Jailbreaking BYOD Control. Is Apple ready for enterprise primetime?

Mobile World Congress 2012

Mobile World Congress 2012

Consumerization is happening now, but many IT departments simply aren’t prepared to deal with the new challenges and complexities it entails. With IT managers increasingly urged by CEOs to stop saying ‘no’ and start supporting consumer tools, they need to reappraise their traditional approach. Put simply, IT needs flexible standards – they can’t say no but neither can they say yes to everyone.

In the mobile space this becomes a minefield for IT admins. An upcoming Trend Micro study* into mobile consumerization trends finds that nearly half of companies have experienced a data breach as a result of an employee owned device accessing the corporate network. When the stakes are this high, IT needs to know which platforms to allow and which to refuse.

An upcoming independent study commissioned* by Trend Micro assessed the enterprise readiness of the major consumer platforms – iOS, Android, BlackBerry and Windows Phone – appraising them in over 40 categories. Unsurprisingly, BlackBerry came out top by far, but the truth is that it is the remaining consumer platforms where most challenges lie, and where most user requests will be focused. The research rated the platforms in order of most secure and manageable: 1) Apple iOS 2) Windows Phone 3) Android

Apple came top of the bunch, excelling in areas such as application security and support for corporate managed email, with the platform also offering ISVs a large range of APIs to provide device management capabilities. Windows Phone also fared well, considering it’s a relative newcomer, particularly impressing with its Active Sync support, device wipe and authentication functionality. Android was rated least secure, despite featuring capabilities including VPN support and mandated code signing for all installed applications, and there are signs that it will get better as it matures.

It’s fair to say that despite enterprise-grade security and management capabilities creeping into some of these platforms over time – Apple’s OS is in its fifth iteration for example – the target for all of these manufacturers is the consumer. The focus is on attributes like design, form factor and social networking support, not encryption, VPN, or MDM support. So is it fair to put Apple at the top and Android way down below? To understand why Android gets a bad rap, and why there is such a positive perception of Apple in enterprise IT circles, we need to look at the application ecosystems for both.

The argument goes thus: Apple has complete control over its ecosystem because it makes the hardware and the operating system and vets any third party applications incredibly rigorously. Google on the other hand only makes the OS, leaving OEMs to build the handsets and to craft their own particular versions of Android, and it has a very laissez-faire attitude to the apps in the Android Market. Apple has therefore seen no major security incidents within its tightly controlled ecosystem whereas new malicious Android apps are being found on an increasingly regular basis.

This doesn’t tell the whole story though. I’d argue that it is Apple, not Android, which is the more risky platform. Why? Simple economics. Cyber crime is a multi billion dollar industry, funded and resourced like legitimate business operations. The criminal gangs need to know that any investment in their own resources is going to provide a decent return, and the best way of guaranteeing that is by targeting the one large homogenous platform, just as they did with Windows in the 90s. In the mobile world, this means iOS.

Android’s strength is that it is so diverse. Although the OS may be winning the market share wars, the fact that it has multiple variants all slightly different from each other depending on the OEM, makes it much more difficult and cost-effective for the criminals to target all of them.

But there’s another reason why Apple’s iOS might not be as secure as is first appears. The very control which the firm applies so rigorously to its ecosystem could be its undoing. You’ve probably noticed, but users don’t take kindly to being told what to do. Apple has blocked content in the past, and it has forced users to pay additional charges to turn on Wi-Fi hotspot functionality. This kind of uncompromising philosophy has driven many to jailbreak their phone with a “my device, my rules” kind of attitude. And a jailbroken phone is not a secure phone: there have been real world cases of malware targeting jailbroken devices such as the first “iPhone worm Ikee”, the most recent “iPhone/Privacy.A” and many others. Think about it: If the device can be jailbroken, by definition it can be exploited – the jailbreaking procedure itself is de facto an exploit.

How many have done this we don’t know as Apple will not release the data. The firm would probably rather not think about how many users it is driving towards insecure mobile practices with its suffocating policy of control. What is clear is that Apple is not the panacea for secure, manageable consumer devices in the enterprise that many believe.

Note: the two new studies mentioned above are part of the Consumerization Toolkit released by Trend Micro at the Mobile World Congress 2012 in Barcelona, 27 February – 1 March. More at http://www.trendmicro.co.uk/newsroom/pr/trend-micro-gold-sponsor-at-mobile-world-congress-2012/

About Cesare Garlati
Co-Founder, Hex Five Security, Inc. - Chief Technologist prpl Foundation

3 Responses to Jailbreaking BYOD Control. Is Apple ready for enterprise primetime?

  1. Pingback: How Secure is Your Smartphone? Android, iOS, BlackBerry and Windows Phone Under Attack « BringYourOwnIT.com

  2. Joseph says:

    This is a BS article – SHOW US WHERE iOS has been LESS SECURE then ANDROID in the real WORLD! Even with Androids “many variations” it still is the easiest and most HACKED phone OS on the market. iOS is inherently more secure by design and the fact that there are few iOS varieties makes it VERY EASY to PATCH should there ever be a problem. The WIFI hotspot feature has been BUILT into iOS since iOS 3.33 and with 500,000+ apps there is something for everyone. Those who JailBreak their phone do so at their own risk, but I have yet to hear of any problems with this.

    Try getting every manufacture to cooperate and come out with a Patch that works to fix Android flaws. And BTW, many ANDROID users hack their phone to gain ROOT access, this is a lot more dangerous then a iOS jailbreak.

    • Hey Joseph, I appreciate your comment!

      Security of modern mobile platforms is a three-legged table. Hardware, OS and applications all need to be taken into consideration – the so called ecosystem – as security is only as strong as the weakest link. Jailbreaking an iOS device is like pulling away one of the three legs. The table may still stand, but its equilibrium becomes unstable. Jailbreaking per se doesn’t represent a security issue although it makes the all system much more vulnerable to poorly written code or plain malicious apps.

      And yes, there have been real world cases of malware targeting jailbroken devices such as the first “iPhone worm Ikee”, the most recent “iPhone/Privacy.A” and many others – see references below. Think about it: If the device can be jailbroken, by definition it can be exploited – the jailbreking procedure itself is de facto an exploit.

      As an end-user you may be willing to take on the risk. But as an IT professional trying to secure the influx of consumer technology in the enterprise, the risk is totally unacceptable. That is why most Mobile Device Management solutions in the market provide specific mechanisms to detect and quarantine Apple jailbroken devices.

      You may argue that the Android table lacks this third leg by default, as Google doesn’t exercise much control on apps and developers. However, this level of control is in fact delegated to the end-user through the Android permission model. The real problem with jailbroken devices is that none of these two alternative security models is in place. And this represents a very real problem for both the end user and the corporate network and data he/she may access for work related activities – so called BYOD or Bring Your Own Device.

      Thanks for stopping by.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: