Feeds

Tablet security study finds BlackBerry still good for something

iPad,Galaxy Tab and PlayBook face off in BYOD probe

Beginner's guide to SSL certificates

A technology audit has identified security failings in three of the most popular tablets, raising concerns about the security implications of allowing workers to use their personal technology at work.

A study by Context Information Security looked at Apple's iPad, Samsung's Galaxy Tab and RIM's BlackBerry PlayBook, and concluded the Samsung device was the least enterprise-ready of the trio. While the iPad and BlackBerry PlayBook performed better, both still have security deficiencies – including desktop software that fails to encrypt backups by default.

The BlackBerry was the only device of the three found to provide good separation between personal and work data, something that ought to be a key feature in supporting the growing trend of Bring Your Own Device (BYOD).

All three tablets supported Exchange ActiveSync, a factor that means their core security configurations can be managed from a central Exchange server. But differences in security controls affect their suitability for enterprise use. These security controls included data protection, software integrity and updates, access control, security configuration profiles and connectivity, along with backup and synchronisation.

The iPad has robust data protection and damage limitation facilities. However, its security shortcomings include the regularity of new jailbreak attacks, and ineffective disk encryption unless a strong passcode policy is applied. And although the iPad's disk encryption scheme is well designed, the default behaviour for iTunes backups is to store files in clear text, obviously unacceptable for the storage of potentially sensitive corporate data. Much the same back-up approach is adopted with the BlackBerry PlayBook.

The Samsung tablet does not ship with a locked bootloader but the built-in disk encryption provides weaker support, making it more difficult to use. Even when encryption is enabled on the Galaxy, it allows badly written apps to store sensitive information on any unencrypted SD card inserted into the device.

A lack of enterprise-level management tools beyond ActiveSync also means that it is very difficult to manage more than a small number of Galaxy Tabs in an enterprise environment, a shortcoming the kit shared with the iPad. The BlackBerry PlayBook, by contrast, provides "excellent logical and data separation between work and personal modes" thanks to its Balance architecture – which allows secure wipes of biz data from the device by the employer while leaving personal information intact – combined with its built-in Bridge content-porting application.

Context Information Security's report, entitled Tablets - A Hard Pill to Swallow (available here), casts a rule on the robustness of the security controls on the three popular tablet platforms.

We can't stop BYOD

Jonathan Roach, principal consultant at Context and author of the report, concludes that even though security controls are easier to apply on traditional desktops and laptops, the trend towards allowing working to bring their own devices into work is unstoppable.

“It is difficult to ignore the growing presence of tablet computers in the home and workplace offering a blend of productivity, connectivity and physical freedom which has never been achieved before,” Roach said. “The device format is perfect for social networking and creating and sharing documents, presentations and other content on-the-fly, but the same characteristics also present tough security challenges for organisations. Our research suggests that most tablet manufacturers still have a way to go before their products can deliver the high levels of security required for use in most corporate enterprises.”

Many security vendors are marketing third-party tools designed to overcome some of the security shortcomings surrounding the use of consumer devices in corporate environments.

Roach indicated that these tools are likely to help correct some of the issues the study outlined but it's not clear how much. The effectiveness of BYOD management and security tools was beyond the scope of Context's initial study into the security of tablet devices but may become the topic of follow-up research. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
SMASH the Bash bug! Red Hat, Apple scramble for patch batches
'Applying multiple security updates is extremely difficult'
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
Desperate VXers enslave FREEZERS in DDoS bot
Updated Spike malware targets Asia
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.