Apple iOS (and Android): Data Leakage by Design

20.02.2012 by Martin Kuppinger

Recently an old story hit the news again: Apple iOS allows apps free access to the address book, without any user consent. However that isn’t really new. The story was told back in 2010. Privacy awareness and concerns, however, have massively gained momentum since then, so it is a different situation now. Apple CEO Tim Cook has been asked by two congressmen to provide answers by Feb 29th (even while it is a German link, the lower half with the letter of the congressmen is in English). See also this link.

What has happened: Apple iOS allows apps to access the address book information. Some apps store that information for a long time. And there is no user consent. That is another story within a long line of other weaknesses, like location data provided by iOS (and now patched) and several “data leaks” in Android. However, in Android it depends a little more on the implementation – but overall, it’s the same situation.

Apple responded immediately. Unfortunately, the answer is ridiculous. Apple claims the apps violate the Apple guidelines. Sorry: Apple builds in a data leak by design and then blames the others? Yes, the others like Path are a part of the problem, but the root cause is Apple’s design flaw. Apple has announced to provide a patch. But, even if privacy is a feature that can be added with a patch – it will most likely take some time as usual. And the patch won’t bring your data back.

When looking at the details from the business user perspective, it becomes even worse. You might use Office 365 together with Outlook. That means that Outlook (which makes sense in that closed environment) adds all e-mail addresses to your contacts. However, once you add that account to your iPad, they end up in that device’s local address book. We haven’t yet investigated whether they are also leaked then to other apps, but given that you can use them on your iPad with other apps like the NotePad (“Notizen” in German), this is more than likely. In other words: connecting with iOS to business apps might let your data leak. And many business users will use some of these “malicious” apps.

You still could say it’s only about e-mail addresses. But honestly: do we really know what else might leak in a system with “data leakages by design”?

That raises an important question: can companies allow their employees access corporate information with an iPad or iPhone (or other inherently insecure mobile devices)? You have to decide yourself. But there is an obvious risk. Think about using that in sensitive areas like healthcare or clinical trials in the pharmaceutical industry, where (limited) patient or trial participant data might leak.

It isn’t easy to solve these issues and to make your mobile devices more secure, especially as long as vendors don’t really help you. However there is a place to learn more about this. Mobile privacy & security is a key topic at the EIC 2012. Join our mobile privacy & security expert analysts there and find out, how the reality looks like and why many of the currently proposed solutions like Symantec Wireless Device Security or Cisco AnyConnect are not the answer to your most challenging security questions.

Isn’t it better that we talk about last-generation firewalls instead of next-generation firewalls?

09.02.2012 by Martin Kuppinger

One of the buzzwords that became quite popular during the last few years is “next-generation firewall”. Some startup vendors position themselves in that market segment and established firewall vendors are trying to catch up. But when looking at what next generation firewalls are, I doubt that this term really applies, for two reasons:

One is the question of which role firewalls will play in the future. There is no doubt that we will need some sort of firewalls as part of a multi-layered security concept. However, the firewall as the leading security device at the perimeter isn’t the future. Decentralized firewalls are a logical consequence of the fact that there isn’t a single perimeter anymore. There are perimeters you can define around some network segments or devices, but not for the enterprise. So the role of firewalls is changing and there most likely won’t be that many generations for classical firewalls anymore, but there will be firewall functionality as an integrated feature in other types of devices – and only one of much functionality. By the way: UTM (Unified Threat Management), which frequently is used to describe such devices, is inadequate as well, because they always tackle only some threats. But that’s another topic.

The second and more important reason is another one: The most prominent features like “enhancing the 5-tuple”, adding support for user identities, integration capabilities with other context information, and application awareness, are not what should describe a next-generation firewall. These features should have been there at least ten years ago. Calling something which just adds features that are overdue is not a next-generation thing. I tend to call these last-generation firewalls because they are not innovative at all, compared to the target. They are only innovative compared to ancient technology.

By the way: Enhancing the 5-tuple means that these firewalls have more complex policies, going beyond Source IP, Target IP, Source Port, Target Port, and Protocol. It’s about adding things like application, “user identity” (which commonly is only an Active Directory group or something like that – my understanding of a user identity is somewhat broader), and maybe other attributes.

Back to the topic: I remember having talked about that many years ago. My complaint against classical “1st generation firewalls” (by the way: was there that little innovation in the firewall market that there hasn’t been a second generation before the “next-generation firewalls”?) always has been that it is not about deciding whether a packet is allowed to pass or not but about deciding which packet in the context of which business process and which user is allowed to pass. Notably, even next-generation firewalls only think about applications and are process-agnostic.

So doing that makes sense, given that firewalls are still an important element in security and will remain important, even while they most likely will become more distributed. But this is not about “next-generation”. It is about adding missing features, nothing else. And there are still a lot of things missing even in the next-generation firewalls: knowledge about business processes, integration with risk analytics (understanding the risks of a specific network communication and taking this into account when deciding), optimized and centralized management of hundreds, thousands, or tens of thousands of distributed systems, optimizing the rule sets (that’s where specialized vendors like Tufin come into play), hardware and software solutions to support the needs of distributed next-gen firewall environments, and many more.

So before jumping on technology which claims to be next-generation – and isn’t really – it is time to rethink the approaches on security you are following. And if the argument is that “the network security organization has neither the responsibility nor the authority for enforcing that or that or that” (which I found as a statement in a next-generation firewall report of another analyst company with respect to more advanced user-based access control policies) the answer is not that next-generation firewalls are so good because you wouldn’t be able to manage anything better. The answer is that you should rethink your information security strategy and organization so that you can deal with security the way you need. If the organization doesn’t fit your security needs, change the organization.

This topic shows once again that it is not mainly about technology. It is about understanding security risks, it is about the security organization. Then you can decide about the tools you really need. And then you will be easily able to identify whether something is really next-generation for you, i.e. enabling you to reach the next level in security. If doesn’t help you if something is next-generation for the vendors, but far too late for your needs.

© 2014 Martin Kuppinger, KuppingerCole