20.02.2012 by Martin Kuppinger
Recently an old story hit the news again: Apple iOS allows apps free access to the address book, without any user consent. However, that isn’t really new. The story was told back in 2010. Privacy awareness and concerns, however, have massively gained momentum since then, so it is a different situation now. Apple CEO Tim Cook has been asked by two congressmen to provide answers by Feb 29th (even though it is a German link, the lower half with the letter of the congressmen is in English). See also this link.
What has happened: Apple iOS allows apps to access the address book information. Some apps store that information for a long time. And there is no user consent. That is another story within a long line of other weaknesses, like location data provided by iOS (and now patched) and several “data leaks” in Android. However, in Android it depends a little more on the implementation – but overall, it’s the same situation.
Apple responded immediately. Unfortunately, the answer is ridiculous. Apple claims the apps violate the Apple guidelines. Sorry: Apple builds in a data leak by design and then blames the others? Yes, the others like Path are a part of the problem, but the root cause is Apple’s design flaw. Apple has announced that it will provide a patch. But, even if privacy is a feature that can be added with a patch – it will most likely take some time as usual. And the patch won’t bring your data back.
When looking at the details from the business user perspective, it becomes even worse. You might use Office 365 together with Outlook. That means that Outlook (which makes sense in that closed environment) adds all e-mail addresses to your contacts. However, once you add that account to your iPad, they end up in that device’s local address book. We haven’t yet investigated whether they are also leaked then to other apps, but given that you can use them on your iPad with other apps like the NotePad (“Notizen” in German), this is more than likely. In other words: connecting with iOS to business apps might let your data leak. And many business users will use some of these “malicious” apps.
You still could say it’s only about e-mail addresses. But honestly: do we really know what else might leak in a system with “data leakages by design”?
That raises an important question: can companies allow their employees to access corporate information with an iPad or iPhone (or other inherently insecure mobile devices)? You have to decide yourself. But there is an obvious risk. Think about using that in sensitive areas like healthcare or clinical trials in the pharmaceutical industry, where (limited) patient or trial participant data might leak.
It isn’t easy to solve these issues and to make your mobile devices more secure, especially as long as vendors don’t really help you. However, there is a place to learn more about this. Mobile privacy & security is a key topic at the EIC 2012. Join our mobile privacy & security expert analysts there and find out what the reality looks like and why many of the currently proposed solutions like Symantec Wireless Device Security or Cisco AnyConnect are not the answer to your most challenging security questions.
30.11.2011 by Martin Kuppinger
Recently, Chris DiBona published a comment (or blog or whatever it is) at Google+ bashing a lot of companies and people in the industry. He starts with “people claiming that open source is inherently insecure and that android is festooned with viruses because of that and because we do not exert apple like controls over the app market.” Further down he claims that no major cell phone has a virus problem like Windows or Mac machines. There are some other harsh statements in the article, especially about vendors in the security space being charlatans and scammers.
It is not surprising that there has been a flood of press releases and other types of responses by vendors of anti-virus, anti-malware, and other types of security tools.
If you look at the facts, then in my opinion some things are evident:
- Every type of software is potentially insecure – that includes closed source and open source
- There are better and worse approaches to deal with security flaws – and that doesn’t relate to software being open source or not
- There is malware attacking Android devices and the number of known issues is growing
- There are different approaches to marketplaces like the ones for Android and iOS – however even open marketplaces could use independent test and certification approaches increasing security
- Yes, vendors are trying to earn money with security solutions for mobile devices and there is marketing in
However, the essential point is: there are security risks, and instead of bashing others the goal should be to mitigate risks. That needs to be done before the security issues become too big. Saying that “If you read a report from a vendor that trys to sell you something based on protecting android, rim or ios from viruses they are also likely as not to be scammers and charlatans.”, to quote again Chris DiBona, is absolutely misleading. The problem might not be as big as some marketeers try to tell today – but there is a malware problem and there is a need to deal with it. Not saying that anti-malware on mobile devices is the best choice to solve the problem… And yes, Chris DiBona isn’t correct in saying that these usually aren’t viruses but other types of malware. That’s splitting hairs! So, instead of playing down things, it’s about understanding current and upcoming risks and security needs, and then acting on that – regardless of providing open source or closed source.
I personally believe that it’s worse to play down security issues than to try to identify and address them. And if someone uses the wrong term (like “virus” for something that isn’t a virus), OK – that happens, and “virus” is a term that is commonly used wrongly. But it doesn’t change the fundamental facts: there are security risks for mobile devices. Thus users have to react. Oh, and by the way: I thought we ended these religious “open source or not” discussions at least five or ten years ago. There is no value in these discussions. There is only value in providing better software.
And when talking about Android, looking at the way it uses information I can only state that it is not the best example for “fair information practice” (carefully spoken). Information security is not only about malware and the like, it is about the way systems deal with information overall. With respect to the way Android deals with GPS locations, SSIDs of available WLANs, and other information, just have a look here (to give you just one example; there is more to be found at YouTube). So again, Google: do your homework first before you start bashing others.
28.10.2011 by Martin Kuppinger
Some days ago I received a new HTC Pro Windows Phone, now running Windows Phone 7.5, the “Mango” release. Overall, I really like that phone. It is smart, it is very easy to configure. I never had a phone which was up and running with access to all mail accounts, calendar, and tasks so quickly. It works pretty seamlessly with Office 365. OK, having Skype on the phone would be great, in particular given that Microsoft owns Skype.
So far, so good. But then you start this phone and are asked for the PIN. But if you just cancel the PIN entry, you have full access to everything which is on that phone. In the out-of-the-box configuration, there is not even a password required. You have to opt for this and change the settings so that the phone requires a password.
I know that there is a balance between usability and security. However, I’d like to have more options for security and I’d like to at least be prompted for decisions about the security when setting up the phone. And there are options you can build in these phones for more security. Biometrics like fingerprints wouldn’t be that difficult to add. Secure stores for sensitive information (sort of TPM++) should be feasible.
But currently it is still about usability first and then nothing for a very long period of time. Only minimal security. It still looks like security and mobile phones are totally different worlds, being in parallel universes. The bad thing: you might find some software tools (“apps”) to increase security. But there could be hardware security built in at reasonable cost; much more could be done. But vendors are still just ignoring mobile security. And while mandatory security might be inconvenient for many users, optional security (which is still easy to use) might be of value to many of them.
06.06.2011 by Martin Kuppinger
BYOD: again one of these acronyms. It stands for “Bring Your Own Device”. You could also say that it stands for IT departments accepting that they’ve lost against their users. They have lost the discussion about which devices shall be allowed in corporate environments. When I travel by train, I observe an impressive number of different devices being used. There are Windows notebooks, netbooks, iPads, iBooks, other types of “pads”, smartphones,…
For a long time corporate IT departments have tried to limit the number of devices to a small list, thus being able to manage and secure them. However, the reality, especially in the world of mobile devices, proves that most IT departments have failed. For sure many have restricted the access to corporate eMail to Blackberry devices. But many haven’t managed to achieve that target. And the popularity of Apple devices increases the heterogeneity of devices being used by employees.
It increasingly looks like the solution can only be acceptance. Accept that users want to use different types of devices. Accept that the innovation, especially around smartphones and pads, is far quicker than corporate IT departments can adapt their management tools.
At first glance that sounds like a nightmare for corporate IT departments. How to manage these devices? How to secure the devices? However, it is not about managing or securing the devices. That would be “technology security”. It is about managing and securing information, i.e. “information security”. It’s about the I in IT, not the T. Thus, we have to look at when to allow access to which information using which tool.
To do this, a simple matrix might be the starting point. The first column contains the classes of devices – notably not every single device. The first row contains the applications and information being used. In the cells you define the requirements, based on the risk score of both the device class and the information. In some cases you might allow access based on secure browser connections, in others you might require the use of virtual desktop connections. In others you might end up having to build a specialized app. However, if banks are able to secure online banking on smartphones, why shouldn’t you be able to secure your corporate information on these devices?
You might argue that building apps or deploying desktop virtualization is quite expensive. However, trying to manage all these different devices or trying to restrict the devices allowed is expensive as well – and much more likely to fail. I don’t say that it is easy to protect your corporate information in a heterogeneous environment, supporting BYOD. But it is much more likely to be feasible than to manage and secure any single device – given the increasing number of these devices, the speed of innovation, and the simple fact that corporations don’t own all these devices.
Thus it is about preparing for BYOD by providing a set of secure paths to access corporate information and to protect that information – and by understanding how to protect which information where. When you start with BYOD, do it risk-based.
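The device-class × information matrix described above, worked through as a small policy table in Python. This is an added example, not code from the post or from KuppingerCole: the risk and sensitivity scores, the ordering of the access paths and the thresholds are all constructed for illustration, and the override cell picks up the iPad address-book leak discussed in the first post.

```python
from enum import IntEnum

# Access paths the post names, ordered by how far they keep data off the
# device; the ordering is an assumption made for this example.
class AccessPath(IntEnum):
    SECURE_BROWSER = 1   # TLS browser session, content rendered on device
    VIRTUAL_DESKTOP = 2  # data stays in the data centre, only screen travels
    SPECIALIZED_APP = 3  # dedicated app with its own protected store
    DENY = 4             # combination too risky to allow at all

# Constructed scores (1 = low, 4 = high): risk per device class and
# sensitivity per information class. Real values come from your own review.
DEVICE_RISK = {"managed_notebook": 1, "blackberry": 2,
               "ios_tablet": 3, "android_phone": 4}
INFO_SENSITIVITY = {"public_website": 1, "email": 2,
                    "crm": 3, "patient_data": 4}

def default_requirement(device: str, info: str) -> AccessPath:
    """Derive a cell from both scores: the product ranges from 1 to 16."""
    score = DEVICE_RISK[device] * INFO_SENSITIVITY[info]
    if score <= 3:
        return AccessPath.SECURE_BROWSER
    if score <= 8:
        return AccessPath.VIRTUAL_DESKTOP
    if score <= 12:
        return AccessPath.SPECIALIZED_APP
    return AccessPath.DENY

# Explicit cell overrides where the generic rule is not good enough. Example:
# e-mail on an iPad fills the local address book that other apps can read,
# so demand a dedicated app rather than the default virtual desktop.
OVERRIDES = {("ios_tablet", "email"): AccessPath.SPECIALIZED_APP}

def requirement(device: str, info: str, overrides=OVERRIDES) -> AccessPath:
    """Override wins over the score-derived default; unknown classes fail."""
    if device not in DEVICE_RISK or info not in INFO_SENSITIVITY:
        raise KeyError(f"unclassified device or information: {device}, {info}")
    return overrides.get((device, info), default_requirement(device, info))

def build_matrix(overrides=OVERRIDES) -> dict:
    """Full matrix: (device class, information class) -> required path."""
    return {(d, i): requirement(d, i, overrides)
            for d in DEVICE_RISK for i in INFO_SENSITIVITY}

if __name__ == "__main__":
    for (d, i), path in sorted(build_matrix().items()):
        print(f"{d:17}{i:16}{path.name}")
```

Classifying devices rather than enumerating models is what keeps the table small; a new gadget only needs a class and a score, not a new row.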
04.03.2011 by Martin Kuppinger
The news about a significant number of malicious apps for the Android platform on mobile phones broke yesterday. Many comments still sounded a little surprised. However, there is no reason for being surprised. Today’s mobile phones are insecure by design. The vendors haven’t understood that security is mandatory for long term success and they are still selling devices which are as secure as a PC in the mid ’80s of last century. Unfortunately these devices are connected and have far more capabilities than the PCs of the early days.
The vendors (and developers of OSes) are just ignoring the need for built-in security. A PIN code is a ridiculous mechanism to protect a device which can hold that much sensitive data and which can be used to access sensitive corporate information. How about biometrics or other types of strong authentication? There are many potential solutions out there for mobile devices which are secure by design and still user-friendly.
In addition to the insecure devices and OSes, the concept of apps itself is insecure. How to manage apps for your corporate users? How to do DLP (Data Leakage Prevention) for apps? The concept of apps is as well insecure by design. Unfortunately, it is a good example for the wrong design principle “function follows form” – it should be “form follows function”. But the concept of apps is about markets and money, about a “cool” concept and not well-thought, because it isn’t secure (enough).
For organizations, the only consequence can be to review the policies for using mobile devices and massively restrict the professional use of devices which are insecure and have too many capabilities. That requires an analysis of which platforms are allowed for which use cases. You might argue that this won’t work because even the managers want to use their gadgets. Correct, it isn’t a simple task to do. However, in virtually every country there are laws which require that the board enforces an adequate risk management. Using insecure gadgets with access to sensitive corporate information (starting with eMail) is a risk which has to be mitigated by restricting the use of gadgets or by providing more secure ways to use them. By not doing so (or even using insecure devices as a board member), legal requirements are ignored. I’d bet that the next hot topic for auditors will become mobile security…
For vendors, these new attacks hopefully are an alert which helps them to understand that security is a key requirement for long term success in the market. That might lead them to invest more in security which is easy to use.
In the meantime we will see masses of point solutions and services to better protect mobile communication. Be careful with that – some might deliver a real value, others will turn out to be sort of placebos. But in any case, you first should have a strategy and policies for the secure use of mobile devices, before you invest in such point solutions and services.
It will be interesting to observe what happens in the next months. Will vendors wake up? Or will it need more and even more severe incidents for that?