AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

BYOD Encryption: Android App Shows Encryption Faults

It's been noted time and time again that Android tends to be less secure than its competitor because of its "open ecosystem." It's the perfect reason to use something like AlertBoot's mobile device encryption solution if a company is hopping onto the BYOD bandwagon (and plenty are).

However, not all mobile data security threats stem from the fact that the Android platform is so open. Sometimes, the apps that are designed to incorporate security were not designed as carefully as they should have been.

As Many as 185 Million Exposed

According to researchers, Android apps downloaded by as many as 185 million people could

expose end users' online banking and social networking credentials, e-mail and instant-messaging contents because the programs use inadequate encryption protections. [arstechnica.com]

Forty-one applications available on Google Play -- Google's answer to criticisms that every scammer who can code under the sun was offering something fishy in the Android app store -- were identified. The one silver lining in the cloud: the researchers tested the apps under Android's Ice Cream Sandwich. There's a good chance that the latest iteration of Android OS -- Jelly Bean -- is not affected, since the latter has introduced safeguards that were missing from previous versions of Android.

More than Android

But, then again, maybe not (my emphasis):

The findings underscore the fragility of the SSL and TLS protocols, which together form the basis for virtually all encryption between websites and end users. While the technology itself is generally considered secure, its protection can be undermined when certificate authorities fail to secure their infrastructure or websites don't take proper precautions. The paper, presented at this week's Computer and Communications Security conference, exposes yet another point of failure, which is poor implementation by app developers. [arstechnica.com]

The listed methods that undermine SSL and TLS are the same whether it's Android's newest (or oldest), Apple's iOS for iPhones and iPads, or even Microsoft's new Windows Phone 8. (The impact on each platform will be different, though. For example, iOS sandboxes all applications, so there's a lower risk level.)

What does this mean for organizations that are invested in BYOD programs, either fully or partially? After all, choosing the "right device" is not the answer in this particular case. Choosing the right app could be, but there's no real way to ensure that an app is truly secure.

One way to manage the threat might be via the use of an integrated Android and iPhone MDM solution (http://www.alertboot.com/disk_encryption/disk_encryption_product_tour.aspx) that, in addition to providing a way to manage devices and their policies, also controls which apps can and cannot be installed. Such control would require the use of whitelists, blacklists, or both.


Related Articles and Sites:
http://arstechnica.com/security/2012/10/android-apps-expose-passwords-e-mail-and-more/
http://gizmodo.com/5953686/researchers-reveal-massive-encryption-faults-in-android-apps-used-by-millions

 
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.