
Got a mobile phone? Then you've got a Trojan problem too

This time it’s personal

And last comes Android

And last comes Android. Lyne agrees with Sawyer that it is the most under attack, and notes that it is fragmentation that poses the biggest problem.

The scale is shown by research conducted by Lacoon Security, an Israeli consultancy which surveyed the smartphones of half a million users over a number of networks.

Lacoon found that one in 1,000 had some kind of spy phone software installed. Of these 53 per cent were Android and 47 per cent iOS, with 22 per cent of the infections being on Android 4.x.

Given that there is a security threat if you don’t use an MDM, and that using an MDM itself might pose a security threat, what is the best option, particularly for those highly targeted Android devices?

Hard Knox

Perhaps the best combination of MDM and devices is the Samsung Knox system. Like the General Dynamics solution announced at Mobile World Congress, Knox has a customisable boot and uses the NSA-derived SELinux (security enhanced), although Sawyer notes that until the end of August Samsung shipped this in permissive mode rather than enforcing mode.

Samsung does not provide an MDM system for Knox phones directly but builds on its Safe program to provide a basis for other suppliers of MDM systems.

In a world of end-to-end ecosystems from Amazon to iTunes it is surprising that Samsung has elected not to enter the fray. Perhaps it thinks Western companies would prefer not to have a South Korean company own the keys to their commercial secrets.

The secure container is a common approach, adopted by Knox, General Dynamics, Deutsche Telekom’s SimKo3, MobileIron, Airwatch, FiberLink, Zenprise and Good Technology, among others.

The model of using a container for applications cuts the risk of the data leakage associated with BYOD (bring your own device). A secure container is set up for corporate applications such as email, calendar, browser, storage clients and so on.

Data downloaded from the enterprise, such as email attachments and files, cannot be accessed by applications outside that container.

This stops users from being able to email, text or Dropbox any files that should live only within the corporate environment. All the data stored is encrypted using AES-256.

This provides the perfect excuse to leave the work phone behind when you go on holiday as you will be prohibited from taking it anywhere that has UN export restrictions and sanctions in place or where encryption is illegal.

Sophos has a lighter touch, perhaps more tailored to BYOD. It ensures the user has a decent passcode and that the device is properly configured – for example, that SSL is turned on for email – and looks for the signs of Trojans.

There is no easy way to detect if a phone has been rooted or jailbroken. The signatures to look for are apps such as Cydia, which takes advantage of the freedom to download third-party applications to an iPhone, or Superuser, which establishes privileges on an Android phone.
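The signature check described above, as an added example that is not from the article or from any MDM product: it flags the two apps the article names and a SELinux mode other than enforcing. The report format, the package name and the file paths are assumptions chosen for illustration, and the sample reports are constructed.

```python
# Added example: signature-based root/jailbreak indicators for a compliance check.
# The report layout (dict with "packages", "paths", "selinux") is hypothetical.

# Assumed identifiers for the apps the article names (Superuser, Cydia).
ROOT_PACKAGES = {"com.noshufou.android.su": "Superuser app (Android)"}
ROOT_PATHS = {
    "/system/app/Superuser.apk": "Superuser APK on the system partition",
    "/system/xbin/su": "su binary",
    "/system/bin/su": "su binary",
    "/Applications/Cydia.app": "Cydia app bundle (iOS)",
}

def parse_packages(pm_output):
    """Parse `pm list packages` style output: one 'package:<name>' per line."""
    names = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.add(line[len("package:"):].lower())
    return names

def assess(report):
    """Return (verdict, findings) for one device report."""
    findings = []
    installed = parse_packages(report.get("packages", ""))
    for pkg, label in ROOT_PACKAGES.items():
        if pkg in installed:
            findings.append(f"package {pkg}: {label}")
    for path in report.get("paths", []):
        if path in ROOT_PATHS:
            findings.append(f"path {path}: {ROOT_PATHS[path]}")
    mode = report.get("selinux", "").strip().lower()  # `getenforce` output
    if mode and mode != "enforcing":
        findings.append(f"SELinux mode is {mode}, not enforcing")
    # A hit is strong evidence. No hit only means these signatures were absent:
    # root tools can be renamed or hidden, so this is never proof of a clean device.
    return ("non-compliant" if findings else "no-indicators-found"), findings

# Constructed sample reports, not real device data.
SAMPLES = {
    "android-rooted": {
        "packages": "package:com.android.email\npackage:com.noshufou.android.su\n",
        "paths": ["/system/xbin/su"],
        "selinux": "Permissive",
    },
    "android-stock": {"packages": "package:com.android.email\n", "selinux": "Enforcing"},
    "iphone-jailbroken": {"paths": ["/Applications/Cydia.app"]},
}
```
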

Daniel Brodie, senior researcher at Lacoon, adds that data is unencrypted once it is in memory and a crafted Trojan could bypass the container.

Choose your cloud

And don’t forget the hosting. Although backing up your corporate data in the cloud might be a good thing to do for all kinds of reasons, you need to make sure that the cloud you are using is secure. If data is covered under the Data Protection Act you are legally obliged to know where it is.

This has led to the advent of companies such as Secura Hosting, a government-approved G-Cloud supplier, which undertakes to keep data within the UK only.

So, has mobile malware suddenly gone from being talked about to actually happening? All those companies that sold solutions for which there was no problem now do have a problem to deal with.

That is why one security expert I spoke to was carrying a Motorola Razr. It might be old and limited but it was built before phones got smart. It is unhackable. ®
