
MOBILE SECURITY RISK REPORT: SUMMARY
Understanding the security impact of iOS and Android in the enterprise
November 2011

Executive Summary
Many corporations face demands to rapidly expand support and management of consumer mobile devices, especially iOS and Android, while maintaining acceptable levels of data protection and enterprise security. Much of the available information is either vendor documentation, or too general or too technical to serve as an introductory risk assessment tool for corporate decision makers. This report provides specific, research-based intelligence on the threats, the data exposure risk and the benefits of the most common security measures for these platforms. To apply to a wide audience, the report addresses the effectiveness of policy controls in Microsoft Exchange ActiveSync (MS EAS) on popular devices such as the Motorola Droid and iPhone 4. Case work, research and lab testing with these systems form the basis of our technical analysis.

Today, iOS is a more enterprise-ready and secure mobile platform than Android, due mainly to hardware encryption, greater control over application origin and fuller support for MS EAS policies. Deployed with configuration profiles and appropriate policy settings, the iPhone 4 can support reasonably high security requirements, and MDM software is available to further extend management of these devices. However, significant iOS security issues exist, including the vulnerability of the iOS Keychain to decryption, jailbroken devices, software brute forcing of device passcodes and breaking of iOS encryption.

Android is less enterprise-ready and, thus far, the platform has not treated enterprise security as a key feature. Data encryption only begins with version 3.0, which is not yet in wide use, and implementation of MS EAS policy controls is limited. In practice, however, most of the security difference comes from the SD card, fragmentation of Android implementations and the less stringent controls on the application marketplace.
Corporations with higher risk tolerance and low regulatory requirements may find Android device risks acceptable, leveraging corporate policy and MS EAS policy controls to provide some measures of security. Secure messaging systems or MDM systems combined with secured mail clients also improve on the default Android security profile.
Copyright 2011 viaForensics, all rights reserved. No distribution or republication without permission.

In any corporation with data synced to mobile devices, corporate IT policies should address acceptable use and required security practices, and should reserve the right to audit devices for purposes of compliance and incident response. Personally owned devices are generally more difficult to secure and control and should be specifically addressed in corporate policies. Finally, all corporate implementations of iOS or Android devices, whether using MS EAS, MDM or other sync or security software, should involve a regular audit of actual devices to assess the efficacy of controls and risk of data exposure.

About viaForensics
viaForensics is an innovative digital forensics and security firm providing services to corporations, law firms and law enforcement/government agencies. Our areas of focus include computer and mobile forensics, mobile app security, and proactive enterprise security.

About the Lead Authors

Andrew Hoog is the co-founder of viaForensics and a leading mobile security and forensics researcher. He recently published the book Android Forensics and Mobile Security, and co-authored iPhone and iOS Forensics with Katie Strzempka.

Jonathan Zdziarski is a pioneer in the field of Apple iOS forensics. He is the author of four books on iPhone development for O'Reilly Media, an internationally recognized forensics expert and an instructor for many law enforcement agencies.

Thomas Cannon is a noted Android security and malware expert with extensive experience in risk mitigation, security assessment, digital investigation and secure development.

Ted Eull is VP Technology Services for viaForensics, overseeing delivery of mobile application security assessments, mobile device security audits and other services.

Authors
Thomas Cannon, Ted Eull, Andrew Hoog, Joshua LaBorde, Jon Pisani, Katie Strzempka, Christopher Triplett, Jonathan Zdziarski


Audience
This report is intended for those responsible for mobile device security risk assessment, primarily in the United States. It is based on hands-on experience with mobile devices by investigators with a deep technical understanding of the mobile platforms and of corporate IT management. Our recommendations should be adapted by each organization to suit its own security objectives.

Key Issues and Recommendations

Mobile platform security is an immature technology. Our research into on-device controls indicates they are relatively superficial and can be overridden by moderately skilled users; in many instances passcode protection and encryption do not prevent recovery of data by a moderately sophisticated attacker. Smartphones are consumer technologies being brought into business settings, and they present unique security challenges. There are steps you can take to reduce the risk posed by deploying mobile devices. In this report, we provide recommendations for securing mobile devices in three categories: Basics, Enhanced and Advanced.

Common Questions Answered in this Report

- Is iOS secure enough for use in the enterprise?
- Is Android secure enough for use in the enterprise?
- How do iOS and Android compare to BlackBerry for security?
- Does the device passcode prevent someone from accessing device data?
- Does iOS encryption work, and does it protect all device data from being stolen?
- How secure is the iOS keychain?
- Which is more secure, iOS or Android?
- Is it advisable to use iOS or Android for sensitive data?
- If we are planning to deploy or are already using iPhones, do we need an MDM system?
- What is a strong enough passcode?


High-level Risk Overview


Mobile devices pose significant risks for sensitive corporate information (SCI); key risks include data loss and compromised security. Smartphones are an ideal target for criminals, and if you deploy mobile devices, you must assume some of them will be lost, stolen or infected with malicious code. In addition to these risks, mobile devices present other unique risks. These come in the form of data storage, circumvention of network controls, use of smartphones as recording devices and as a means of advanced attacks. Realistic risk scenarios can help evaluate the potential impacts of known threats. Scenarios are also useful in planning on how best to mitigate risk; in this report, we have outlined mobile risk scenarios such as Lost Smart Phone, Malware Infection, Targeted Attack, Border Crossing Investigation, and Employee Data Theft. We also provide a risk map to help quantify the threat posed by deploying mobile devices.

Auditing Mobile Devices


Mobile security is connected to multiple processes in the well-defined COBIT governance framework; the ISACA Mobile Audit/Assurance Program provides a thorough guide to the steps an organization can take to review mobile computing risk. However, there is often a gap between how security controls work in theory and how they work in practice owing to security misconfigurations, data leakage into backups, and other issues. Implementing a targeted device audit program can help you assess the actual security posture of a system.

Corporate Policies
Information security and acceptable use policies are not the favorite topic of most employees or IT departments. However, with the increasing prevalence of both highly mobile devices and cyber-crime targeting corporations, it is critical to ensure these policies are up to date with the technology in use. Policies covered in this report include:

- Sensitive corporate data
- Device encryption
- Complex passcodes
- Remote wipe
- iOS jailbreaking, Android rooting
- Tethering
- USB mass storage
- Data retention
- Acceptable use
- Asset tracking
- Personal device restricted actions and disclosure
- Privileged accounts and non-exempt staff
- Mobile use while driving
- End user training
- Device audits

Security Comparison: iOS, Android and BlackBerry

For many, the primary concerns are:
1. Is enterprise data at greater risk on iOS and Android devices?
2. Are there tools enterprises can use to effectively manage and secure iOS and Android devices, like those offered by BlackBerry/BES?

At this time, our observation is that the combination of BlackBerry devices, OS and the BES server still provides a more secure solution than iOS or Android. Our deeper technical analysis of iOS and Android compares their passcode protection, data recovery capabilities, ActiveSync security controls, remote wipe capabilities, app isolation, malware protection and data encryption. The analyses include details on various aspects of security protection and data recovery from these platforms, based on our case work and lab research. In some cases specific tests were performed for this report, while other details have been uncovered during the course of forensic and corporate security case work.

Device Security Control Profiles


The report includes profiles that describe measures which may be leveraged to achieve the general levels of security required. Each level lists the measures, including both policy and technology, that can be implemented and the type of corporation and risk profile that could choose such a configuration.

MDM/Secure Messaging
Software targeting enterprise Mobile Device Management (MDM) allows for the central provisioning and management of mobile devices. Corporations may choose to implement such systems after identifying risks that specific solutions claim to address, which is a reasonable approach. But both the functionality and security of the solutions should be judged with a skeptical eye and tested for reliability after implementation.

viaForensics research has identified workarounds for MDM security controls such as jailbreak detection and app blacklisting. We also discuss how MDM generally relies on device OS security and on an app running in user space, which limits the security it can add. Enterprise messaging, meanwhile, focuses on delivery of email or Exchange data with an additional layer of security: secure messaging adds a separate system for delivery and storage of corporate email, alongside MS EAS and the native email app. At the cost of additional expense and possible usability drawbacks, secure messaging or a corporate sandbox can provide an added security layer if implemented and configured properly.

Technical Analysis: iOS

The report details various aspects of security protection and data recovery for iOS, based on our case work and lab research. In some cases specific tests were performed for this report, while other details have been uncovered during the course of forensic and corporate security case work. Sections of technical detail include the following:

Passcode Protection: This section addresses the efficacy of passcode protection in iOS and explains how passcode evasion techniques work.

Data Recovery: The report explains how data recovery from iOS devices on various versions can obtain data from backups, or using logical (file system) or physical (binary) recovery techniques. Areas of data recovery addressed include Exchange data (email, calendar, contacts), SMS/MMS messages, Gmail, call logs and more.

ActiveSync Security Controls: This section covers the basic policy settings that are fundamental to the security of a mobile device and that can be controlled using MS Exchange ActiveSync policy controls. The efficacy of key controls is addressed, including: passcode requirement, allow attachments, failed password attempts and device timeout.

Remote Wipe: Remote erasure or wiping of corporate data is a key capability in the security control of mobile devices. This analysis details specific tests of the effectiveness of simply removing (un-syncing) an Exchange account, of a remote wipe triggered through MS Exchange ActiveSync, and of a local reset.

App Isolation: iOS app isolation, or sandboxing, is intended to prevent installed apps from accessing protected system resources or data belonging to other apps. This section explains how this system generally operates and how it may be compromised.

Malware Protection: The report explains the means of malware protection in iOS as well as its limitations.

Data Encryption: This section discusses the different layers of encryption, including the keychain, data protection and the hardware-based encryption of iOS. It also explains means of breaking these layers of encryption and gives recommendations for effective data protection.

Technical Analysis: Android

The report details various aspects of security protection and data recovery for Android, based on our case work and lab research. In some cases specific tests were performed for this report, while other details have been uncovered during the course of forensic and corporate security case work. Sections of technical detail include the following:

Passcode Protection: This section addresses the efficacy of passcode protection in Android and explains how passcode evasion techniques work.

Data Recovery: The report explains how data recovery from Android devices can obtain data using logical (file system) or physical (binary) recovery techniques. Areas of data recovery addressed include Exchange data (email, calendar, contacts), SMS/MMS messages, Gmail, call logs and more.

ActiveSync Security Controls: This section covers the basic policy settings that are fundamental to the security of a mobile device and that can be controlled using MS Exchange ActiveSync policy controls. The efficacy of key controls is addressed, including: passcode requirement, allow attachments, failed password attempts and device timeout.

Remote Wipe: Remote erasure or wiping of corporate data is a key capability in the security control of mobile devices. This analysis details specific tests of the effectiveness of simply removing (un-syncing) an Exchange account, of a remote wipe triggered through MS Exchange ActiveSync, and of a local reset.

App Isolation: Android app isolation is intended to prevent installed apps from accessing protected system resources or data belonging to other apps. This section explains how this system generally operates and how it may be compromised.

Malware Protection: The report explains the means of malware protection in Android as well as its limitations.

Data Encryption: This section discusses the emerging encryption implementation in Android and its limitations.
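The ActiveSync Security Controls and Remote Wipe sections for both iOS and Android above refer to the same server-side MS EAS policy settings. As an added example (not material from the viaForensics report, and not a recommended baseline from it), the following Exchange 2010 Management Shell commands show a permissive policy next to a hardened one using those controls, the assignment of the policy to a mailbox, and how a remote wipe is issued and verified. The policy names, the mailbox "jdoe", the device ID, the notification address and the numeric thresholds are all assumptions chosen for illustration.

```powershell
# Added example: Exchange 2010 Management Shell. Names, thresholds, the
# mailbox, device ID and e-mail address below are illustrative assumptions.

# 1. A permissive policy of the kind many deployments start with: devices
#    that cannot enforce policy may still sync, no passcode is required and
#    attachments are delivered to the device.
New-ActiveSyncMailboxPolicy -Name "Weak-Mobile" `
    -AllowNonProvisionableDevices $true `
    -DevicePasswordEnabled $false `
    -AttachmentsEnabled $true

# 2. A hardened policy using the controls the report evaluates: passcode
#    required and alphanumeric, lockout after a number of failed attempts,
#    short inactivity timeout, device (and storage card) encryption required,
#    attachments withheld, and devices that cannot accept policy rejected.
New-ActiveSyncMailboxPolicy -Name "Hardened-Mobile" `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AttachmentsEnabled $false

# 3. Assign the hardened policy to a mailbox (assumed identity "jdoe").
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Hardened-Mobile"

# 4. List the devices currently partnered with the mailbox. DeviceId and
#    DeviceOS are what a device audit should be reconciled against.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Format-Table DeviceId, DeviceType, DeviceOS, LastSuccessSync

# 5. Issue a remote wipe for one device. The DeviceId is an assumption;
#    take the real one from the listing above.
$deviceId = "Android1234567890"
$dev = Get-ActiveSyncDevice -Mailbox "jdoe" |
    Where-Object { $_.DeviceId -eq $deviceId }
Clear-ActiveSyncDevice -Identity $dev.Identity `
    -NotificationEmailAddresses "security@example.com" -Confirm:$false

# 6. Verify. DeviceWipeSentTime only shows the request was queued; the wipe
#    is confirmed only once DeviceWipeAckTime is populated, which requires the
#    device to reconnect. A device kept offline never acknowledges, which is
#    why the report also tests local reset and un-syncing.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceWipeSentTime -and -not $_.DeviceWipeAckTime } |
    Format-Table DeviceId, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

Two caveats a practitioner should keep in mind. First, EAS provisioning is acknowledged by the client: the server learns only that the device reported accepting the policy, not whether the device actually enforces every setting, so a client with partial EAS support can sync under a policy it does not fully honor; that gap is exactly what the device audits recommended in this report are meant to catch. Second, setting AllowNonProvisionableDevices to $false blocks devices that do not implement provisioning at all, but it does not change the first point.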
