SUMMARY
Understanding the security impact of iOS and Android in the enterprise
November 2011

Executive Summary
Many corporations face demand to rapidly expand support and management of consumer mobile devices, especially iOS and Android, while maintaining acceptable levels of data protection and enterprise security. Much of the information available is either based on vendor documentation, or is too general or too technical to serve as a solid introductory risk assessment tool for corporate decision makers. This report provides specific, research-based intelligence on the threats, the data exposure risk and the benefits of the most common security measures for these two platforms. To apply to a wide audience, the report addresses the effectiveness of policy controls in Microsoft Exchange ActiveSync (MS EAS) on popular devices such as the Motorola Droid and the iPhone 4. Case work, research and lab testing with these systems form the basis of our technical analysis.

Today, iOS is more enterprise-ready and more secure than Android, mainly because of hardware encryption, tighter control over application origin and fuller support for MS EAS policies. Deployed with configuration profiles and appropriate policy settings, the iPhone 4 can support reasonably high security requirements, and MDM software is available to further extend management of these devices. However, significant iOS security issues remain, including the vulnerability of the iOS Keychain to decryption, jailbroken devices, software brute forcing of device passcodes and breaking of iOS encryption.

Android is less enterprise-ready, and so far the platform has not treated enterprise security as a key feature. Data encryption only begins with version 3.0 (not yet in wide use) and MS EAS policy controls are only partially implemented. In practice, however, most of the security difference comes from the SD card, fragmentation of Android implementations and the less stringent controls on the application marketplace. Corporations with higher risk tolerance and low regulatory requirements may find Android device risks acceptable, leveraging corporate policy and MS EAS policy controls to provide some measure of security. Secure messaging systems, or MDM systems combined with secured mail clients, also improve on the default Android security profile.
Copyright 2011 viaForensics, all rights reserved. No distribution or republication without permission.
In any corporation with data synced to mobile devices, corporate IT policies should address acceptable use and required security practices, and should reserve the right to audit devices for purposes of compliance and incident response. Personally owned devices are generally more difficult to secure and control and should be specifically addressed in corporate policies. Finally, all corporate implementations of iOS or Android devices, whether using MS EAS, MDM or other sync or security software, should involve a regular audit of actual devices to assess the efficacy of controls and risk of data exposure.
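The MS EAS policy controls and the device audit referred to above, shown as an added example of how an Exchange 2010 administrator would actually configure and check them; this is not code from the viaForensics report. The policy name "Corp-Mobile-High", the mailbox "jdoe" and the numeric thresholds are illustrative assumptions, and the commands are run from the Exchange Management Shell.

```powershell
# Added example, not from the report. Exchange 2010 Management Shell.
# Policy name, mailbox identity and thresholds are assumed values.

# 1. Define one ActiveSync mailbox policy covering the controls the report
#    evaluates: complex passcode, auto-lock, local wipe after repeated
#    failures, device and storage-card encryption, and no sync for devices
#    that cannot apply the policy at all.
$policy = @{
    Name                               = "Corp-Mobile-High"   # assumed name
    AllowNonProvisionableDevices       = $false   # only server-side lever: refuse clients that cannot accept policy
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    AllowSimpleDevicePassword          = $false   # rejects 1234, 1111 and the like
    MinDevicePasswordLength            = 8
    MinDevicePasswordComplexCharacters = 2
    MaxDevicePasswordFailedAttempts    = 10       # device wipes itself after 10 wrong passcodes
    MaxInactivityTimeDeviceLock        = "00:05:00"
    DevicePasswordExpiration           = "90.00:00:00"
    DevicePasswordHistory              = 5
    RequireDeviceEncryption            = $true
    RequireStorageCardEncryption       = $true    # addresses the Android SD card exposure
    AllowStorageCard                   = $false
    PasswordRecoveryEnabled            = $false
}
New-ActiveSyncMailboxPolicy @policy

# 2. Assign the policy to a mailbox (loop over a distribution group in practice).
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Corp-Mobile-High"

# 3. Audit: every synced device, its OS/user agent, last sync, and whether the
#    device itself reports the policy as applied in full. Anything other than
#    AppliedInFull is a device whose actual controls need a hands-on check.
Get-CASMailbox -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } |
    Select-Object Identity, DeviceType, DeviceOS, DeviceUserAgent,
                  LastSuccessSync, DevicePolicyApplied, DevicePolicyApplicationStatus |
    Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" } |
    Format-Table -AutoSize

# 4. Remote wipe of a lost or non-compliant device. The identity comes from the
#    audit output above; the wipe only executes the next time the device syncs.
# Clear-ActiveSyncDevice -Identity "<device Identity from step 3>" -Confirm:$false
```

The caveat a practitioner should keep in mind: every setting except AllowNonProvisionableDevices is enforced by the EAS client on the device, not by the server. The server only records what the client claims to have applied, which is why a device reporting PartiallyApplied (typical of the Android clients the report discusses) or a jailbroken device reporting AppliedInFull still needs the physical audit the report recommends.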
About viaForensics
viaForensics is an innovative digital forensics and security firm providing services to corporations, law firms and law enforcement/government agencies. Our areas of focus include computer and mobile forensics, mobile app security, and proactive enterprise security.
Authors
Thomas Cannon, Ted Eull, Andrew Hoog, Joshua LaBorde, Jon Pisani, Katie Strzempka, Christopher Triplett, Jonathan Zdziarski
Audience
This report is intended for those responsible for mobile device security risk assessment, primarily in the United States. It is based on hands-on experience with mobile devices by investigators with a deep technical understanding of the mobile platforms and of corporate IT management. Our recommendations should be adapted by each organization to suit its own security objectives.
Corporate Policies
Information security and acceptable use policies are not the favorite topic of most employees or IT departments. However, with the increasing prevalence of both highly mobile devices and cyber-crime targeting corporations, it is critical to ensure these policies are up to date with the technology in use. Policies covered in this report include:

- Sensitive corporate data
- Device encryption
- Complex passcodes
- Remote wipe
- iOS jailbreaking, Android rooting
- Tethering
- USB mass storage
- Data retention
- Acceptable use
- Asset tracking
- Personal device restricted actions & disclosure
- Privileged accounts & non-exempt staff
- Mobile use while driving
- End user training
- Device audits
MDM/Secure Messaging
Software targeting enterprise Mobile Device Management (MDM) allows for the central provisioning and management of mobile devices. Corporations may choose to implement such systems after identifying risks that specific solutions claim to address, which is a reasonable approach. But both the functionality and security of the solutions should be judged with a skeptical eye and tested for reliability after implementation.
viaForensics research has identified workarounds for MDM security controls such as jailbreak detection and app blacklisting. We also discuss how MDM generally relies on the device OS security model and on an agent app running in user space, which limits how much security it can add. Enterprise messaging, meanwhile, focuses on delivery of email or Exchange data with an additional layer of security: secure messaging introduces a separate system for delivery and storage of corporate email, alongside MS EAS and the native email app. At the cost of additional expense and possible usability drawbacks, a secure messaging system or corporate sandbox can provide an added security layer if implemented and configured properly.
Malware Protection

The report explains the means of malware protection in iOS as well as their limitations.

Data Encryption

This section discusses the different layers of encryption in iOS, including the keychain, data protection and hardware-based encryption. It also explains how each of these layers can be broken, and gives recommendations for effective data protection.
Data Encryption

This section discusses the emerging encryption implementation in Android (available from version 3.0) and its limitations.