Android MasterKey and a secure, simple BYOD future

05 January 2014, 02:45


As we discover more security loopholes in Android, it is becoming increasingly clear that we need to protect our mobile devices every bit as carefully as we already do our PCs. In fact, the extreme mobility of our new tools means they are even more vulnerable than any machine was in the old world, since they hardly spend any time sitting secure behind an enterprise firewall.

Fortunately, new tools that have stepped up to the challenge show us that the future lies in simple, security-first architecture.

What’s going on?

I had already been following the story of the Android “master key vulnerability” in the APK cryptographic security system, which is a way to bypass the piece of code that warns if an app is not legitimate or has been tampered with, when I read about a second vulnerability which allows a Java-based approach to achieve the same objective.

What’s alarming about these discoveries isn’t just the fact that they allow rogue apps to install completely undetected, but rather that they have been around since the release of Android 1.6 back in 2009.

We’ve also recently seen new research that suggests it could be possible to take over a phone via its SIM card; kids’ apps have been found to use the Android master key (although it seems the developer may have had no idea what they had found); and we’ve had another object lesson in basic web scams in the form of WhatsAppSpy, a fraudulent service that should have set off every target’s alarms, but still made its perpetrator a handy profit.

Now, you may recall that I’m a keen iPhone user, and you might be thinking that as a result I wouldn’t be too concerned. After all, Apple keeps tight control of its apps, and malware has never been a problem on Apple, right?

Well, leaving aside the fact that I test and use many devices at work, Android is based on Linux, and any Linux fan will tell you that they don’t worry about malware either. It’s just a Windows problem.

There is a very simple reason why malware has not historically been an Apple problem, and it’s the same reason that applies to Linux: market share.

The difficulty of writing malware for a particular platform has only limited effect on its developer; they’re looking for the best way to make a profit. Up until now, Android has been the preferred target because the OS isn’t locked down; specifically, and unlike iOS, it has been very easy for users to download apps from third-party app stores.

Since these aren’t policed by Google, malware creators have nothing standing between them and a dodgy download that will install as malware. This is on a par with the old Windows problems of downloading a .exe file from an email attachment: it’s incredibly basic and relies on users being naive or simply less able to check what they’re installing due to the limitations of their tiny touchscreens.

Also, enterprise security people have traditionally felt that a password is the ultimate answer to security (especially one that users can’t remember), but as any parent with young children can tell you, their child will know the passwords to all their mobile devices. This is just a fact of life these days and one that we need to build enterprise security around, and it further reinforces the end of perimeter security.

I predict that we’re going to see far more sophisticated malware for Android, and once you have the skills to create those, iOS users with their far greater willingness to spend will undoubtedly look like a promising target too.

The problem with existing solutions: I’m sorry, I can’t do that, Dave

So, that’s why I started looking for a new type of enterprise security solution. Now, to my mind the majority of mobile and BYOD security systems out there have a major flaw, because the typical mobile device management (MDM) system requires users to install an agent on their device, either to control what it will do or to require complex passwords (good luck with that on a little touchscreen), which rather undermines the attractiveness of BYOD.

Actually, this being 2013 I suspect that rather than use MDMs, many workers just use their device for work without their employer having any kind of oversight, adding to the shadow IT and opening the entire system up to threats.

Also, if you try to run MDM on a whole company’s devices, think where that ends up: you can quickly end up having to manage a whole fleet of devices which you never paid for, which could be obscure, or not supported by your system…

So I was very pleased to come across LetMobile, a company which provides a secure email solution that takes a different approach to the problem.

Rather than a container or an MDM, it works as a gateway to corporate information. Therefore, instead of managing endless devices, or getting into personal conflicts with users, it secures the data flow rather than the device so your users can use their preferred device and email client.

Multi-factor authentication takes the device, user identity and location into account. So, if you want (or have) to ensure that only users in a particular country or project have access to certain information, a simple policy will ensure that it cannot be accessed any other way – because the data is never stored on the device. It even ensures that all access to your data is logged for audit, and only affects corporate data so outside of work it doesn’t get in the way.

So what does this mean for you?

That service is just an example of how one part of your corporate data, email, can be secured more easily and cost-effectively by focusing on what’s important: the need for secure communications and to know who you’re really dealing with. It shows that by architecting your solution with security and access in mind, you can secure important gateways to your data.

Consider what these gateways can be in the modern era of smartphones: start by looking at a typical device’s hardware features and then consider what kind of apps may be run. Consider how your data could be transferred through contact via Android Beam or Bluetooth, or what would happen if an NFC payment system were hijacked the way ATMs can be… Consider how to deal with keys stored on the device, and what is stored in the cache.

The example I gave is a solution for securing email, but what is really important here is the concept, not the service. Today we are not just dealing with securing communications between a device and the back office; we need to create secure apps, secure servers and so on, but you may also need to secure access to data through social media or websites, or to ensure your data isn’t copied by an agent at customs.

The point is that you cannot simply take your existing web strategy to mobile as there are so many new threats, and these need a new approach.

So while we definitely need to be careful when using our mobile devices, the future holds smart, unintrusive ways of protecting our corporate data by developing architectures with security in mind from the start.

1 Comment

Donato Orlando
    15 January 2014, 02:45

    The price mattered to my coworker when I was telling her about beautiful widgets yesterday. She loved it until I told her the price, so we searched for fancy widgets on her phone since I knew about it from before, but I was pretty sure it was off the market and found this new version last night.
