tools: Palo Alto offers a tool on Google Play.

Android FakeID flaw

Slightly older but potentially serious flaw, again affecting older smartphones from version 2.1 to version 4.4. Provides a way for attackers to impersonate a trusted application without that being apparent to the user.

Devices affected: All Android versions up to 4.31
Year: 2014
Fix: Multiple handset makers and carriers released patches for this flaw by early August 2014.
Tools: Bluebox Security and others released scanner apps.

Linux futex 'TowelRoot'

A vulnerability that started life with a CVE number but not long after was incorporated into a legitimate rooting tool - the first proof-of-concept exploit in effect, albeit one with a specific purpose. That tool gave the flaw its name, TowelRoot. Unusual in that it also affected Linux itself, and was given the CVE-2014-3153 identifier.

Devices affected: Android up to version 4.4
Year: 2014
Fix: Patched in Android 4.43
Tools: None needed to detect it but some mobile security products claim to block it

Stories by John E Dunn
