Android meets Company – Is this really a good Combination?
Smartphones and tablet computers are no longer indispensable from the corporate life. Now, they don´t serve for communication purposes only but are often used for the processing of business related documents and even for access to sensitive corporate resources. This evolution demonstrates that mobile devices will be the future within every organization.
One of the major players in the battle for market share is Google and its Android OS. This OS is mainly open-source, there are a lot of developers and manufacturers available that produce helpful and futuristic apps and, most important, the devices are often cheaper as compared to Apple or BlackBerry. But there is also a large amount of disadvantages and problems that come together with the afore mentioned advantages.
(I) Probably the biggest headache for your security stuff is caused by the vulnerability handling of Android device manufacturers:
A simple example that happened some months ago: A large device manufacturer had a severe vulnerability (RCE with system rights) in one of its default apps that are installed on the device. This vulnerability was disclosed publicly and PoC’s have been available very fast. The manufacturer then announced to trusted companies that he is developing a patch and is sending out this patch within days. After three weeks there has been an information that patches for the latest models (newer than 2 years) have shipped and that users should apply the updates. The main problem was, that not all devices on the list of the manufacturer really got the update (and the manufacturer is still trying to find out why) and that this update has been displayed to the user just with “Security Policy Update installed” and no word about which vulnerabilities are now fixed or that this is not a new security policy from the companies MDM system. Furthermore, this update can’t be detected within the MDM, so the security people have no idea which smartphone is still vulnerable.
As already described above, the update policies are very bad. Google is patching their Nexus devices really quickly (often quicker than anybody else) and for a long time (approximately 3-4 years). This is something a company can deal with. Devices are most often used for 3 years and only rarely for 4 years or even longer.
The problem is what other manufacturers do with the updates from Google. They have to apply the updates to every modified version of their own Android system that is shipped to the customers. In the worst case, this means that a large manufacturer would have to implement the fix from Google to more than 50 versions of his shipped OS. This is not done currently and hopefully it will change with the new Stagefright vulnerability. Now, most manufacturers guarantee one major update per lifetime of the device or for specific devices they promise support for 2 years starting with the release of the smartphone, which is just too short for larger companies. And to make it even worse, in some countries (Germany is one of it) the network operators changed that OS, too. So even if the manufacturer is implementing every fix to every OS version, the network operator has to do the same.
When you keep this in mind, you will very soon understand why a very large amount of devices is vulnerable to attacks even if Google has fixed this months ago.
There are a lot more problems (like missing security advisories or device management issues), but also some really great advantages that I will discuss with you at this years (ISC)2 EMEA Conference in Munich.
Happy to see you there!