MOBILE SECURITY: OVERCOMING PREVALENT THREATS AND CHALLENGES INSIDE AND OUTSIDE AN ENTERPRISE
INTRODUCTION

Mobile devices are the driving force behind world economies today. Leading research firm Gartner predicts that worldwide combined shipments of devices (PCs, tablets, ultramobiles and mobile phones) will reach 2.5 billion units in 2015, a 1.5 percent increase from 2014 [1]. As smart phones and tablets become ubiquitous, there has been unprecedented growth in the number of mobile applications that are free to download. With this spurt of innovative and feature-rich applications comes the real threat of malicious applications that can play havoc with the user's data on mobile devices. The threats can stem from security risks in the applications themselves, loopholes in the mobile operating system, or risks in network access. Malicious applications and vulnerabilities in network access and mobile operating systems can expose sensitive user data such as photos, email, contact lists, calendar details, call records and messages to attackers. Device rooting, i.e. acquisition of complete administrator rights on a device, also gives malicious applications the ability to access sensitive information on end-user devices. Apart from the threat to data stored on the device, data exchanged on the network between mobile applications and their backend servers is also at risk: if that channel is not secured, the data can be read or altered in transit.

With a large number of enterprises adopting BYOD to improve employee productivity, enterprises face the same mobile security challenges. The implications of a malicious attack on devices are a major concern for enterprises. Two recent examples are the Exynos kernel exploit for Android and the evasi0n jailbreak for iOS, both discussed later in this paper. Device OEMs are adopting technologies such as Mobile Device Management (MDM) and Mobile Application Management (MAM) to cope with these threats.

In these circumstances, mobile security is the need of the hour as the mobile security ecosystem continues to evolve. While end-users and enterprises work towards overcoming various mobile security threats, the fact is that malicious applications and attacks continue to breach mobile device security at all levels.

Most smart phone OEMs provide accounts to device owners on private clouds where they can store personal data such as photos and documents. Accessing this data over the internet from unsecured Wi-Fi networks puts the data stored in the cloud at risk as well.

This paper looks at the key challenges and risks prevailing in the mobile security space in both the B2E and B2C domains. It also explores the evolving mobile security technologies that stakeholders should employ to safeguard their devices, personal data and businesses against mobile security threats.
Figure 1 - Mobile Security Ecosystem (diagram: on the B2E side an employee's device is managed by an MDM server, with data transferred via the MDM server over SSL or a secure tunnel; on the B2C side a consumer's device uses secure chat, Tor Project and Guardian Project software; the device hosts trustlets and secure elements; traffic between the VPN server and the internet is encrypted)
MARKET OVERVIEW

Current Trends in Mobile Security

The mobile security market is flooded with technologies to address mobile security needs. According to Infonetics Research, mobile device security client software will be a $3.4 billion market by 2018, up from $1.3 billion in 2013. This growth is primarily driven by demand from enterprises to address concerns related to mobile security threats. Enterprises need to evaluate technology maturity and select security solutions that not only satisfy their requirements but are efficient and integrate with the existing enterprise infrastructure. The solutions must also have buy-in from the employees on whose devices they will be deployed.

Enterprises and consumers are investing real money in mobile device security (chart: global revenue in US $ billions, $1.3 billion in 2013 rising to $3.4 billion in 2018. Copyright Infonetics Research, Mobile Device Security Client Software Biannual Market Size and Forecasts, April 2014)

An analysis by Forrester indicates that enterprises will adopt emerging technologies such as mobile VDI, containers, app wrapping and device virtualization to deliver personal-to-corporate segregation, in contrast to more conventional solutions such as Mobile Device Management (MDM), which will increasingly be perceived as a "heavy-handed approach" to managing employee devices. The challenge with many of these technologies is that they diminish the user experience, which may become the single biggest barrier to their adoption.
SECURITY LOOPHOLES WITH MOBILE PLATFORMS AND APPLICATIONS

Mobile platforms and the applications that run on them have inherent security loopholes, most of which remain hidden from end-users, whether those end-users are corporate employees or consumers of smart devices. This section discusses some of the security loopholes present in mobile operating systems and applications that have the potential to cause tremendous harm to the end-user's privacy and data. It also suggests best practices that developers can adopt to prevent misuse of these loopholes.

Figure 2 - Security Loopholes (diagram: malware, unsafe coding practices, jailbreaking, deobfuscation and decompilation)
Application Loopholes

Malware: Malware consists of applications that exploit mobile platform vulnerabilities to gain operating system (root) privileges, disrupt normal operations, or collect sensitive and private information without explicit permission. On iOS, the evasi0n jailbreak released by the 'evad3rs' team in February 2013, and its successor evasi0n7 for iOS 7.x, are often cited in this context. Strictly, a jailbreak tool is not malware; it is a tool the owner runs deliberately. Within an hour of its release evasi0n7 was reported to be incompatible with some of the apps offered in Cydia, the app store for jailbroken devices, which shows how little assurance such tools come with. The security-relevant point is that once the jailbreak has disabled code signing and the sandbox, every application on the device, including malware, inherits that freedom.

One example of an Android vulnerability used by malware is the Exynos exploit disclosed in December 2012 (CVE-2012-6422). A kernel memory device on Samsung's Exynos chipset was left readable and writable by any application, so an application with no special permissions could read and modify all of physical memory (RAM) and thereby gain full control of the device, for example to disable security features or install further malware. Affected devices included the Samsung Galaxy SII, Galaxy SIII and Galaxy Note models built on the Exynos chipset.

Another class of malware executes malicious code outside the application sandbox because it has obtained root privileges. Such malware can turn applications into key loggers and screen-capture tools that send all captured data to attacker-controlled servers.

Unsafe Coding Practices: Indiscriminate use of the rich features provided by mobile platforms such as Android, in particular intents, permissions and WebViews, can introduce vulnerabilities. Developers need to understand and adopt secure application development practices to avoid such loopholes. Using these features without sufficient knowledge of their security implications, developers can unknowingly introduce vulnerabilities that lead to catastrophic failures. Recommendations for secure coding practices are discussed below.

Intents: Intents are Android's mechanism for inter-application and intra-application communication by message passing. Used incorrectly, they become an attack surface. The content of messages can be sniffed, modified, stolen or replaced by malicious third-party applications, compromising user privacy, and malicious applications can inject forged messages that lead to data breaches and security policy violations. Tools exist that exploit incorrect use of intents; an intent sniffer, for example, can observe intents when:

- the intent is implicit (it names an action rather than a specific component), so any application that registers a matching intent filter can receive it; explicit intents are delivered only to the named component
- the intent starts an activity with the NEW_TASK flag, which makes the launching intent observable through the activity manager's recent-task information

Application Permissions: Android applications request permissions from the operating system to access the resources they need: resources that cost money, such as SMS or phone calls; resources that hold users' private data, such as location and contacts; and device resources such as Bluetooth and Wi-Fi. Historically these were granted in full at install time (Android 6.0 and later grant dangerous permissions at runtime, but the principle below is the same). Requesting more than the application needs results in an over-privileged application, which increases the threat to it: an attacker who compromises the application gains access to every protected resource it holds and can exploit platform vulnerabilities reachable only through those permissions. The issue has two aspects:

- the developer who creates an application with an overly permissive manifest
- the end-user who grants the application access to resources it does not plausibly need

Attackers take advantage of both lapses to gain access to protected resources on the device. To avoid this, grant only the minimum permissions an application requires.
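The intent problem described above, shown as code. This is an added example of Android application code and is not from the paper; the action name, permission name and package are hypothetical. It contrasts an implicit broadcast that leaks a session token to any app with a matching receiver against the explicit, permission-protected form, and shows the receiving side declining forged input.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

public final class TokenBroadcasts {
    // Hypothetical action and permission names for this example.
    static final String ACTION_TOKEN_READY = "com.example.vault.TOKEN_READY";
    // Assumed to be declared in AndroidManifest.xml as
    //   <permission android:name="com.example.vault.permission.INTERNAL"
    //               android:protectionLevel="signature"/>
    // so only applications signed with the same key as this app can hold it.
    static final String PERM_INTERNAL = "com.example.vault.permission.INTERNAL";

    interface TokenSink { void accept(String token); }

    // VULNERABLE: an implicit broadcast. Every installed application that declares an
    // exported receiver with <action android:name="com.example.vault.TOKEN_READY"/> in its
    // intent filter receives the token, and needs no permission to do so. This is exactly
    // the case an intent sniffer records.
    static void publishTokenInsecure(Context ctx, String token) {
        Intent i = new Intent(ACTION_TOKEN_READY);
        i.putExtra("token", token);
        ctx.sendBroadcast(i);
    }

    // HARDENED: restrict delivery to this package (setPackage; setClass would pin it to one
    // receiver component) and additionally require the receiver to hold the signature-level
    // permission. Either measure defeats a third-party sniffer; the permission also lets the
    // receiver side prove who may send to it.
    static void publishTokenSecure(Context ctx, String token) {
        Intent i = new Intent(ACTION_TOKEN_READY);
        i.setPackage(ctx.getPackageName());
        i.putExtra("token", token);
        ctx.sendBroadcast(i, PERM_INTERNAL);
    }

    // Receiving side. The third argument makes Android deliver to this receiver only
    // broadcasts whose sender holds PERM_INTERNAL, which blocks forged intents from other
    // apps (the manifest equivalent is android:permission on the <receiver>, together with
    // android:exported="false" when no other app needs to reach it). Extras are still
    // validated before use, because a receiver should not trust its input.
    static BroadcastReceiver registerTokenReceiver(Context ctx, final TokenSink sink) {
        BroadcastReceiver r = new BroadcastReceiver() {
            @Override public void onReceive(Context c, Intent intent) {
                if (!ACTION_TOKEN_READY.equals(intent.getAction())) return;
                String token = intent.getStringExtra("token");
                if (token == null || token.isEmpty() || token.length() > 512) return;
                sink.accept(token);
            }
        };
        ctx.registerReceiver(r, new IntentFilter(ACTION_TOKEN_READY), PERM_INTERNAL, null);
        return r;
    }
}
```

For data that never needs to leave the process, an in-process event mechanism (such as LocalBroadcastManager in the support library) avoids the system broadcast path entirely, which is the simplest way to take intents off the attack surface.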
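The least-privilege check recommended above can be automated before an application ships or is admitted to an enterprise catalogue. The following is an added example, not from the paper: a plain Java SE audit that parses an AndroidManifest.xml, lists the permissions requested, and reports the sensitive ones that the application's stated purpose does not justify. The manifest is constructed for the example, and the allowlist represents what a hypothetical contacts backup app can justify; the permission names themselves are real Android permissions.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import java.io.StringReader;
import java.util.*;

public final class ManifestPermissionAudit {
    // Constructed sample manifest: a contacts backup app that also asks for SMS, call log,
    // location and camera access, none of which its feature set needs.
    static final String SAMPLE_MANIFEST =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n" +
        "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\"\n" +
        "          package=\"com.example.contactsbackup\">\n" +
        "  <uses-permission android:name=\"android.permission.INTERNET\"/>\n" +
        "  <uses-permission android:name=\"android.permission.READ_CONTACTS\"/>\n" +
        "  <uses-permission android:name=\"android.permission.SEND_SMS\"/>\n" +
        "  <uses-permission android:name=\"android.permission.READ_CALL_LOG\"/>\n" +
        "  <uses-permission android:name=\"android.permission.ACCESS_FINE_LOCATION\"/>\n" +
        "  <uses-permission android:name=\"android.permission.CAMERA\"/>\n" +
        "  <application android:label=\"Contacts Backup\"/>\n" +
        "</manifest>\n";

    // The three classes of permission named in the text: cost money, private data, device
    // hardware. Real Android permission names; the list is illustrative, not exhaustive.
    static final Set<String> SENSITIVE = new HashSet<>(Arrays.asList(
        "android.permission.SEND_SMS", "android.permission.CALL_PHONE",
        "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
        "android.permission.READ_CALL_LOG", "android.permission.READ_CALENDAR",
        "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
        "android.permission.BLUETOOTH_ADMIN", "android.permission.CHANGE_WIFI_STATE"));

    // What this hypothetical app's features actually justify (assumption for the example).
    static final Set<String> ALLOWLIST = new HashSet<>(Arrays.asList(
        "android.permission.INTERNET", "android.permission.READ_CONTACTS"));

    static List<String> requestedPermissions(String manifestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // A manifest never needs a DOCTYPE; refusing one closes the XXE and entity-expansion
        // door when the audit is run over untrusted APK contents.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new InputSource(new StringReader(manifestXml)));
        NodeList nodes = doc.getElementsByTagName("uses-permission");
        List<String> out = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            String name = ((Element) nodes.item(i)).getAttribute("android:name");
            if (!name.isEmpty()) out.add(name);
        }
        return out;
    }

    // Over-privilege = requested, sensitive, and not justified by the allowlist.
    static List<String> excessPermissions(String manifestXml, Set<String> allow) throws Exception {
        List<String> excess = new ArrayList<>();
        for (String p : requestedPermissions(manifestXml)) {
            if (SENSITIVE.contains(p) && !allow.contains(p)) excess.add(p);
        }
        return excess;
    }

    public static void main(String[] args) throws Exception {
        List<String> excess = excessPermissions(SAMPLE_MANIFEST, ALLOWLIST);
        System.out.println(excess.isEmpty() ? "manifest follows least privilege"
                                            : "over-privileged: " + excess);
    }
}
```

For the constructed manifest the audit flags SEND_SMS, READ_CALL_LOG, ACCESS_FINE_LOCATION and CAMERA; INTERNET is not in the sensitive set and READ_CONTACTS is justified by the app's purpose. The same check can be pointed at the manifest extracted from a third-party APK before it is approved for enterprise distribution.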
WebViews: WebViews in Android provide the same functionality as a web browser, with control over how and what to display. These embedded browsers can pose a threat to application security because they allow web content to interact with the application: Android lets JavaScript running in a WebView invoke application code. A well known example is the remote code execution vulnerability in Android 4.1 and below (CVE-2012-6636), caused by the 'addJavascriptInterface' API, which exposes the public methods of a Java object to the JavaScript loaded in the WebView. Through Java reflection, script could reach any class on the device and run arbitrary code, escalate privileges, extract user data or load malware. There are several ways for malicious JavaScript to enter the application through a WebView:

- the application requests content from its server over plain text (HTTP), so anyone on the network path can inject script
- the application loads third-party content, including ads or content from partner websites
- the application has a persistent cross-site scripting vulnerability

To avoid such vulnerabilities, developers must:

- avoid calling setJavaScriptEnabled() on a WebView unless JavaScript is actually needed
- build against, and target, Android API level 17 or higher, and annotate only the methods intended for script with @JavascriptInterface; note that the restriction is enforced only on devices running Android 4.2 or later, so on older devices the interface should not be added at all
- send all traffic over SSL/TLS and never ignore certificate errors

Un-obfuscated and Poorly Obfuscated Applications: Most application developers are unaware of the threat to their source code. Attackers can easily recover code and the call flow of an application using decompilers and dynamic code analyzers; these tools reverse engineer and hook Dalvik byte code, examine process state, and produce logs and detailed reports of the application's behaviour. Obfuscation reduces the risk of exposing the application's call flow and makes recovering the code in its original form harder. Basic techniques such as renaming methods, parameters and variables to short or meaningless strings do not make the source code safe; they only remove names. Advanced obfuscation techniques (such as control-flow flattening and string encryption) are required to counter the techniques used by decompilers and make it tougher for attackers to obtain usable source code.

Operating System Loopholes

If the OS allows jailbreaking and there are forums such as Cydia for iOS that offer applications for jailbroken devices, people will be tempted to root their devices and install such applications.

Jailbreaking an Android or iOS device might lead to bricking of the phone or installation of full-scale spyware. While jailbreaking makes otherwise unavailable features and device management options available to the end-user, it opens the following loopholes in the operating system that attackers can take advantage of:

- an application that has obtained root privileges steps outside the application sandbox, so its declared feature set and granted permissions no longer constrain it, leaving the device open to misuse
- applications for rooted phones are almost never from credible companies or groups and are usually created by amateurs; more often than not they contain sloppy code with vulnerabilities of its own
- some jailbreaking methods leave an SSH server enabled on the device with a well known default root password (such as 'alpine'), so anyone who can reach the device on the network can control it
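The WebView recommendations given earlier in this section, shown as Android application code. This is an added example and not from the paper; the host name and bridge class are hypothetical. The first method reproduces the pattern behind the addJavascriptInterface remote code execution; the second applies the three recommendations together with a pinned host and strict certificate handling.

```java
import android.net.http.SslError;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.SslErrorHandler;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URI;
import java.net.URISyntaxException;

public final class WebViewHardening {
    // Hypothetical host that this screen is meant to show.
    static final String ALLOWED_HOST = "content.example.com";

    // VULNERABLE. With targetSdkVersion below 17, or on any device running Android below 4.2,
    // every public method of the object passed to addJavascriptInterface is callable from page
    // JavaScript, including getClass(), from which script can reach java.lang.Runtime through
    // reflection and execute commands. Loading the page over plain HTTP means anyone on the
    // path (for example on an open Wi-Fi hotspot) can inject that script.
    static void configureInsecure(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new Object(), "bridge");
        wv.loadUrl("http://" + ALLOWED_HOST + "/start");
    }

    // The bridge exposes exactly one method on purpose. With targetSdkVersion >= 17 running
    // on Android 4.2 or later, only methods carrying @JavascriptInterface are reachable.
    static final class Bridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }

    // HARDENED: JavaScript only when needed, bridge only where the annotation is enforced,
    // no file access, HTTPS only, navigation pinned to one host.
    static void configureSecure(WebView wv, boolean pageNeedsJavaScript) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(pageNeedsJavaScript);
        s.setAllowFileAccess(false);                         // page content cannot read file://
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        // Offer the bridge only where the @JavascriptInterface restriction is enforced.
        if (pageNeedsJavaScript && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            wv.addJavascriptInterface(new Bridge(), "bridge");
        }
        wv.setWebViewClient(new WebViewClient() {
            // Block navigation to anything that is not https on the expected host.
            @Override public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(url);   // returning true cancels the load
            }
            // Never call handler.proceed() here: accepting a bad certificate is exactly
            // what a man-in-the-middle on open Wi-Fi needs.
            @Override public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.cancel();
            }
        });
        wv.loadUrl("https://" + ALLOWED_HOST + "/start");
    }

    // Scheme and host allow-list; plain Java so it can be unit-tested off the device.
    static boolean isAllowed(String url) {
        try {
            URI u = new URI(url);
            return "https".equalsIgnoreCase(u.getScheme()) && ALLOWED_HOST.equalsIgnoreCase(u.getHost());
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```

The API level check matters because the @JavascriptInterface restriction depends on both the build (targetSdkVersion at least 17) and the device (Android 4.2 or later); a build setting alone does not protect users on older devices, so the hardened path simply withholds the bridge there.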
SECURING THE MOBILE APPLICATION

As responsible users, both enterprises and end-users need to be aware of the techniques and best practices that keep their device and data secure when mobile devices are used to access enterprise or personal data. Enterprise employees and end-users are not a disjoint set: end-users become enterprise users, on the office premises or outside, whenever they access enterprise applications and data from their personal devices. This section describes the different technologies being used to implement mobile security inside the enterprise as well as outside it.

Mobile Device Management (MDM) is the management technique enterprise IT uses to manage enterprise data security at the device level, while Mobile Application Management (MAM) and containerization manage mobile application security for both enterprise users and end-users. MDM enforces device security by implementing policies that give the organization's IT department control over the device. Containerization is a management approach that gives each application an isolated and secure environment on the device. MAM solutions help in acquiring, distributing, securing and tracking mobile applications; they allow organizations to manage each lifecycle activity of an application, from purchasing and developing to securing, distributing and tracking installation.

Securing the Device through Mobile Device Management

Mobile Device Management (MDM): MDM is to mobile devices what traditional IT management was to enterprise desktops and laptops. As more enterprises make corporate applications accessible to employees over mobile devices, the biggest challenge IT departments face today is to secure corporate data on employee devices and ensure secure access to the corporate network from them. BYOD adds a further challenge: managing corporate data on personal devices without interfering with the user's personal data.

Most enterprises today use some form of MDM to secure, monitor, manage and support the mobile devices their employees use. MDM solutions enable IT to provide employees with access to corporate resources and applications (email, time logging, the enterprise social network) from their mobile devices. To protect corporate applications and data, MDM solutions leverage the security services and features provided by the mobile operating system or the device OEM. IT organizations also implement additional controls such as device passwords and remote lock and wipe for the event of device loss.

Securing the Application through Mobile Application Management and Containerization

While an MDM solution manages policies at the device level, it may not be sufficient to provide security at the application level, and it does not always adapt well to BYOD or win end-user acceptance. For example:

- passcode strength may be enforced by IT but resisted by enterprise users because complex passwords are inconvenient
- a lock-and-wipe action may wipe the user's entire personal data along with the corporate data

This is where Mobile Application Management (MAM) fills the gap by providing security at the application level. One way to protect mobile application data is a container-based approach, where a separate container is created for storing enterprise application data. This provides a secure environment on the device for enterprise data while leaving end-user data fully accessible to third-party applications. It enables enterprises to respect each employee's privacy by applying policies to corporate applications only, and to apply device management operations (wipe and lock) exclusively to the corporate data.

Another way to provide application-level security is to add a security wrapper or management layer on top of a mobile application. The advantage of this approach is that it requires no changes to the underlying application, so it can be applied both to in-house enterprise applications and to applications from the platform's app store. The wrapper lets a MAM administrator set policy elements for an application or a group of applications: for example, whether user authentication is required for a specific application, whether data associated with the application may be stored on the device, or whether specific operations such as copy and paste or file sharing are allowed. This lets organizations tailor their own mobile workflows while supporting app-to-app interoperability and end-to-end security.
Securing the Operating System through TrustOS

TrustOS: Data on a mobile device can also be secured using a specialized operating system, referred to here as TrustOS, that is separated by hardware from the main operating system. This ensures secure data storage and processing by maintaining the integrity and confidentiality of key resources, such as the user interface and service provider assets, in a Trusted Execution Environment (TEE). Trusted applications, or trustlets, running in a TEE have access to the full power of the device's main processor and memory, while hardware isolation protects them from user-installed applications running in the main operating system. The Sam-sung Galaxy SIII was the first mobile phone to use ARM TrustZone technology to host and run a secure micro-kernel on the application processor. The security-critical applications that run inside TrustOS (trustlets) are developed by third parties such as banks and content providers. The trustlet software development kit includes libraries to develop, test and deploy trustlets, as well as Android applications that communicate with the relevant trustlets through a Trust API for Android. A trustlet enables a mobile application to process and store sensitive data securely, and provides secure authentication and secure interaction with both users and cloud services. One caveat: the TEE protects the trustlet's secrets and logic, not the rich-OS application that talks to it. A compromised Android application can still invoke whatever operations the trustlet exposes, so the trustlet interface has to be designed on the assumption that its caller may be hostile.

Building security into the rich operating system's architecture

Popular operating systems such as Android are evolving to solve the security issues in their architecture. Android Lollipop added the following features to make its environment more secure:

Device sharing with a guest: Guest user mode secures the owner's personal data by isolating it from a new user, who might be an attacker or simply a naive user. Android Lollipop also allows the guest account to be disabled and deleted once the guest is done.

Data sharing with other devices

Smart Lock: This feature lets the user configure the device to stay unlocked only in the presence of a trusted device, such as a paired Bluetooth device or an NFC tag, or in a trusted location.

Encryption: Starting with Android Lollipop, the system offers to enable full-disk encryption when a device is started for the very first time. When a boot-time password is configured, the system requests it on every restart and the device does not start without it. The feature was present in earlier versions of Android but was disabled by default.

Other methods to secure an OS

Hypervisors: Type 1 hypervisors can be used on Android handsets to create two virtual phones running simultaneously on the same physical hardware. One virtual phone instance is for personal use, running Facebook, Twitter and other personal applications; the other runs all the enterprise applications on the device.

Desktop-as-a-Service (DaaS): DaaS uses virtualization to solve the BYOD puzzle without virtualizing the phone itself. Instead, the user's desktop computer is virtualized and delivered as a service, so the virtual desktop can be accessed from different devices, from a physical desktop or laptop to a tablet or smart phone, and corporate data stays in the data centre rather than on the device.
Securing the Application Data Exchanged on the Network (VPN/SSL)

With the proliferation of the internet, providing web access within the office premises and offering facilities such as working from home and access to webmail became a mandate for enterprises. This led to corporate information being dynamically posted to the web, making data leak protection and application control extremely critical. Enterprises had to adapt to this changing environment and use network security technologies such as VPNs and SSL/TLS connections to meet user demands for information access safely. MDM secures the corporate data it handles on the network by encrypting the communication between the MDM client and the MDM server with SSL/TLS, so that third parties cannot read sensitive data exchanged over the internet. MDM solutions also provide robust authentication and identity management, as both the device population and the user base change rapidly. By unifying MDM with a secured VPN gateway, enterprises can ensure that only compliant devices are allowed onto the corporate network. Compliance policies for corporate-owned mobile devices reside on the MDM servers; when a device attempts to connect to the corporate network, its compliance is checked. This prevents users from simply installing a VPN client on an unmanaged device and using it to reach organization resources, and the security gateway can also block unknown devices belonging to valid users.
Securing the Application from Peripheral Devices (BT/Wi-Fi/Wi-Fi Direct/USB)

While smart peripheral devices such as Wi-Fi-enabled music players, Bluetooth-enabled fitness wearables and gaming peripherals enhance the functionality of smart phones, they also pose a major security threat to the user data stored on the phones and tablets they connect to. According to a study, 25 percent of malware is spread through peripheral devices. The security threats associated with each kind of peripheral interface are discussed below.

USB: The USB interface on a mobile device is used to transfer files between the device and a PC or laptop, or between the device and a USB flash drive through USB On-The-Go (OTG). Since the firmware of most USB devices is neither code-signed nor tamper-proof, malware can be hidden inside it. Such malware may be impossible to detect with anti-virus scans because it is the code running the device itself. It can play havoc with the data on the device the USB peripheral is connected to, from siphoning data off to a chosen network to wiping the device. Major threats arising from malicious USB firmware include:

- firmware that presents itself as a keyboard and sends key presses to the device or computer, as if someone were typing
- a USB device with its own internet connection that presents itself as a network adapter or router and relays traffic from the device or PC to a malicious server
- juice jacking, i.e. gaining access to a phone while it charges through the standard USB connector or Apple's proprietary cable at a public charging kiosk, using the data lines of the charging cable to read the phone's data or inject malicious code; the attack can range from a simple privacy invasion, when the phone pairs with a computer concealed within the kiosk, to injection of malicious code directly into the device

Bluetooth: Bluetooth headsets add to the user's comfort but can also lead to security threats. A smart phone with Bluetooth on and set to discoverable is visible not only to the headset but to all other devices in its vicinity, and attackers can use Bluetooth to connect to the device and access the sensitive data stored on it.

Bluetooth can also form ad-hoc networks of up to eight devices, called piconets, which are useful when co-located users want to communicate using their own compatible devices. This technology and the associated devices are susceptible to the usual wireless networking attacks: bluejacking, bluesnarfing, bluebugging, the Cabir worm, denial of service and man-in-the-middle. These attacks expose the vulnerability of Bluetooth devices and give phone hackers, or "phreakers", an undue advantage, leading to privacy invasion and loss of integrity and availability. The threats that lead to the most serious breaches are:

- Bluebugging: the attacker connects to the target device without alerting its owner and steals information by issuing AT (attention) commands to the phone's GSM modem over a Bluetooth serial connection. Using these commands the attacker can read or send text messages to contacts, or infect the target device by slipping in a Bluetooth virus or worm.
- Man-in-the-middle (MITM) or impersonation attack: the attacker accesses and modifies data inside the piconet by relaying authentication messages between two devices that are trying to pair, so as to authenticate without knowing the shared secret key. By sitting between the two devices, the attacker tricks each into believing it is paired with the other when in fact both are paired with the attacker.

Wi-Fi: Open Wi-Fi networks are unsecured and vulnerable to attack. A user who connects to an open network cannot know who else is on it. Free Wi-Fi in public areas such as cafes, restaurants, shopping malls and airports is an excellent place for harvesting passwords. Attackers can read any unencrypted traffic, including plaintext passwords, email not protected by TLS, unencrypted FTP, websites without SSL/TLS, search queries and the domains visited (whether or not the content itself is encrypted). A more advanced attacker might set up an active proxy to perform attacks such as SSL stripping, which silently downgrades a site's HTTPS links to HTTP for the victim and so exposes sites visited through the open Wi-Fi network, including ones that are normally HTTPS, along with the passwords and financial information entered into them. Sites that enforce HTTPS with HSTS (preferably preloaded in the browser) are the exception, because the browser refuses the plaintext connection.

Wi-Fi Direct: Another game-changing technology is Wi-Fi Direct, which lets Wi-Fi devices connect to one another without joining a traditional home, office or hotspot network. While Wi-Fi Direct has various benefits, especially for consumer devices, it may introduce unforeseen security threats in an enterprise setting. A known issue (CVE-2014-0997) allows an attacker to crash vulnerable Android smartphones while they scan for other Wi-Fi Direct devices, causing a reboot, i.e. a denial of service. According to the published analysis, a specially crafted 802.11 Probe Response frame causes the Dalvik subsystem to reboot because of an unhandled exception in the WifiMonitor class. The bug was confirmed to affect a subset of Android devices, including the Nexus 4 and Nexus 5 running Android KitKat, and some devices running Android Ice Cream Sandwich and Jelly Bean.
Key measures that can be taken to secure smartphones from the threats posed by peripheral devices:

- Encrypt data stored on smartphones
- Enable remote wipe and password protection on smart phones
- Disable physical interfaces such as Bluetooth and Wi-Fi when not in use
- Do not connect to open or ad-hoc Wi-Fi networks
- Incorporate additional confidential piconet information into pairing to reduce the risk when pairing devices in a piconet
- Avoid charging at public kiosks, or power off the device while charging at a public kiosk
- Disable pairing with jailbroken iOS devices or any other untrusted devices
COMMUNITY INITIATIVES IN MOBILE APPLICATION SECURITY

The threats and techniques discussed in the sections above work well only in the B2E scenario, to protect enterprise data. B2C scenarios are still a vulnerable area and need attention. To safeguard end-users' private data, several industry forums are working on projects to develop open source software that maintains user anonymity and ensures secure communication, browsing and chat. Some of these projects are:

Guardian Project: The Guardian Project is a community of software developers, trainers and activists who work on open source mobile security software and operating system enhancements. They create mobile apps that enable individuals to communicate more freely and protect themselves against intrusion and unsolicited monitoring. Applications that use or implement the Guardian Project's work include Orbot, Orweb and ChatSecure. Refer to [8] for more details.

Tor Project: The Tor Project is an open source project that enables user anonymity, making it possible for users to use the internet anonymously. Tor protects users' personal privacy and their freedom to conduct confidential communication using a technique called 'onion routing', which protects the privacy of data in transit. Anonymous web browsing is a use case for mobile devices too, since browsing from mobile devices puts user data at risk. The term "onion routing" refers to application-layer encryption nested like the layers of an onion, used to anonymize communication. Tor encrypts the original data packet, including the address of the next hop, in successive layers and sends it through a virtual circuit of randomly selected Tor relay nodes. Each relay decrypts one layer to reveal only the identity of the next relay in the circuit, and passes the remaining encrypted data to it. The final relay decrypts the innermost layer and sends the original data to its destination without revealing, or even knowing, the source IP address. Because the routing is partly concealed at every hop in the circuit, no single point exists at which the communication can be de-anonymized by network surveillance that relies on knowing both its source and its destination. Note that the exit relay sees the final payload in the clear unless the application itself uses end-to-end encryption such as HTTPS.

Figure 3 - Concept used in Onion Routing (diagram: the source wraps the message in three layers, keyed to Router A, Router B and Router C; each router removes its own layer and forwards the remainder, and Router C delivers the message to the destination)
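The layering described above and pictured in Figure 3, carried out in code. This is an added example, not from the paper, and is not Tor's protocol or wire format: it keeps the relay names A, B and C from the figure and assumes the client already shares a symmetric AES key with each relay (Tor negotiates those per hop with a key-exchange handshake, which is omitted here). It runs on Java SE with no third-party libraries and also shows what a relay cannot do: open a layer that is not its own, or forward a layer that has been tampered with.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.*;

public final class OnionRoutingDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 12, TAG_BITS = 128;

    // Assumption for the example: each relay's key is already shared with the client.
    static SecretKey newKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // One encryption layer: random IV || AES-GCM ciphertext and tag.
    static byte[] seal(SecretKey key, byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }

    static byte[] open(SecretKey key, byte[] sealed) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, sealed, 0, IV_LEN));
        return c.doFinal(sealed, IV_LEN, sealed.length - IV_LEN);
    }

    // Layer body: [1-byte length][next-hop name][payload for that hop].
    static byte[] pack(String nextHop, byte[] payload) {
        byte[] hop = nextHop.getBytes(StandardCharsets.UTF_8);
        return ByteBuffer.allocate(1 + hop.length + payload.length)
                .put((byte) hop.length).put(hop).put(payload).array();
    }

    // Client side. The innermost layer (for the exit relay) names the destination and carries
    // the message; each outer layer names the relay that follows. Wrapping runs exit -> entry.
    static byte[] buildOnion(List<String> circuit, Map<String, SecretKey> keys,
                             String destination, String message) throws GeneralSecurityException {
        byte[] payload = pack(destination, message.getBytes(StandardCharsets.UTF_8));
        for (int i = circuit.size() - 1; i >= 0; i--) {
            byte[] sealed = seal(keys.get(circuit.get(i)), payload);
            payload = (i == 0) ? sealed : pack(circuit.get(i), sealed);
        }
        return payload;
    }

    static final class Peeled {
        final String nextHop; final byte[] payload;
        Peeled(String nextHop, byte[] payload) { this.nextHop = nextHop; this.payload = payload; }
    }

    // Relay side. A relay removes exactly one layer: it learns the next hop and forwards the
    // rest, which it cannot read. It never learns the source, nor the contents unless it is the exit.
    static Peeled peel(SecretKey key, byte[] cell) throws GeneralSecurityException {
        byte[] plain = open(key, cell);
        int n = plain[0] & 0xff;
        return new Peeled(new String(plain, 1, n, StandardCharsets.UTF_8),
                          Arrays.copyOfRange(plain, 1 + n, plain.length));
    }

    // Walk the circuit as the relays would; 'trace' records what each relay learned.
    static String route(List<String> circuit, Map<String, SecretKey> keys, byte[] onion,
                        List<String> trace) throws GeneralSecurityException {
        byte[] cell = onion;
        for (String relay : circuit) {
            Peeled p = peel(keys.get(relay), cell);
            trace.add(relay + " learned next hop: " + p.nextHop);
            cell = p.payload;
        }
        return new String(cell, StandardCharsets.UTF_8); // what the exit delivers to the destination
    }

    public static void main(String[] args) throws Exception {
        List<String> circuit = Arrays.asList("A", "B", "C");
        Map<String, SecretKey> keys = new HashMap<>();
        for (String r : circuit) keys.put(r, newKey());

        byte[] onion = buildOnion(circuit, keys, "example.org", "GET / HTTP/1.1");
        List<String> trace = new ArrayList<>();
        String delivered = route(circuit, keys, onion, trace);
        trace.forEach(System.out::println);              // one line per relay, next hop only
        System.out.println("exit delivers: " + delivered);

        // A middle relay cannot open the entry layer with its own key ...
        try {
            peel(keys.get("B"), onion);
            System.out.println("unexpected: B opened A's layer");
        } catch (GeneralSecurityException e) {
            System.out.println("B cannot open the entry layer: " + e.getClass().getSimpleName());
        }
        // ... and a tampered layer is rejected by the GCM tag before it is forwarded.
        onion[onion.length - 1] ^= 0x01;
        try {
            peel(keys.get("A"), onion);
        } catch (GeneralSecurityException e) {
            System.out.println("A rejects the tampered cell: " + e.getClass().getSimpleName());
        }
    }
}
```

Two properties of the text are visible in the trace: relay B learns only that C comes next, never the source or the destination, and only C, the exit, sees the message, which is why application-level encryption to the destination is still needed.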
CHALLENGES WITH IMPLEMENTING BYOD

Figure 4 - The 'Bring Your Everything' Cycle (diagram: BYOD leads to BYON, BYOE and BYOC; devices use hotspots, and hotspots allow access to private and public cloud services; BYOC is the new BYOD, as software is the new hardware)
BYOD is a boon for employees, who get the benefit of carrying a single device for personal and official use. It also improves productivity for enterprises, since employees have round-the-clock access to their corporate email and services. However, it brings new challenges for enterprise IT, because an employee who uses BYOD will inherently also use BYON (Bring Your Own Network) and BYOC (Bring Your Own Cloud). "As security professionals, we must re-evaluate traditional security practices and create service models that offer secure data access—regardless of the device, network or source," explains Jason Sachowski, a security professional.

BYON: Employees can access enterprise applications and data from wherever an internet connection is available. BYON encompasses a range of wireless networking options, including cellular, public Wi-Fi and ad-hoc Wi-Fi, some of which are inherently unsecure. Enterprises have no way of tracking employees who use these networks to access corporate data.

Mitigating the risks that BYON brings: For enterprises to benefit from BYON, they must focus on three elements:

- Policies: Clearly define and communicate policies that guide employees on BYON and its usage
- Network architecture: Install mechanisms that separate sensitive information from non-sensitive data. Use up-to-date firewalls to track network usage, and develop applications with built-in security
- Network capabilities: Invest in in-house network capabilities so that employees have adequate wireless access and do not need to resort to external network resources such as personal Wi-Fi hotspots to reach the internet

BYOC: Gone are the days when hard drives were used to store data; today, software is the new hardware. BYOC is another trend that is catching on, mostly in small and medium enterprises looking to save costs. It lets employees use public cloud services, for example sharing large files through their Dropbox accounts. BYOC has become popular because of the flexibility it offers end-users. It also benefits enterprises by reducing the cost of setting up the dedicated infrastructure needed to provide the
access to the cloud. Consider a scenario where a sales person in the organization needs access to confidential presentations on the company’s annual report from his device while on travel. He would upload this material from the company-provided file servers on the corporate network to his personal Dropbox account. Once the material is on the third-party cloud, IT no longer has any visibility into managing or safeguarding the material.

Enterprises today are making their way towards using third-party cloud services such as Google Docs, Gmail for office, Evernote and Dropbox instead of deploying their own on-premise email or storage solutions. But being able to access corporate applications and data on the cloud from end-user devices makes corporate data vulnerable to security risks. Risks from using cloud services include malware and publicized breaches of cloud services such as those seen at Twitter and Evernote [9] and [10]. Another potential risk with using cloud services is how an enterprise can know that an employee who is no longer on the rolls no longer has access to company information stored over BYOC.

Enterprises should take immediate steps to define and communicate a policy of what is acceptable when it comes to BYOC. They must enforce this policy using tools such as next-generation enterprise-grade firewalls. Enterprises should also evaluate some of the popular alternatives to consumer-grade cloud services. Many of the consumer-oriented cloud services may claim to be secure, but most do not include the enterprise-grade security controls required to adequately protect corporate data and meet compliance mandates. Hence, enterprises should apply security policies to the cloud services used from their premises, such as:

- Using antivirus security and monitoring of employee activities
- Event logging and firewall protection to track usage
- Detecting intrusive attacks
- Enabling secure login and authentication
CONCLUSION

Enterprises today offer Bring Your Own Everything (BYOE), covering devices, cloud and/or network, to improve overall employee satisfaction and productivity, and to reduce the fine line between usage of employee-owned devices for personal and official purposes. However, BYOE brings in a unique set of challenges too. Enterprises and employees should be well aware of the threats to corporate data and services when they are accessed from personal devices. Enterprise IT should adopt security solutions such as MDM and MAM with adequate know-how, research and applicability to their unique requirements.

Naïve smart phone users are often lured to use the plethora of services offered free of charge. They are unaware of the serious consequences of using these services due to their lack of awareness of the threats these services pose. The directive for users is to use judiciously the services that are offered free of charge - be it applications on the App Store, free Wi-Fi access in public areas or free services such as cloud storage for user documents. End-users should be guarded in their use of peripheral devices such as USBs, Bluetooth headsets and mobile charging kiosks. Setting up peer-to-peer connections over Wi-Fi Direct or Bluetooth also needs adequate caution. Organizations such as NSA and community initiatives such as Tor are working actively to safeguard the interests of end-users.

While enterprise IT is working towards safeguarding businesses within the enterprises, public organizations such as NSA are working towards protecting end-user interests. Any measures against security threats will be effective only when the user carrying a smartphone is educated about the threats and risks prevalent in the mobile ecosystem.
ARICENT’S OFFERING

Aricent provides engineering services to design and develop enterprise apps and app stores. We provide vulnerability assessment as a service for mobile apps and backend systems. We are also engaged with leading innovators to build secure messaging apps and to provide end-to-end functional and penetration testing for MDM products.

Authors: Manju Dogra, Sumit Dhingra
ACRONYMS

MDM: Mobile Device Management
MAM: Mobile Application Management
B2C: Business to Consumer
B2E: Business to Enterprise
BYOC: Bring Your Own Cloud
BYOD: Bring Your Own Device
BYON: Bring Your Own Network
USB: Universal Serial Bus
VDI: Virtual Desktop Infrastructure
SaaS: Software as a Service
DaaS: Desktop as a Service
OEM: Original Equipment Manufacturer
OTG: On-The-Go
TEE: Trusted Execution Environment
VPN: Virtual Private Network
SSL: Secure Socket Layer
TOR: The Onion Router
REFERENCES

1. http://www.gartner.com/newsroom/id/2753017
2. http://www.gartner.com/newsroom/id/3088221
3. http://www.eecs.berkeley.edu/Pubs/TechRpts/2013/EECS-2013-58.pdf
4. http://www.techrepublic.com/article/android-lollipop-taking-mobile-security-to-a-new-level/
5. https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Dangers_of_Jailbreaking_and_Rooting_Mobile_Devices
6. http://blog.kaspersky.com/rooting-and-jailbreaking/
7. https://datatheorem.github.io/2014/03/21/securing-webviews-android/
8. http://www.howtogeek.com/203061/don%E2%80%99t-panic-but-all-usb-devices-have-a-massive-security-problem/
9. https://guardianproject.info/tag/android/
10. http://www.bbc.com/news/technology-21644317
11. https://blog.twitter.com/2013/keeping-our-users-secure
12. http://blog.allstream.com/byon-security-risks-can-be-mitigated-with-3-critical-elements/
Aricent is the world’s #1 pure-play product engineering services firm. The company has 20-plus years experience co-creating ambitious products with the leading networking, telecom, software, semiconductor, Internet and industrial companies. The firm's 10,000-plus engineers focus exclusively on software-powered innovation for the connected world. The company’s key investors are KKR & Co. and Sequoia Capital. info@aricent.com
© 2015 Aricent. All rights reserved. All Aricent brand and product names are service marks, trademarks, or registered marks of Aricent in the United States and other countries.