Mobile Security Weekly – Remote Mobile Management & Security Issues

This week’s summary looks at several different directions that mobile security seems to be taking. In particular, this week’s items emphasize that while the mass integration of remote management capabilities and biometrics is useful to the enterprise, it also poses a risk to the organization.

Outlook Android app leaves emails exposed
Researchers have released reports that reveal two concerning issues with the Microsoft Outlook Android app:

  1. Email attachments are stored in a file system location accessible to any application, or to a third party with physical access to the phone.
  2. Some emails are not stored in a manner that ensures the confidentiality of messages on the file system of the mobile device.
Android users can protect their data by following the instructions posted here.
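To make the first issue concrete, here is an added illustration of the storage weakness described above beside its hardened form. This is example code written for this summary, not Microsoft's code, and it makes no claim about how the Outlook app is actually implemented; the class name, method names and sample attachment bytes are constructed for the illustration.

```java
import android.content.Context;
import android.os.Environment;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Added example (not from the Outlook app): the weak storage pattern next to
// the app-private pattern that closes the gap the researchers describe.
public class AttachmentStorage {

    // Constructed sample attachment used by the demo method below.
    static final String SAMPLE_NAME = "invoice.pdf";
    static final byte[] SAMPLE_DATA = "constructed attachment bytes".getBytes(StandardCharsets.UTF_8);

    // Weak pattern: shared external storage. Every app holding the (at the time
    // very commonly requested) READ_EXTERNAL_STORAGE permission can read these
    // files, and so can anyone who plugs the phone into a computer over USB/MTP.
    public static File saveToSharedStorage(String name, byte[] data) throws IOException {
        File dir = new File(Environment.getExternalStorageDirectory(), "attachments");
        if (!dir.exists() && !dir.mkdirs()) {
            throw new IOException("could not create " + dir);
        }
        File out = new File(dir, name);
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(data);
        }
        return out;
    }

    // Hardened pattern: app-private internal storage. Files written through
    // openFileOutput(..., MODE_PRIVATE) live under getFilesDir(), are owned by
    // the app's own Linux UID, are not readable by other non-root apps, are not
    // exposed over MTP, and are deleted when the app is uninstalled.
    public static File saveToPrivateStorage(Context ctx, String name, byte[] data) throws IOException {
        try (FileOutputStream fos = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            fos.write(data);
        }
        return new File(ctx.getFilesDir(), name);
    }

    // Quick check a reviewer can run from a test or debug build: is a stored
    // attachment sitting under the shared external root rather than the
    // app-private directory? Returns true when the file is in private storage.
    public static boolean isInPrivateStorage(Context ctx, File f) {
        String path = f.getAbsolutePath();
        String privateRoot = ctx.getFilesDir().getAbsolutePath();
        String sharedRoot = Environment.getExternalStorageDirectory().getAbsolutePath();
        return path.startsWith(privateRoot) && !path.startsWith(sharedRoot);
    }

    // Demo: store the constructed sample the safe way and verify its location.
    public static boolean storeSampleSafely(Context ctx) throws IOException {
        File stored = saveToPrivateStorage(ctx, SAMPLE_NAME, SAMPLE_DATA);
        return isInPrivateStorage(ctx, stored);
    }
}
```

Moving attachments to internal storage addresses the "any application" half of the finding. It does not by itself address the "physical access" half: a party with root or an unlocked device can still read the app's private directory, so encrypting the attachment before it is written (with a key that is not stored alongside it) is the complementary control for data at rest.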

Why is this Significant?
Over the past few months, unprotected data has sadly become a recurring trend with several messaging and email apps, both on iOS and Android. As we can see, it’s not just the minor niche players releasing vulnerable apps – so are the biggest players in the game with large developer budgets.

Security researchers have found a flaw in iOS which could allow an attacker to remove security measures on lost or stolen iPhones.

By implementing an intelligent MitM (Man in the Middle) attack, attackers can exploit a flaw that causes an iOS device to connect to a malicious device masquerading as an Apple server. Consequently, attackers can transmit instructions to the device and retrieve sensitive information, including Apple ID credentials.

Besides being able to access user data, an attacker could also use the stolen credentials to disable the remote lock or wipe mechanisms that can be activated for stolen and lost devices.
The researchers have also disclosed that the flaw was first identified five months ago and that, despite reporting it to Apple in March, they have yet to hear back from the company.

Why is this Significant?

  1. iOS doesn’t provide the comprehensive security that corporate users and consumers are looking for when a device is reported as stolen. In the era of BYOD, a lost device could mean much more than losing text messages and a contact list.
  2. This is also another important reminder that Android isn’t the only vulnerable mobile OS. Although many of the stories we cover discuss vulnerabilities and attacks against Android devices, the more persistent and skilled hackers will be able to do significant damage to an iOS user.

Google has updated its Google Apps Mobile Management for Android service.
Google added four new features to help organizations with their BYOD strategy:

  1. Inactive account wipe: Enables businesses to set policies that will wipe an inactive account from a device if it has not been synced for a predetermined number of days.
  2. Compromised Device Detection: Enables enterprises to set policies that detect basic signals of common forms of device compromise.
  3. Support for WiFi networks using the Extensible Authentication Protocol (EAP). This means IT admins can now configure settings and distribute CA-based certificates for EAP networks.
  4. Additional reporting fields in the API and Admin console. These can be used to better detect the devices that are in use as well as to troubleshoot issues.

Why is this Significant?

  1. As enterprises become more mobile oriented, Google is taking an active role in trying to ensure employee productivity as well as data security.
  2. This update, as well as the previous iOS vulnerability, also re-raises the topic of mobile devices having “kill switches” and similar tools that render them useless and inoperable if need be. The question the industry is now facing is whether “kill switches” should even exist, given the control they give to vendors and to any adversary capable of operating them.

Samsung Looking To Iris Detection as the Future Of Mobile Security
The Korean mobile giant aims to increase its use of biometrics over the next couple of years. First on its checklist is iris detection. This allows a mobile device to scan a user’s eyes to determine whether that person is a match for biometric data the device holds.

The most common form of biometrics used at the moment is the fingerprint scanner. The new Samsung Galaxy S5 and the iPhone 5S both have a fingerprint scanner as part of their security package. Neither system has exactly had a smooth start: neither has stood up to simple bypass attempts.

Why is this Significant?
This is certainly an interesting vector in the world of mobile security. Some say biometrics are the only possible future in mobile protection and authentication, while others identify them as a significant security threat – once they’ve been bypassed, everything could be out in the open. Either way, this is definitely an issue we’ll be paying close attention to in the future.