MOBILE SECURITY RISK REPORT

SUMMARY
Understanding the security impact of iOS and Android in the enterprise
November 2011

Executive Summary
Many corporations face the demand to rapidly increase the support and management of consumer mobile devices, especially iOS and Android, while still maintaining acceptable levels of data protection and enterprise security. Much of the information available is either based on vendor documentation, or is too general or too technical to provide a solid introductory risk assessment tool for corporate decision makers. This report provides specific, research-based intelligence on the threats, data exposure risk and benefits of the most common security measures for these critical platforms. In order to apply to a wide audience, the report addresses the effectiveness of policy controls in Microsoft Exchange ActiveSync (MS EAS) for popular devices, such as the Motorola Droid and iPhone 4. Case work, research and lab testing with these systems form the basis of our technical analysis.

Today, iOS is a more enterprise-ready and secure mobile platform than Android, due mainly to hardware encryption, greater application origin control and fuller support for MS EAS policies. Deployed with configuration profiles and appropriate policy settings, the iPhone 4 can support reasonably high security requirements. In addition, MDM software is available to further extend the management of these devices. However, significant iOS security issues exist, including the risks represented by the vulnerability of the iOS Keychain to decryption, jailbroken devices, software brute forcing of device passcodes and breaking of iOS encryption.

Android is less enterprise-ready, and thus far the platform has not addressed enterprise security as a key feature. Data encryption only begins with version 3.0 (not yet in wide use), and there is limited implementation of MS EAS policy controls. In reality, however, most of the security difference comes from the SD card, fragmentation of Android implementations and the less stringent controls on the application marketplace.
Corporations with higher risk tolerance and low regulatory requirements may find Android device risks acceptable, leveraging corporate policy and MS EAS policy controls to provide some measures of security. Secure messaging systems or MDM systems combined with secured mail clients also improve on the default Android security profile.
In any corporation with data synced to mobile devices, corporate IT policies should address acceptable use and required security practices, and should reserve the right to audit devices for purposes of compliance and incident response. Personally owned devices are generally more difficult to secure and control and should be specifically addressed in corporate policies. Finally, all corporate implementations of iOS or Android devices, whether using MS EAS, MDM or other sync or security software, should involve a regular audit of actual devices to assess the efficacy of controls and risk of data exposure.

© Copyright 2011 viaForensics, all rights reserved. No distribution or republication without permission.

Authors
Thomas Cannon, Ted Eull, Andrew Hoog, Joshua LaBorde, Jon Pisani, Katie Strzempka, Christopher Triplett, Jonathan Zdziarski

About the Lead Authors
Andrew Hoog is the co-founder of viaForensics and a leading mobile security and forensics researcher. He recently published the book Android Forensics and Mobile Security, and along with Katie Strzempka co-authored iPhone and iOS Forensics.

Ted Eull is VP Technology Services for viaForensics, overseeing delivery of mobile application security assessments, mobile device security audits and other services.

Thomas Cannon is a noted Android security and malware expert with extensive experience in risk mitigation, security assessment, and proactive enterprise security.

Jonathan Zdziarski is a pioneer in the field of Apple iOS forensics, an internationally recognized forensics expert and instructor for many law enforcement agencies, and an author of four books on iPhone development for O'Reilly Media.

About viaForensics
viaForensics is an innovative digital forensics and security firm providing services to corporations, law firms and law enforcement/government agencies. Our areas of focus include computer and mobile forensics, mobile app security, digital investigation and secure development.

Audience
This report is intended for those responsible for mobile security device risk assessment, primarily in the United States. It is based on hands-on experience with mobile devices by investigators with a deep technical understanding of the mobile platforms and corporate IT management.

Common Questions Answered in this Report
- Is iOS secure enough for use in the enterprise?
- Is Android secure enough for use in the enterprise?
- How do iOS and Android compare to BlackBerry for security?
- Does the device passcode prevent someone from accessing device data?
- Does iOS encryption work, and does it protect all device data from being stolen?
- How secure is the iOS keychain?
- Which is more secure, iOS or Android?
- Is it advisable to use iOS or Android for sensitive data?
- If we are planning to deploy or already using iPhones, do we need an MDM system?
- What is a strong enough passcode?

Key Issues and Recommendations
Mobile platform security is immature technology. Because smartphones are consumer technologies being implemented in business settings, they present unique security challenges. Thus, in many instances passcode protection and encryption do not prevent recovery of data for a moderately sophisticated attacker. Research into the controls on the device indicates these are relatively superficial and can be overridden by moderately skilled users. There are steps you can take to reduce the risk posed by deploying mobile devices. In this report, we provide recommendations for securing mobile devices in three categories: Basics, Enhanced and Advanced. Our recommendations should be adapted by each organization to suit its own security objectives.

High-level Risk Overview
Mobile devices pose significant risks for sensitive corporate information (SCI). With the increasing prevalence of both highly mobile devices and cyber-crime targeting corporations, key risks include data loss and compromised security. Smartphones are an ideal target for criminals, and if you deploy mobile devices, you must assume some of them will be lost, stolen or infected with malicious code. In addition to these risks, mobile devices present other unique risks. These come in the form of data storage, data leakage into backups, circumvention of network controls, use of smartphones as recording devices and as a means of advanced attacks, and other issues.

Realistic risk scenarios can help evaluate the potential impacts of known threats. Scenarios are also useful in planning how best to mitigate risk. In this report, we have outlined mobile risk scenarios such as Lost Smart Phone, Malware Infection, Targeted Attack, Border Crossing Investigation, and Employee Data Theft. We also provide a risk map to help quantify the threat posed by deploying mobile devices.

Auditing Mobile Devices
Mobile security is connected to multiple processes in the well-defined COBIT governance framework. The ISACA Mobile Audit/Assurance Program provides a thorough guide to the steps an organization can take to review mobile computing risk. However, there is often a gap between how security controls work in theory and how they work in practice, owing to security misconfigurations. Implementing a targeted device audit program can help you assess the actual security posture of a system.

Corporate Policies
Information security and acceptable use policies are not the favorite topic of most employees or IT departments. However, it is critical to ensure these policies are up-to-date with the technology in use. Policies covered in this report include:
- Sensitive corporate data
- Device encryption
- Complex passcodes
- Remote wipe
- iOS Jailbreaking, Android Rooting
- Tethering
- USB mass storage
- Data retention

- Acceptable use
- Asset tracking
- Personal device restricted actions & disclosure
- Privileged accounts & non-exempt staff
- Mobile use while driving
- End user training
- Device Audits

Security Comparison: iOS, Android and BlackBerry
For many, the primary concerns are:
1. Is enterprise data at greater risk on iOS and Android devices?
2. Are there tools enterprises can use to effectively manage and secure iOS and Android devices, like those offered by BlackBerry/BES?

At this time, our observation is that the combination of BlackBerry devices, OS and the BES server still provides a more secure solution than iOS or Android. Our deeper technical analysis of iOS and Android compares their passcode protection, data recovery capabilities, remote wipe capabilities, app isolation, malware protection, ActiveSync security controls, and data encryption. The analyses include details on various aspects of security protection and data recovery from these platforms, based on our case work and lab research. In some cases specific tests were performed for this report, while other details have been uncovered during the course of forensic and corporate security case work.

Device Security Control Profiles
The report includes profiles that describe measures which may be leveraged to achieve the general levels of security required. Each level lists the measures, including both policy and technology, that can be implemented, and the type of corporation and risk profile that could choose such a configuration.

MDM/Secure Messaging
Software targeting enterprise Mobile Device Management (MDM) allows for the central provisioning and management of mobile devices. Corporations may choose to implement such systems after identifying risks that specific solutions claim to address, which is a reasonable approach. But both the functionality and security of the solutions should be judged with a skeptical eye and tested for reliability after implementation.

viaForensics research has identified workarounds for MDM security controls such as jailbreak detection and app blacklisting. Additionally, we discuss how MDM generally relies on device OS security and an app running in user space, which means added security is limited. Secure messaging involves an additional system for delivery and storage of corporate email, in addition to MS EAS and the native email app. Enterprise messaging, meanwhile, focuses on delivery of email or Exchange data with an additional layer of security. Bearing additional cost and possible usability drawbacks, secure messaging/corporate sandbox can provide an added security layer if implemented and configured properly.

Technical Analysis – iOS
The report details various aspects of security protection and data recovery for iOS, based on our case work and lab research. In some cases specific tests were performed for this report, while other details have been uncovered during the course of forensic and corporate security case work. Sections of technical detail include the following:

Passcode Protection: This section addresses the efficacy of passcode protection in iOS and explains how passcode evasion techniques work.

Data Recovery: The report explains how data recovery from iOS devices on various versions can obtain data from backups, or using logical (file system) or physical (binary) recovery techniques. Areas of data recovery addressed include Exchange data (email/calendar/contacts), Gmail, SMS/MMS messages, call logs and more.

Remote Wipe: Remote erasure or wiping of corporate data is a key capability in the security control of mobile devices. This analysis details specific tests of the effectiveness of simply removing (un-syncing) an Exchange account, a remote wipe triggered through MS Exchange ActiveSync, and a local reset.

App Isolation: iOS app isolation or sandboxing is intended to prevent installed apps from accessing protected system resources or data from other apps. This section explains how this system generally operates and how it may be compromised.

ActiveSync Security Controls: The focus of this section is to cover specific basic policy settings that are fundamental to the security of a mobile device, and which can be controlled using MS Exchange ActiveSync policy controls. The efficacy of key controls is addressed, including: passcode requirement, failed password attempts, allow attachments, and device timeout.

Malware Protection: The report explains the means of malware protection in iOS as well as its limitations.

Data Encryption: This section discusses the different layers of encryption, including the keychain, data protection and the hardware-based encryption of iOS. It also provides an explanation of the means of breaking the layers of encryption and recommendations for effective data protection.

Technical Analysis – Android
The report details various aspects of security protection and data recovery for Android, based on our case work and lab research. In some cases specific tests were performed for this report, while other details have been uncovered during the course of forensic and corporate security case work. Sections of technical detail include the following:

Passcode Protection: This section addresses the efficacy of passcode protection in Android and explains how passcode evasion techniques work.

Data Recovery: The report explains how data recovery from Android devices can obtain data using logical (file system) or physical (binary) recovery techniques. Areas of data recovery addressed include Exchange data (email/calendar/contacts), Gmail, SMS/MMS messages, call logs and more.

Remote Wipe: Remote erasure or wiping of corporate data is a key capability in the security control of mobile devices. This analysis details specific tests of the effectiveness of simply removing (un-syncing) an Exchange account, a remote wipe triggered through MS Exchange ActiveSync, and a local reset.

App Isolation: Android app isolation is intended to prevent installed apps from accessing protected system resources or data from other apps. This section explains how this system generally operates and how it may be compromised.

ActiveSync Security Controls: The focus of this section is to cover specific basic policy settings that are fundamental to the security of a mobile device, and which can be controlled using MS Exchange ActiveSync policy controls. The efficacy of key controls is addressed, including: passcode requirement, failed password attempts, allow attachments, and device timeout.

Malware Protection: The report explains the means of malware protection in Android as well as its limitations.

Data Encryption: This section discusses the emerging encryption implementation in Android and its limitations.
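The four MS Exchange ActiveSync controls named in both the iOS and Android sections above (passcode requirement, failed password attempts, allow attachments, device timeout), as one added configuration example that is not from the report or from viaForensics. It assumes an Exchange 2010 server and its Exchange Management Shell; the policy names and mailbox address are placeholders.

```powershell
# Added example, not from the viaForensics report: an Exchange 2010
# ActiveSync mailbox policy for the controls the report tests. Assumes the
# Exchange Management Shell; policy names and the mailbox are placeholders.

# Weak policy: passcode optional, attachments on, and devices that cannot
# enforce a policy are still allowed to sync.
$weak = @{
    Name                         = "EAS-Weak-PLACEHOLDER"
    DevicePasswordEnabled        = $false
    AttachmentsEnabled           = $true
    AllowNonProvisionableDevices = $true
}

# Hardened policy: each parameter maps to a control named in the report.
$hardened = @{
    Name                               = "EAS-Hardened-PLACEHOLDER"
    DevicePasswordEnabled              = $true       # passcode requirement
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 8
    MaxDevicePasswordFailedAttempts    = 10          # failed password attempts before wipe
    MaxInactivityTimeDeviceLock        = "00:05:00"  # device timeout before lock
    AttachmentsEnabled                 = $false      # allow attachments
    AllowNonProvisionableDevices       = $false      # refuse devices that cannot enforce policy
    RequireDeviceEncryption            = $true       # per the report, Android supports this only from 3.0
}

New-ActiveSyncMailboxPolicy @weak
New-ActiveSyncMailboxPolicy @hardened

# Assign the hardened policy to a mailbox (placeholder address).
Set-CASMailbox -Identity "user@example.com" -ActiveSyncMailboxPolicy $hardened.Name

# Read back what each synced device reports. "Applied" only means the client
# claimed to enforce the policy; the report's finding that on-device controls
# can be overridden is why a physical device audit still follows this check.
Get-ActiveSyncDeviceStatistics -Mailbox "user@example.com" |
    Select-Object DeviceType, DeviceOS, DevicePolicyApplied, DevicePolicyApplicationStatus
```

Which of these settings a given phone actually honours varies by platform and OS version, which is the gap the report's iOS versus Android comparison measures.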
