Smartphones are powerful devices, and a constant reminder that we are “living in the future.” We can take high-resolution photos, edit those photos, and upload them to the Internet in less time than it takes to order a cup of coffee. We can track our activity, our calorie intake, and our workouts. We can even get a ton of work done without ever opening a laptop or sitting down at a desk. All with a device that fits in the palm of the hand.
However, as with any complex device or system, vulnerabilities and the potential for bad guys to exploit them emerge. Along with the explosion in smartphone adoption has come new vectors for malware, virus infection, and so-called ransomware. A quick google of the terms “mobile device malware” yields dozens of results related to Android. Owing to various implementations of the Android OS by smartphone manufacturers, and a lot of choices for installing apps (Google Play Store, Amazon Appstore, sideloading Android application package files (APK)s, and more), there are many opportunities for the bad guys to introduce their nasty payloads.
In contrast, Apple iOS—regardless of carrier or device (iPhone, iPad, iPod, etc.)—is largely free of concerns about malware and other malicious payloads. The reason is not some innately better security in the iOS architecture vs. Android’s. It’s the closed ecosystem of iTunes and the App Store. It’s extraordinarily difficult to download any app or even music or movie without first going through one of these two Apple-controlled distribution mechanisms. Difficult, that is, unless an iPhone happens to be jail-broken, making it possible for users to download apps that aren’t available in the App Store.
The fact that almost every release of iOS gets jailbroken (despite the best efforts of Apple’s iOS developers) indicates that iOS is not inherently more secure than Android. However, because Apple vets and controls all apps available in the App Store, other security holes have very limited opportunity for exploit. As a result, the security track record of iOS has been much stronger than other platforms, and Apple users at least have the perception that their devices are relatively secure.
Why jailbreak a perfectly good iPhone, then? Well, especially among the high school set, there is the ever-tempting “cool factor” of having an app or customization that’s only available on a jailbroken iPhone. For others, it can be the desire to “have their cake and eat it, too”—all the polish of iOS without those pesky constraints of the App Store and the rigid default iOS interface. And for the tech-savvy, it can be the desire to tinker and see how things work. I’ve met more than a few folks with jailbroken iPhones, courtesy of a tech-savvy friend doing them a “favor.”
Regardless of the reasons, and despite disclaimers in many jailbreaking tools, many iPhone jailbreakers don’t fully grasp the security and privacy risks posed by leaving the safety of the closed Apple ecosystem. And with BYOD being the new reality, we must educate users to the risks of jailbroken phones. These risks extend beyond the individual to enterprise networks, applications, and the data a smartphone might access.
Various remote access solutions—SSL VPN gateways, virtual applications and desktops, and mobile application management solutions—are able to assess enterprise resources whether a user is running a supported operating system or a jailbroken version. While it may not be the kindest way to teach users about the dangers of jailbreaking their phones, preventing them from accessing sensitive systems and data using these compromised smartphones sends a clear message that these devices are no longer trustworthy. Make sure to update your mobile device policy and put it in writing.
Beyond simply restricting access, security training can help raise awareness about safe mobile device usage. Most training I’ve seen focuses on spotting potential phishing attacks, using good password practices, and logging out of sensitive accounts. Security awareness training can go a step further and educate aggressively about jailbreaking iPhones as well as sideloading apps from untrusted sources. While some organizations are adopting a strategy of segregating corporate and personal data on the device, or creating closed enterprise ecosystems featuring wrapped apps in an enterprise app store, these can be seen as half-measures that assume too much risk for the enterprise.
Whatever strategy we choose to reduce the risk of malicious apps on personal and enterprise-issued devices, the key is to educate ourselves on how the various operating systems provide security, and to make no assumptions about the security posture of any given device. It’s important to assess the security posture of every device that has access to our systems and data—on each and every request for access.[su_box title=”About Brian A. McHenry” style=”noise” box_color=”#336588″]
As a Security Solutions Architect at F5 Networks, Brian McHenry focuses on web application and network security. McHenry acts as a liaison between customers, the F5 sales team, and the F5 product teams, providing a hands-on, real-world perspective. Prior to joining F5 in 2008, McHenry, a self-described “IT generalist”, held leadership positions within a variety of technology organizations, ranging from startups to major financial services firms.
Twitter: @bamchenry[/su_box]
As a Senior Security Solutions Architect at F5 Networks, Brian McHenry focuses on web application and network security. McHenry acts as a liaison between customers and F5 product teams, providing a hands-on, real-world perspective. He is a regular contributor on InformationSecurityBuzz.com, a co-founder of BSidesNYC, and a speaker at AppSecUSA, BC Aware Day, GoSec Montreal, and the Central Ohio Infosec Summit, among others. Prior to joining F5 in 2008, McHenry, a self-described IT generalist, held leadership positions within a variety of technology organizations, ranging from startups to major financial services firms.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.