Feeds

Tablet security study finds BlackBerry still good for something

iPad,Galaxy Tab and PlayBook face off in BYOD probe

Protecting against web application threats using SSL

A technology audit has identified security failings in three of the most popular tablets, raising concerns about the security implications of allowing workers to use their personal technology at work.

A study by Context Information Security looked at Apple's iPad, Samsung's Galaxy Tab and RIM's BlackBerry PlayBook, and concluded the Samsung device was the least enterprise-ready of the trio. While the iPad and BlackBerry PlayBook performed better, both still have security deficiencies – including desktop software that fails to encrypt backups by default.

The BlackBerry was the only device of the three found to provide good separation between personal and work data, something that ought to be a key feature in supporting the growing trend of Bring Your Own Device (BYOD).

All three tablets supported Exchange ActiveSync, a factor that means their core security configurations can be managed from a central Exchange server. But differences in security controls affect their suitability for enterprise use. These security controls included data protection, software integrity and updates, access control, security configuration profiles and connectivity, along with backup and synchronisation.

The iPad has robust data protection and damage limitation facilities. However, its security shortcomings include the regularity of new jailbreak attacks, and ineffective disk encryption unless a strong passcode policy is applied. And although the iPad's disk encryption scheme is well designed, the default behaviour for iTunes backups is to store files in clear text, obviously unacceptable for the storage of potentially sensitive corporate data. Much the same back-up approach is adopted with the BlackBerry PlayBook.

The Samsung tablet does not ship with a locked bootloader but the built-in disk encryption provides weaker support, making it more difficult to use. Even when encryption is enabled on the Galaxy, it allows badly written apps to store sensitive information on any unencrypted SD card inserted into the device.

A lack of enterprise-level management tools beyond ActiveSync also means that it is very difficult to manage more than a small number of Galaxy Tabs in an enterprise environment, a shortcoming the kit shared with the iPad. The BlackBerry PlayBook, by contrast, provides "excellent logical and data separation between work and personal modes" thanks to its Balance architecture – which allows secure wipes of biz data from the device by the employer while leaving personal information intact – combined with its built-in Bridge content-porting application.

Context Information Security's report, entitled Tablets - A Hard Pill to Swallow (available here), casts a rule on the robustness of the security controls on the three popular tablet platforms.

We can't stop BYOD

Jonathan Roach, principal consultant at Context and author of the report, concludes that even though security controls are easier to apply on traditional desktops and laptops, the trend towards allowing working to bring their own devices into work is unstoppable.

“It is difficult to ignore the growing presence of tablet computers in the home and workplace offering a blend of productivity, connectivity and physical freedom which has never been achieved before,” Roach said. “The device format is perfect for social networking and creating and sharing documents, presentations and other content on-the-fly, but the same characteristics also present tough security challenges for organisations. Our research suggests that most tablet manufacturers still have a way to go before their products can deliver the high levels of security required for use in most corporate enterprises.”

Many security vendors are marketing third-party tools designed to overcome some of the security shortcomings surrounding the use of consumer devices in corporate environments.

Roach indicated that these tools are likely to help correct some of the issues the study outlined but it's not clear how much. The effectiveness of BYOD management and security tools was beyond the scope of Context's initial study into the security of tablet devices but may become the topic of follow-up research. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.