BYOD Encryption: Android App Shows Encryption Faults.

It’s been noted time and time again that Android tends to be less secure than its competitor because of its “open ecosystem.”  It’s the perfect reason to use something like AlertBoot’s mobile device encryption solution if a company is hopping on to the BYOD wagon (and plenty are).


However, not all mobile data security threats stem from the fact that the Android platform is so open.  Sometimes, the apps that are designed to incorporate security were not designed as carefully as they should be.


As Many as 185 Million Exposed



According to researchers, Android apps downloaded by as many as 185 million people could expose end users’ online banking and social networking credentials, e-mail and instant-messaging contents because the programs use inadequate encryption protections. [arstechnica.com]


Forty-one applications available on Google Play — Google’s answer to criticisms that every scammer who could code was offering something fishy in the Android app store — were identified.  The one silver lining in the cloud: the researchers tested under Android’s Ice Cream Sandwich.  There’s a good chance that the latest iteration of Android OS — Jellybean — is not affected, since it added safeguards that were missing in previous versions of Android.


More than Android



But, then again, maybe not (my emphasis):



The findings underscore the fragility of the SSL and TLS protocols, which together form the basis for virtually all encryption between websites and end users. While the technology itself is generally considered secure, its protection can be undermined when certificate authorities fail to secure their infrastructure or websites don’t take proper precautions. The paper, presented at this week’s Computer and Communications Security conference, exposes yet another point of failure, which is poor implementation by app developers. [arstechnica.com]


The listed methods that undermine SSL and TLS are the same whether it’s Android’s newest (or oldest), Apple’s iOS for iPhones and iPads, or even Microsoft’s new Windows Phone 8.  (The impact on each platform will be different, though.  For example, iOS sandboxes all applications, so the risk level is lower.)
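The quoted passage names poor implementation by app developers as the point of failure without spelling it out; the classic shape of that fault is a client that accepts any server certificate or never checks that the certificate matches the hostname. As an added example (not code from the article or from the researchers), the following Python audit of a client TLS configuration flags both faults, and also catches the partial fix that verifies the certificate chain but skips the hostname check:

```python
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return findings for a client-side SSLContext; an empty list means the
    context verifies the server's certificate chain, matches the certificate
    to the hostname, and refuses protocol versions older than TLS 1.2."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS versions older than 1.2")
    return findings


def trust_everything_context() -> ssl.SSLContext:
    """The anti-pattern: a context that accepts any certificate for any name.
    Constructed here only so the audit has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode changes
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_context() -> ssl.SSLContext:
    """A partial fix: the chain is verified, but any valid certificate from a
    trusted CA is accepted for any host because the name is never checked."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain verification, hostname matching and a TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, builder in [("trust-everything", trust_everything_context),
                          ("chain-only", chain_only_context),
                          ("hardened", hardened_context)]:
        print(name, audit_tls_context(builder()) or ["OK"])
```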


What does this mean for organizations that are invested in BYOD programs, either fully or partially?  After all, choosing the “right device” is not the answer in this particular case.  Choosing the right app could be, but there’s no real way to ensure that an app is truly secure.


One way to manage the threat might be via the use of an integrated MDM solution (Android and iPhone MDM solution: http://www.alertboot.com/disk_encryption/disk_encryption_product_tour.aspx) that, in addition to providing a way to manage devices and their policies, also controls which apps can and cannot be installed.  Such control would require the use of whitelists, blacklists, or both.



Related Articles and Sites:
http://arstechnica.com/security/2012/10/android-apps-expose-passwords-e-mail-and-more/
http://gizmodo.com/5953686/researchers-reveal-massive-encryption-faults-in-android-apps-used-by-millions


