Search

About

Enter your email address:

Delivered by FeedBurner

Categories

Westfield Links

Westfield Blogs

InfoSec Favorites

« December 2010 | Main | March 2011 »

February 2011

Do You Know the Security of Your Smartphone? (Part 2 of 3)

This is the second post in a three-part series on smartphones and information security. The series will discuss overall security of the BlackBerry, Apple and Android mobile operating systems.

Continuing from our previous post on the advantages and challenges of the BlackBerry operating system, we now move on to Apple mobile operating system (iPhone, iPad, iPod Touch), known as iOS.

As mentioned previously, the iPhone has been making waves in the industry concerning its recent introduction to the Verizon Wireless network. Regardless of the initial customer turnout for Verizon’s in-store release, the iPhone is still considered one of the most highly respected and coveted smartphones in the market.

 

Exclusivity of the iPhone iOS

The iPhone, iPod Touch and iPad now run iOS 4.2.  Apple has not only changed its major version, but also changed its name — from iPhone OS to iOS — in recognition of the fact that voice phone functions are a shrinking fraction of their mobile devices’ functionality.

So, what's the main differentiator between early smartphones and iPhone?  I believe the essential “newness” was that Apple inserted the iPhone into its maturing iPod/iTunes content ecosystem and added the App Store.  This closed environment gives users a unified device experience within Apple’s “walled garden.”  Apple prides itself on having created a trusted, friendly device that, conveniently for Apple, only downloads music, videos, podcasts and apps from the iTunes App Store.

While most iPhone owners find this state of affairs comforting, some find it frustrating. The ultimate form of challenging the control of Apple and their carrier at the device level is a process known as “jailbreaking”. Jailbreaking removes the controls, limitations and safeguards put in place by Apple, thus enabling the device to access and run applications, extensions and themes available outside of Apple’s App Store.  However, the added freedom comes with a tradeoff because the App Store is part of the Apple “cocoon of security.”  While Apple makes no guarantees (in their end user agreement) that apps will not misbehave, they do take more effort than any other vendors to assure that an application does what it says it does and only that.  They also restrict content they deem explicit.

 

iOS Security Benefits and Weaknesses

In addition to scrutinized applications, Apple’s iOS uses a “sandboxed application” philosophy. A sandbox is a default installation state of no access to OS level objects, such as persistent storage or executable.  The sandboxed app can, of course, access its own data and network resources freely, but can’t reach into the phone’s OS or even “talk to” other applications except in very controlled ways. This makes it harder to write applications that cooperate via drag and drop, etc., but improves security significantly. It makes it harder for applications to spy on and export each other’s data, and more straightforward when uninstalling an application and cleaning up its associated data.  If an employer controls the apps and deletes the CRM app, the CRM’s database of company confidential customer information is deleted with it.

Of course, retaining our healthy skepticism, iOS is just a device operating system and like all large complex software systems is not exempt from bugs and security issues:

  • Just this month (Feb. 2011) the Frauenhofer Institute SIT, exploited an iOS stored password/encryption vulnerability. Via the aforementioned jailbreaking process, the SIT research team was able to crack into stored iOS password vault, called the Keychain, in as little as six minutes.  In addition to the hardware encryption key for that device's storage, where application data would be stored, the Keychain contains user account/password pairs for such things as websites, email accounts, wi-fi hotspots, etc.  Optimistically, since Apple controls the ecosystem from the hardware up, they can rework the affected encryption architecture and system libraries to use the hardware in a different way to restore security to the iOS devices out there.  This should be an advantage of a monolithic device provider.

Apple continues to make iOS more enterprise friendly with hooks to email and other corporate services considered critical.  For example, companies can control whether the device locks its screen after an idle  interval and requires a password to get in.  Or, after say, ten failed attempts to get into the device, it wipes itself (data and applications or just the corporate controlled data and applications).  It can now be remotely wiped on demand by a command sent from a company IT security department.

 

What has your experience been?

Do you love the security of Apple’s walled garden or is it driving you nuts?  Are you excited or worried about switching from your current smartphone to an iPhone?  We’d like you to share your thoughts and questions with us.

Check out the first post in this series, and stay tuned for additional posts on information security with the leading smartphone operating systems:

----------------------------

John Brady is Information Security Architect Engineer at Westfield Insurance. Sharing Knowledge. Building Trust.

 

on 24 February 2011 | | Comments (0)

| | | | | |

Do You Know the Security of Your Smartphone? (Part 1 of 3)

This is the first post in a three-part series on smartphones and information security. The series will discuss overall security of the BlackBerry, Apple and Android mobile operating systems.


Today, it seems like everyone has, or is planning to get, a smartphone. From recent buzz surrounding the much-anticipated Verizon iPhone, to speculations on the staying power of the Android’s market dominance, the focus has been on smartphones and their presumed takeover of the mobile market. 

The Basics of Smartphones

 A smartphone combines the elements of a normal mobile phone with the additional features of a personal digital assistant (PDA). The convenience provided by the marriage of these technologies is huge, especially for those needing constant connection to personal or professional communication systems. For more information, read Liane Cassavoy’s article: What Makes a Smartphone Smart?

Be it the stalwart BlackBerry, the utopian Apple iOS, or the Swiss army knife Android platform, increasing numbers of corporate users — from the C-level to the mail room clerk — are becoming enamored, if not attached at the hip, to their mobile devices. 

Not only are they used for personal communications, such as calls, texting, email and web browsing, but we have also grown to rely on them for work.  If your business information is being shared via smartphone, it’s important that you understand the security models of the leading smartphones.

                                                                        

BlackBerry - Apparent Strengths can Become Weaknesses

Blackberry Long the paradigm of tight control and the only smartphone approved for use by the US Government employees, the BlackBerry has to some extent been rendered a victim of its own success.

The BlackBerry OS (BBOS)/BlackBerry Enterprise Server (BES) system implements an exquisitely fine-grained security layer that allows administrators to define hundreds of configuration settings.  For example, you can set the encryption of the device contents down to the level of the key length and algorithm to use. On other devices, “whole device encryption” or “application encryption” is either on or off and the device maker has chosen the algorithm and key lengths.  BlackBerry’s placing this control in the hands of the users  results in an embarrassment of riches of sorts because when a configuration setting can be controlled, there is a tendency to change the default to something “more secure.”  But as a consequence, going forward, the complexity of dozens of such choices must be managed.  Managed in the sense of brought forward to hardware models, tested on new versions of the BB OS, etc.  For the customer this is a potentially huge time sink.  For the device and OS maker it creates an enormous burden of legacy compatibility.  We have seen this sort of phenomena occur with MS Windows.

In BlackBerry’s defense, they have tried to control management complexity.  For example, these customizations can be bundled into named configurations (e.g., “Sales Config”, “IT Config”, etc.) and distributed to the BlackBerry population based on job role.  But remember, BlackBerry has been playing hardware catch up with touchscreen phones, and now tablets, and has re-versioned it's operating system through from 4.x to 6.x in the space of 36 months.  Bringing the aforementioned custom configurations forward though revisions of the BBOS,BES and dozens of new device models is quite challenging.  Moreover, over the next couple years, RIM is moving new devices entirely from the proprietary BBOS to QNX, a real-time microkernel OS!

 

BlackBerry Availability

In general BlackBerry has been a very robust and reliable platform although they have had some bobbles (not surprising due to their long lived number one smartphone position).

As with any device, you run the risk of experiencing system failures and service blackouts, which can result in serious problems for highly dependent users. For some BlackBerry customers, this dreaded occurrence became a reality in late January 2011, as the BlackBerry Internet Service experienced a brief outage.

Another source of potential concern over availability and security is that much of the comfort and control/monitoring behind BlackBerry use resulted from the fact that all network traffic to and from the device was forced to loop all the way back through the corporate LAN (one of the main functions of the MDS service that runs in the BES) before going, say out to the Internet.  The upside was that all of your corporate safeguards put in place for email and web filtering were automatically in place for the BB traffic.  However, newer BB models have to some extent shot this model in the foot by including Wi-Fi which supports direct attachment to the Internet (if the corporate admins permit it) which of course means that the BB can make direct connections  to potentially infected web sites.

What has your experience been?

We’d like to hear about any security issues you’ve faced with your BlackBerry, or concerns with the BBOS that have swayed you to consider an alternative smartphone system.

Stay tuned for the next two posts on information security with the leading smartphone operating systems:

  • Apple iOS
  • Google Android

 

John Brady is Information Security Architect Engineer at Westfield Insurance.

Photo - Cheon Fong Liew

on 09 February 2011 | | Comments (1)

| | | | | |