Securing Android for the enterprise
by Patrick Oliver Graf - General Manager, NCP engineering - Tuesday, 3 January 2012.
The numbers speak for themselves - Android’s share of the worldwide smartphone market is 52.5 percent, more than double compared to a year ago, according to recent research from Gartner. Google’s operating system unmistakably leads the pack, followed by Nokia’s Symbian, Apple’s iOS and RIM’s BlackBerry.



With such rapid adoption, it’s no surprise that Android smartphones and tablet PCs are increasingly making their way into the enterprise. This is further amplified by the consumerization of IT trend, in which employees use their personal mobile devices for business. Companies often encourage this, since it lowers their IT costs and allows employees to use their preferred devices.

Integrated IPsec client lacking with Android

Android, however, brings some risk with it. For instance, one of the challenges enterprises face is securing communication between the mobile devices and the company network. VPNs are a tried-and-tested remote access technology designed to resolve this exact issue. Android’s VPN client, starting with version 1.6 (called “Donut”), is based on the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). It also supports L2TP with IPsec pre-shared keys and VPN connections via IPsec VPN, on the basis of certificates and an optional L2TP-"secret" mode.

And while many companies use IPsec for secure remote access to their networks, no integrated IPsec VPN client is available on Android - not even in the current version. Apple has already fixed this shortcoming in iOS, in part because it wanted to make the iPhone attractive for businesses. Since its third iteration, the iPhone has featured an integrated IPsec client that works with common VPN gateways.

Access to smartphone firmware necessary

The Android operating system doesn’t just lack an integrated IPsec VPN client; it also makes installing and configuring third-party VPN software quite complicated. IPsec VPN clients have to be integrated into the kernel of each device, and the client software has to be installed specifically for a memory area. This means that the firmware of each Android smartphone or tablet has to be modified accordingly.

IPsec VPN providers have to ask each vendor of Android systems, like HTC, Samsung or Sony Ericsson, for access to the system software of the devices. Considering how time-consuming and financially burdensome this process is, many vendors, justly, frown upon it. Vendors are particularly not fond of disclosing the details of their Android implementations to third parties.

Alternatives: PPTP and L2TP via IPsec

Until a “real” IPsec VPN client is available, Android users can use their devices’ integrated VPN clients based on PPTP or L2TP, which is deployed over IPsec. A “real” IPsec VPN connection, however, is more secure because it encrypts data prior to authentication.

NCP tested this on smartphones with Android 2.2 and found that with L2TP over IPsec, data is sometimes transmitted unencrypted due to the lack of implementation. The system interrupts transmission only after some time (about 180 seconds). In fact, we found that if the wrong pre-shared key is used, the IPsec VPN connection will not be configured properly. When L2TP is deployed over IPsec, certificates are used to carry out secure authentication. For this reason, the appropriate certificate has to be installed on the Android device. On top of this, a man-in-the-middle attack can lead to an L2TP transmission without encryption.
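A gateway-side check for the failure described above, as an added example that is not part of the original article or NCP's test setup: it classifies raw IPv4 packets captured on the outer interface and flags L2TP (UDP 1701) that appears outside an ESP envelope. The sample packets, addresses and function names are constructed for illustration.

```python
import socket
import struct

PROTO_UDP, PROTO_ESP = 17, 50
IKE_PORT, L2TP_PORT, NATT_PORT = 500, 1701, 4500

def classify(pkt: bytes) -> str:
    """Classify one raw IPv4 packet captured on the outer (untrusted) interface."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == PROTO_ESP:
        return "esp"
    frag_offset = struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF
    if pkt[9] != PROTO_UDP or frag_offset or len(pkt) < ihl + 8:
        return "other"  # non-UDP, or a later fragment with no UDP header
    ports = set(struct.unpack_from("!HH", pkt, ihl))
    payload = pkt[ihl + 8:]
    if NATT_PORT in ports:
        # RFC 3948: four zero bytes mark IKE; anything else is ESP-in-UDP
        if payload == b"\xff":
            return "other"  # NAT keepalive
        return "ike" if payload[:4] == b"\x00" * 4 else "esp"
    if IKE_PORT in ports:
        return "ike"
    if L2TP_PORT in ports:
        return "cleartext-l2tp"  # L2TP visible on the wire: not inside ESP
    return "other"

def cleartext_l2tp(packets):
    """Indexes of packets that carry L2TP outside an ESP envelope."""
    return [i for i, p in enumerate(packets) if classify(p) == "cleartext-l2tp"]

# --- constructed sample traffic (documentation addresses, checksums left zero) ---
def ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.1"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SAMPLE = [
    ipv4(PROTO_UDP, udp(500, 500, bytes(28))),                          # IKE negotiation
    ipv4(PROTO_ESP, b"\x00\x00\x10\x01" + bytes(36)),                   # ESP, SPI 0x1001
    ipv4(PROTO_UDP, udp(1701, 1701, b"\xc8\x02" + bytes(10))),          # L2TP in the clear
    ipv4(PROTO_UDP, udp(4500, 4500, b"\x00\x00\x10\x01" + bytes(36))),  # ESP over NAT-T
]

if __name__ == "__main__":
    print("cleartext L2TP at packet indexes:", cleartext_l2tp(SAMPLE))
```

The check only makes sense on a capture taken outside the tunnel endpoint; on that interface a correctly protected L2TP/IPsec session shows only IKE and ESP.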

The standard Android client, however, does not function with all VPN servers and gateways. Sometimes even accessing the same VPN fails if Android smartphones of certain vendors are used. Developer and support forums have plenty of threads written by frustrated Android users looking for professional solutions to access company networks.

COPYRIGHT 1998-2014 BY HELP NET SECURITY.