A sensible approach to mobile security is rooted in a clear identification of what needs protection. In general, CISOs want to protect access (i.e. who can login and get to company systems) and company data, both in transit and at rest. At the root of all protection strategies is strong encryption to protect data that is either input or consumed by the mobile user. Without strong encryption all mobile security strategies are nothing more than a game that hackers can play and win.
In the last month, two separate approaches to compromising encryption on Android and iOS broke in the news. The Android vulnerability, discovered as a result of a compromised Bitcoin transaction, is most directly relevant to encryption. In short, the Android operating system does not properly seed the PRNG (pseudo-random number generator) used by the built-in cryptography APIs.
Randomness is essential to ensure that (a) encryption keys cannot be guessed, and (b) an attacker cannot successfully guess the contents of intercepted, encrypted messages. In short, any app that relies on the vulnerable APIs for its essential encryption functions is flawed, including everything from Bitcoin to a vast array of enterprise-targeted apps developed by third-party and in-house developers.
On the iOS side, a group of researchers at Georgia Tech successfully submitted an app with malicious capabilities and intentions to the Apple App Store. What the researchers discovered is that the cornerstone of Apple’s approval process is a static analysis of the app code (i.e., the app is not actually run for very long to see what it does – instead, tools are used to analyze the code submitted by the developer).
How does malware in the app store implicate iOS encryption? Well, the link here is indirect – malware installed on a device can exploit an OS vulnerability to “jailbreak” the device. Once jailbroken the OS can no longer be trusted, and an untrustworthy OS should not be used for encryption nor should it be trusted to report on its own health and safety when a device management app tries to determine if it is jailbroken.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.