Android and iOS Attack Vectors Could Force IT’s Hand

By John Arkontaky
On Feb 14, 2014

Typically, I try to focus on innovation and enabling enterprises over doom-and-gloom scenarios. But, in the past two weeks a few mobile security stories emerged, and it’s important to take stock. Security is like insurance; it’s an idle resource-killer until disaster strikes. If you don’t have the right security measures in place when the smartphone hits the fan, compromised devices, leaked data, and legal ramifications could soon follow. At that point, there could be one more security issue: job security.

Mobile security threats come from all angles. This includes theft, hacking, viruses, and end users going rogue with apps, data, and connectivity. Only in the rarest circumstances does IT worry about desktop robbery, but this is a real enough issue for tablets and smartphones that the California Senate is proposing a “kill-switch” bill for mobile devices. This bill comes as a reaction to staggering crime statistics linked to mobile devices. Reportedly, half of the robberies in San Francisco are over a mobile device of some sort. In Oakland, three-quarters of muggings are over handheld electronics.

From what I’ve seen, the bill doesn’t specify operating systems. Rather, it dictates that all smartphones and tablets sold after December 2014 need a kill-switch mechanism built into the hardware or software by OEMs that prevents phone calls, Web browsing, and launching apps. Who controls the kill switch is unclear in the bill. It should be noted that iOS 7 already offers locking features that render an iPhone or iPad useless, and Samsung partners with LoJack for anti-theft measures for the Samsung Galaxy S4, but whether their respective security measures meet the bill’s requirements has yet to be determined.

Let's assume your mobile workforce moonlights as ninjas and you don’t have to worry about who comes out on the winning end of a stickup. A hole found in Snapchat, a popular media-sharing app, allows hackers to launch denial-of-service (DoS) attacks against iPhones. This can lead to bogged-down performance and system crashes. Further, a prior Snapchat hack exposed over 4 million users’ phone numbers and user names. Snapchat may be a consumer app, but that doesn’t mean your employees won’t download it.

The last example pertains to VPN on Android. Virtual private networks have a reputation for creating a secure gateway between endpoint and corporate systems. In this Android hack, the VPN encryption doesn’t hold up, leaving sensitive data open to prying eyes. The hack works against both the Jelly Bean and KitKat OS versions, and the scariest part is that this can be achieved without end users knowing it is happening.

In many contexts, security can be a burden. But, with the mobile workforce, security and productivity are synonymous. Regardless of whether your mobile workers are ninjas, are forbidden from using Snapchat, or never use VPN, the main point is that mobility is a new frontier. Like the New World and Wild West, new frontiers can be dangerous grounds where threats come fast and unexpectedly. You don’t want to be out in the breeze if natives start circling the wagon.

Enterprise mobility management (EMM) platforms offered by numerous vendors will give IT administrators deeper security control over smart devices. Our data shows that about 61% of companies will adopt mobile device management (MDM) by the end of 2014. If you’re in that 61%, you may want to think about going one step beyond MDM, as mobile application management offers security controls on a per-app basis and can be less intrusive on the user experience than MDM. If you have no plans for MDM—due to cost, perceived lack of benefit or ROI, in-house solutions, or any other reason—it would be advantageous to compare the security measures of in-house solutions like Exchange ActiveSync with those of a full-blown MDM.
