app stores and security

As personal handheld devices like smartphones and tablets become part of employees’ technical arsenals, the security of those devices begins to impact the corporate environment.  No matter how many times we tell people not to store sensitive corporate information on these devices, there will always be a subset of people who do so.  They are not being malicious; rather they see these new technologies as a way to improve their productivity and are frustrated with corporate IT departments’ unwillingness or inability to support them.

Once corporate information is on these devices, security professionals need to be concerned about not only the inherent security of the device, but the trustworthiness of totally unrelated applications which the employee installs on their device. 

In the past week, Google removed more than 50 applications from the Android Market after a user discovered that they were actually pirated versions of popular Android applications which had been modified to contain a piece of malware dubbed “DroidDream,” which sends the attacker a variety of information about the device it is installed on and more importantly, provides a mechanism allowing the attacker to load and execute additional code onto the phone or tablet.

To Google’s credit, they reacted to this news quite quickly – within minutes of being notified of the problem, they removed the malware laden applications from the Android Market and later sent commands to all Android devices to remove the applications from users devices.  However, over 50,000 downloads of the rogue applications were made prior to the discovery of the malware and it is unknown how many of the affected users’ devices may have downloaded additional nefarious applications which were not removed by Google’s actions.

The basic problem here is that the structure of Android Market does not include any review of applications prior to their being put on sale.  Say what you like about Apple’s draconian control of its iOS platforms and App Store, but the App Store is much more likely to catch and prevent the distribution of malware than Android Market.

Of course, iOS users who decide to “jailbreak” their devices, thus allowing them to install applications from third parties outside of the App Store are just as much at risk as Android Market users.  Jailbreaking an iOS device is very easy and users may be tempted to jailbreak in order to obtain software which is not available from the App Store. 

All of this complicates life for the corporate IT manager who wants to make these amazing new devices part of their IT ecosystem.  If users are allowed to use their personal devices for corporate business, we need to worry about what applications they are installing on these devices.  As they are not corporate owned or controlled, we can’t really tell people what apps they should or should not install or prohibit them from jailbreaking their device.  If we decide to roll out corporate owned iOS and Android devices, we end up with new platforms to support without the security and configuration tools which allow us to protect our desktop and laptop computing devices.

So what do we do?  For now, I think that educating our users about the risks they face while using their personal devices is job one.  We need to make users understand that jailbreaking an iOS device significantly reduces the level of security on the device.  We need to explain to users that Android applications are not pre reviewed in any meaningful way by Google.

As far as enterprise use of these new devices, I think that Google and Apple need to get working on some enterprise management software that allows corporations to securely configure and manage these devices.  Ideally, it should be possible to create a separate encrypted corporate partition where work information is stored.  This partition should need to periodically phone home to check to make sure that the device is still authorized to access corporate information and to pick up policy updates.

Consumer devices are clearly the wave of the future in enterprises – but we need help from the vendors to make these devices safe for corporate use.

Leave a Reply