Feeds

Tablet security study finds BlackBerry still good for something

iPad,Galaxy Tab and PlayBook face off in BYOD probe

The Power of One eBook: Top reasons to choose HP BladeSystem

A technology audit has identified security failings in three of the most popular tablets, raising concerns about the security implications of allowing workers to use their personal technology at work.

A study by Context Information Security looked at Apple's iPad, Samsung's Galaxy Tab and RIM's BlackBerry PlayBook, and concluded the Samsung device was the least enterprise-ready of the trio. While the iPad and BlackBerry PlayBook performed better, both still have security deficiencies – including desktop software that fails to encrypt backups by default.

The BlackBerry was the only device of the three found to provide good separation between personal and work data, something that ought to be a key feature in supporting the growing trend of Bring Your Own Device (BYOD).

All three tablets supported Exchange ActiveSync, a factor that means their core security configurations can be managed from a central Exchange server. But differences in security controls affect their suitability for enterprise use. These security controls included data protection, software integrity and updates, access control, security configuration profiles and connectivity, along with backup and synchronisation.

The iPad has robust data protection and damage limitation facilities. However, its security shortcomings include the regularity of new jailbreak attacks, and ineffective disk encryption unless a strong passcode policy is applied. And although the iPad's disk encryption scheme is well designed, the default behaviour for iTunes backups is to store files in clear text, obviously unacceptable for the storage of potentially sensitive corporate data. Much the same back-up approach is adopted with the BlackBerry PlayBook.

The Samsung tablet does not ship with a locked bootloader but the built-in disk encryption provides weaker support, making it more difficult to use. Even when encryption is enabled on the Galaxy, it allows badly written apps to store sensitive information on any unencrypted SD card inserted into the device.

A lack of enterprise-level management tools beyond ActiveSync also means that it is very difficult to manage more than a small number of Galaxy Tabs in an enterprise environment, a shortcoming the kit shared with the iPad. The BlackBerry PlayBook, by contrast, provides "excellent logical and data separation between work and personal modes" thanks to its Balance architecture – which allows secure wipes of biz data from the device by the employer while leaving personal information intact – combined with its built-in Bridge content-porting application.

Context Information Security's report, entitled Tablets - A Hard Pill to Swallow (available here), casts a rule on the robustness of the security controls on the three popular tablet platforms.

We can't stop BYOD

Jonathan Roach, principal consultant at Context and author of the report, concludes that even though security controls are easier to apply on traditional desktops and laptops, the trend towards allowing working to bring their own devices into work is unstoppable.

“It is difficult to ignore the growing presence of tablet computers in the home and workplace offering a blend of productivity, connectivity and physical freedom which has never been achieved before,” Roach said. “The device format is perfect for social networking and creating and sharing documents, presentations and other content on-the-fly, but the same characteristics also present tough security challenges for organisations. Our research suggests that most tablet manufacturers still have a way to go before their products can deliver the high levels of security required for use in most corporate enterprises.”

Many security vendors are marketing third-party tools designed to overcome some of the security shortcomings surrounding the use of consumer devices in corporate environments.

Roach indicated that these tools are likely to help correct some of the issues the study outlined but it's not clear how much. The effectiveness of BYOD management and security tools was beyond the scope of Context's initial study into the security of tablet devices but may become the topic of follow-up research. ®

Designing a Defense for Mobile Applications

More from The Register

next story
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.