Mobile Security: Virtualization on the smartphone

10.10.2013 by Martin Kuppinger

LG recently announced a new platform called GATE that will enable some LG business smartphones to run two mobile operating systems in parallel. LG appears, with this feature, to be reacting to the security concerns many organizations have around BYOD (Bring Your Own Device). Virtualization is one of the smartest options for enhancing the security of mobile devices, as we discussed in the KuppingerCole Advisory Note “BYOD”.

By virtualizing the smartphone and providing two segregated environments, users can access both their business and their private environment, with the business apps operating in a segregated, more secure way in concert with the business backend systems.

I personally like that approach, because it focuses on making the smartphone smart enough for BYOD. Together with additional features such as built-in and improved MDM (Mobile Device Management) support and VPN integration, LG is raising the bar for enterprise-ready smartphones.

However, there is one question LG has left open as of now: which types of strong authentication are supported for access to the smartphone, particularly the business virtual machine? Clearly, segregation makes a lot of sense. But without adequate strong authentication, there is still a security gap.

Overall, it is good to see smartphone vendors making significant progress in security. The bad thing about this is that they should have started with that security evolution years ago. But better late than never.


Microsoft Surface RT: My experience

08.08.2013 by Martin Kuppinger

I’m aware that this is a somewhat tangential post, as there is no relationship to our KuppingerCole topic of Mobile Security, but clearly it fits into the theme of the Computing Troika, i.e. the changes in Business and IT due to the impact of Cloud, Mobile, and Social Computing. However, the main purpose is to share some of my experiences with the Microsoft Surface RT I’ve been using for quite a while now.

I just upgraded to the Windows 8.1 Preview, which is a significant step forward for a simple reason: It includes Microsoft Outlook and I do not need to rely on either the Outlook Web App or the standard Mail app anymore. I will come back to this later.

What I do not like that much with my Surface is the angular design, in contrast to the smoother curves of an Apple iPad. However, my iPad has made it to the living room and is the device of choice for my wife now. I switched to the Surface due to the fact that the iPad was far too limited for my requirements in daily business use, especially when travelling. I need a strong tool for email, calendar, and task management. And I need the ability to not only read Word or PowerPoint documents in the proper formats but also to edit them, including the support for comments and the “track changes” mode of Word. I can do all that with my notebook, but when travelling this is a rather large device to lug around. Tablets are good when I know that I mainly will work on emails plus some other light work, or when I might want to use the Amazon Kindle app. Reading books on my notebook (one of these new convertibles) works, but the device is too heavyweight to really be convenient. So, in other words: I have been looking for a tablet that still provides my work environment. The “big” Surface Pro was not my choice due to its weight and height. I opted for the RT version.

This worked quite well for me. I like some of the features, such as having a classical Windows experience if I like and need to have it, or the USB port. This is so convenient. I remember back at EIC I had to quickly provide a presentation to the technicians. I just put in a USB stick and copied it from Microsoft SkyDrive. I can’t do that with an iPad. Dave Kearns sat beside me and just said: “Why doesn’t Microsoft promote that feature?” The other purpose I use the USB port for is attaching a mouse when I have to work more intensively. It just works.

I also like the fact that the device knows the distinction between a device and a user. This is an important security feature, especially for enterprise deployments – just think about machine and user certificates. I do not need it mandatorily, but it makes sense – and it even makes sense in the living room sometimes, if for instance the children should have limited access.

I feel comfortable with the screen resolution etc. The battery also lasts sufficiently long. Thus, there is – from my perspective – little need to switch to the Pro version of the Surface.

However, there are also some challenges. I do not have 3G support in the device. I solved this by using a mobile WiFi/3G router. This is very convenient, because it works for all of my mobile devices. I also miss one (but only one) app for Windows RT, which is the “Bahn” app provided by the German railway. I have it on my Windows Phone, but not yet for RT.

And then there has been the mail app. This clearly is not the best piece of software Microsoft ever created – it is closer to being one of the worst. After an update it just failed, because my folder structures on Office 365 are too complex for the app. But that has changed now: I have Outlook 2013 now, after upgrading to Windows 8.1 Preview. So I have a tablet with (close to) full Office 2013 capabilities, which makes a great tool for business travel and vacation.

Having been asked by several people about my experience with Microsoft Surface now (being one of the still rare users, obviously), I decided to share that experience in my blog.


Posted in Mobile Security

Apple iOS (and Android): Data Leakage by Design

20.02.2012 by Martin Kuppinger

Recently an old story hit the news again: Apple iOS allows apps free access to the address book, without any user consent. That isn’t really new, however; the story was already told back in 2010. Privacy awareness and concerns have massively gained momentum since then, so it is a different situation now. Apple CEO Tim Cook has been asked by two congressmen to provide answers by Feb 29th (although the link leads to a German page, the letter from the congressmen in its lower half is in English). See also this link.

What has happened: Apple iOS allows apps to access the address book information. Some apps store that information for a long time. And there is no user consent. That is another story within a long line of other weaknesses, like location data provided by iOS (and now patched) and several “data leaks” in Android. However, in Android it depends a little more on the implementation – but overall, it’s the same situation.

Apple responded immediately. Unfortunately, the answer is ridiculous. Apple claims the apps violate the Apple guidelines. Sorry: Apple builds in a data leak by design and then blames the others? Yes, the others like Path are a part of the problem, but the root cause is Apple’s design flaw. Apple has announced that it will provide a patch. But even if privacy were a feature that can be added with a patch, it will most likely take some time, as usual. And the patch won’t bring your data back.

When looking at the details from the business user perspective, it becomes even worse. You might use Office 365 together with Outlook. That means that Outlook (which makes sense in that closed environment) adds all e-mail addresses to your contacts. However, once you add that account to your iPad, they end up in that device’s local address book. We haven’t yet investigated whether they are then also leaked to other apps, but given that you can use them on your iPad with other apps like the Notes app (“Notizen” in German), this is more than likely. In other words: connecting iOS to business apps might let your data leak. And many business users will use some of these “malicious” apps.

You still could say it’s only about e-mail addresses. But honestly: do we really know what else might leak in a system with “data leakages by design”?

That raises an important question: can companies allow their employees to access corporate information with an iPad or iPhone (or other inherently insecure mobile devices)? You have to decide yourself. But there is an obvious risk. Think about using that in sensitive areas like healthcare or clinical trials in the pharmaceutical industry, where (limited) patient or trial participant data might leak.

It isn’t easy to solve these issues and to make your mobile devices more secure, especially as long as vendors don’t really help you. However, there is a place to learn more about this. Mobile privacy and security is a key topic at EIC 2012. Join our mobile privacy and security expert analysts there and find out what the reality looks like and why many of the currently proposed solutions, like Symantec Wireless Device Security or Cisco AnyConnect, are not the answer to your most challenging security questions.


Saying that others are wrong doesn’t make a mobile OS secure

30.11.2011 by Martin Kuppinger

Recently, Chris DiBona published a comment (or blog post or whatever it is) at Google+ bashing a lot of companies and people in the industry. He starts with “people claiming that open source is inherently insecure and that android is festooned with viruses because of that and because we do not exert apple like controls over the app market.” Further down he claims that no major cell phone has a virus problem like Windows or Mac machines have. There are some other harsh statements in the article, especially about vendors in the security space being charlatans and scammers.

Not surprisingly, there has been a flood of press releases and other types of responses by vendors of anti-virus, anti-malware, and other types of security tools.

If you look at the facts, then in my opinion some things are evident:

  • Every type of software is potentially insecure – that includes closed source and open source
  • There are better and worse approaches to dealing with security flaws – and that is unrelated to whether the software is open source or not
  • There is malware attacking Android devices and the number of known issues is growing
  • There are different approaches to marketplaces like the ones for Android and iOS – however, even open marketplaces could use independent test and certification approaches that increase security
  • Yes, vendors are trying to earn money with security solutions for mobile devices and there is marketing in

However, the essential point is: There are security risks, and instead of bashing others the goal should be to mitigate risks. That needs to be done before the security issues become too big. Saying that “If you read a report from a vendor that trys to sell you something based on protecting android, rim or ios from viruses they are also likely as not to be scammers and charlatans.”, to quote Chris DiBona again, is absolutely misleading. The problem might not be as big as some marketeers try to tell us today – but there is a malware problem and there is a need to deal with it. That is not to say that anti-malware on mobile devices is the best choice to solve the problem… And yes, Chris DiBona is technically correct in saying that these usually aren’t viruses but other types of malware. But that’s splitting hairs! So, instead of playing things down, it’s about understanding current and upcoming risks and security needs, and then acting on that – regardless of whether the software is open source or closed source.

I personally believe that it’s worse to play down security issues than to try to identify and address them. And if someone uses the wrong term (like “virus” for something that isn’t a virus), OK – that happens, and “virus” is a term that is commonly used wrongly. But it doesn’t change the fundamental facts: There are security risks for mobile devices. Thus users have to react. Oh, and by the way: I thought we had ended these religious “open source or not” discussions at least five or ten years ago. There is no value in these discussions. There is only value in providing better software.

And when talking about Android, looking at the way it uses information I can only state that it is not the best example of “fair information practice” (to put it carefully). Information security is not only about malware and the like, it is about the way systems deal with information overall. With respect to the way Android deals with GPS locations, SSIDs of available WLANs, and other information, just have a look here (to give you just one example; there is more to be found on YouTube). So again, Google: Do your homework first before you start bashing others.


Posted in Information Security, Mobile Security

Mobile phones and security – still two worlds colliding?

28.10.2011 by Martin Kuppinger

Some days ago I received a new HTC Pro Windows Phone, now running Windows Phone 7.5, the “Mango” release. Overall, I really like that phone. It is smart, it is very easy to configure. I never had a phone which was up and running with access to all mail accounts, calendar, and tasks so quickly. It works pretty seamlessly with Office 365. OK, having Skype on the phone would be great, in particular given that Microsoft owns Skype.

So far, so good. But then you start this phone and are asked for the PIN. But if you just cancel the PIN entry, you have full access to everything which is on that phone. In the out-of-the-box configuration, there is not even a password required. You have to opt for this and change the settings so that the phone requires a password.

I know that there is a balance between usability and security. However, I’d like to have more options for security and I’d like to at least be prompted for decisions about the security when setting up the phone. And there are options you can build in these phones for more security. Biometrics like fingerprints wouldn’t be that difficult to add. Secure stores for sensitive information (sort of TPM++) should be feasible.

But currently it is still about usability first, and then nothing for a very long period of time. Only minimal security. It still looks like security and mobile phones are totally different worlds, living in parallel universes. The bad thing: You might find some software tools (“apps”) to increase security. But hardware security could be built in at reasonable cost; much more could be done. Vendors are still simply ignoring mobile security. And while mandatory security might be inconvenient for many users, optional security (which is still easy to use) might be of value to many of them.


Posted in Mobile Security

Be prepared for BYOD

06.06.2011 by Martin Kuppinger

BYOD: Again one of these acronyms. It stands for “Bring Your Own Device”. You could also say that it stands for IT departments accepting that they’ve lost against their users: they have lost the discussion about which devices shall be allowed in corporate environments. When I travel by train, I observe an impressive number of different devices being used. There are Windows notebooks, netbooks, iPads, iBooks, other types of “pads”, smartphones,…

For a long time corporate IT departments have tried to limit the number of devices to a small list, thus being able to manage and secure them. However, the reality, especially in the world of mobile devices, proves that most IT departments have failed. Certainly, many have restricted access to corporate eMail to Blackberry devices. But many haven’t managed to achieve that target. And the popularity of Apple devices increases the heterogeneity of devices being used by employees.

It increasingly looks like the only solution can be acceptance. Accept that users want to use different types of devices. Accept that innovation, especially around smartphones and pads, is far quicker than corporate IT departments can adapt their management tools.

At first glance that sounds like a nightmare for corporate IT departments. How to manage these devices? How to secure the devices? However, it is not about managing or securing the devices. That would be “technology security”. It is about managing and securing information, i.e. “information security”. It’s about the I in IT, not the T. Thus, we have to look at when to allow access to which information using which tool.

To do this, a simple matrix might be the starting point. The first column contains the classes of devices – notably not every single device. The first row contains the applications and information being used. In the cells you define the requirements, based on the risk score of both the device class and the information. In some cases you might allow access based on secure browser connections, in others you might require the use of virtual desktop connections. In yet others you might end up having to build a specialized app. However, if banks are able to secure online banking on smartphones, why shouldn’t you be able to secure your corporate information on these devices?
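As an added example, not code from the original post, the following Python turns that matrix into an evaluator: device classes and information classes carry assumed risk and sensitivity scores, their product selects a default access path (direct native access, browser over TLS, virtual desktop, or deny), individual cells can be overridden explicitly (for instance with a dedicated app, as in the banking analogy), confidential or higher data requires strong authentication on every path, and any device or information class not in the matrix is denied by default. All class names, scores, thresholds and the sample override are illustrative assumptions, not figures from the post.

```python
"""Risk-based BYOD access matrix (added illustration, not part of the original
post). Device classes, information classes, risk scores, thresholds and the
sample override below are assumptions chosen for illustration."""
from enum import Enum
from typing import Dict, Optional, Tuple


class AccessPath(Enum):
    DENY = "deny"
    NATIVE = "native client, direct access"
    BROWSER = "browser over TLS, no local data"
    VDI = "virtual desktop, data stays in the data centre"
    DEDICATED_APP = "dedicated app with containerised storage"


# Rows of the matrix: classes of devices, not individual devices.
# Higher score = less trustworthy (assumed values).
DEVICE_RISK: Dict[str, int] = {
    "managed corporate notebook": 1,
    "managed corporate smartphone": 2,
    "personal tablet (BYOD)": 3,
    "personal smartphone (BYOD)": 3,
    "shared or public PC": 5,
}

# Columns of the matrix: classes of information, with assumed sensitivity.
INFO_SENSITIVITY: Dict[str, int] = {
    "public web content": 1,
    "internal e-mail and calendar": 2,
    "confidential documents": 3,
    "patient or trial data": 4,
}

# Individual cells may be decided explicitly, e.g. where a dedicated app
# (like a bank's mobile app) is the chosen path. Assumed sample override.
Cell = Tuple[str, str]
SAMPLE_OVERRIDES: Dict[Cell, AccessPath] = {
    ("personal smartphone (BYOD)", "internal e-mail and calendar"): AccessPath.DEDICATED_APP,
}

STRONG_AUTH_FROM = 3  # sensitivity at which strong authentication becomes mandatory


def risk_score(device_class: str, info_class: str) -> Optional[int]:
    """Combined risk of one cell; None if either class is not in the matrix."""
    device = DEVICE_RISK.get(device_class)
    sensitivity = INFO_SENSITIVITY.get(info_class)
    if device is None or sensitivity is None:
        return None
    return device * sensitivity


def required_path(device_class: str, info_class: str, strong_auth: bool = False,
                  overrides: Optional[Dict[Cell, AccessPath]] = None) -> AccessPath:
    """Decide how (if at all) this device class may reach this information class."""
    score = risk_score(device_class, info_class)
    if score is None:
        return AccessPath.DENY  # unknown device or information class: default deny

    if overrides and (device_class, info_class) in overrides:
        decision = overrides[(device_class, info_class)]
    elif score <= 4:
        decision = AccessPath.NATIVE
    elif score <= 6:
        decision = AccessPath.BROWSER
    elif score <= 12:
        decision = AccessPath.VDI
    else:
        decision = AccessPath.DENY

    # Confidential or higher data is never reachable with a PIN or password alone.
    if INFO_SENSITIVITY[info_class] >= STRONG_AUTH_FROM and not strong_auth:
        return AccessPath.DENY
    return decision


def build_matrix(strong_auth: bool,
                 overrides: Optional[Dict[Cell, AccessPath]] = None) -> Dict[str, Dict[str, str]]:
    """Render the whole matrix: device class -> information class -> access path."""
    return {
        device: {info: required_path(device, info, strong_auth, overrides).value
                 for info in INFO_SENSITIVITY}
        for device in DEVICE_RISK
    }


if __name__ == "__main__":
    for device, row in build_matrix(strong_auth=True, overrides=SAMPLE_OVERRIDES).items():
        print(device)
        for info, path in row.items():
            print(f"  {info:30} -> {path}")
```

The score thresholds are deliberately coarse; the point is the structure: classes rather than individual devices, a default decision derived from both risk dimensions, explicit cell overrides where a specialized path is justified, and default deny for anything the matrix does not know.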

You might argue that building apps or deploying desktop virtualization is quite expensive. However, trying to manage all these different devices or trying to restrict the devices allowed is expensive as well – and much more likely to fail. I’m not saying that it is easy to protect your corporate information in a heterogeneous environment supporting BYOD. But it is much more likely to be feasible than managing and securing every single device – given the increasing number of these devices, the speed of innovation, and the simple fact that corporations don’t own all these devices.

Thus it is about preparing for BYOD by providing a set of secure paths to access corporate information and to protect that information – and by understanding how to protect which information where. When you start with BYOD, do it risk-based.


Android attacks – you shouldn’t be surprised

04.03.2011 by Martin Kuppinger

News about a significant number of malicious apps for the Android platform on mobile phones broke yesterday. Many comments still sounded a little surprised. However, there is no reason to be surprised. Today’s mobile phones are insecure by design. The vendors haven’t understood that security is mandatory for long-term success, and they are still selling devices which are as secure as a PC in the mid ’80s of the last century. Unfortunately, these devices are connected and have far more capabilities than the PCs of the early days.

The vendors (and developers of OSes) are just ignoring the need for built-in security. A PIN code is a ridiculous mechanism to protect a device which can hold that much sensitive data and which can be used to access sensitive corporate information. How about biometrics or other types of strong authentication? There are many potential solutions out there for mobile devices which are secure by design and still user-friendly.

In addition to the insecure devices and OSes, the concept of apps itself is insecure. How to manage apps for your corporate users? How to do DLP (Data Leakage Prevention) for apps? The concept of apps is insecure by design as well. Unfortunately, it is a good example of the wrong design principle “function follows form” – it should be “form follows function”. But the concept of apps is about markets and money, about a “cool” concept, and not well thought out, because it isn’t secure (enough).

For organizations, the only consequence can be to review the policies for using mobile devices and massively restrict the professional use of devices which are insecure and have too many capabilities. That requires an analysis of which platforms are allowed for which use cases. You might argue that this won’t work because even the managers want to use their gadgets. Correct, it isn’t a simple task. However, in virtually every country there are laws which require that the board enforces adequate risk management. Using insecure gadgets with access to sensitive corporate information (starting with eMail) is a risk which has to be mitigated, either by restricting the use of gadgets or by providing more secure ways to use them. By not doing so (or even using insecure devices as a board member), legal requirements are ignored. I’d bet that the next hot topic for auditors will be mobile security…

For vendors, these new attacks hopefully are an alert which helps them to understand that security is a key requirement for long-term success in the market. That might lead them to invest more in security which is easy to use.

In the meantime we will see masses of point solutions and services to better protect mobile communication. Be careful with that – some might deliver a real value, others will turn out to be sort of placebos. But in any case, you first should have a strategy and policies for the secure use of mobile devices, before you invest in such point solutions and services.

It will be interesting to observe what happens in the next months. Will vendors wake up? Or will it need more and even more severe incidents for that?


© 2014 Martin Kuppinger, KuppingerCole