So many Android devices… so little security

Caleb Barlow, IBM

15-September-2015

Open systems help both good guys and bad.

It’s no secret that Android phones are the mobile devices most exposed to vulnerabilities.

It’s common for vulnerabilities in both the Android platform itself and third-party Android Software Development Kits (SDKs) to be exploited by criminal hackers. A malicious app that supposedly holds no privileges can use such a flaw to gain unauthorized access to information and to other parts of the device.

A recent Ponemon and IBM study found that while organizations spent about $34 million annually on mobile app development, only 5.5% of that goes toward app security. And 50% of surveyed companies devote nothing toward securing the apps they develop.

“The first thing to recognize is we have to be fair when comparing the platforms,” said Caleb Barlow, Vice President of IBM Security. “On one hand, Android gets a lot of bugs in play. Good guys like us can find problems, tell Google, and then get published. On the other hand, because it’s an open platform, bad guys can do that too.”

Barlow compares it to Linux, which he regards as secure because it’s open. Apple is closed, so neither good nor bad guys know everything that’s going on, but Apple can jump on a problem and remediate devices in real time.

The challenge with vulnerabilities is that Android is heterogeneous, modified by carriers, device manufacturers, and developers. A critical patch has to go through several layers before it reaches a handset.

The one advantage of the Android model is that a serious issue is likely to affect only a portion of the population.

“It wasn’t very long ago that when you got an Android phone its OS didn’t change during its lifetime,” Barlow said. “It’s very encouraging to see that has changed.”

The other thing to examine is how the devices are being designed and built. 

“We’re starting to see the movement away from containerization of applications, where various vendors – including IBM – provide recompiling with encryption, so only enterprise apps can talk to enterprise apps. We’re seeing manufacturers do that at the OS level, so there’s less need for that.”

It’s now possible to provide a high level of encryption with minimal impact on performance and battery life. That’s because encryption is moving onto dedicated processors in the device, that is, into hardware.

“If you look at the specific vulnerability we found on Android, had Stagefright not occurred two weeks before this, it would have been a big deal, because of the number of affected devices,” said Barlow. “Instead it became one in a series of vulnerabilities that were ethically disclosed and updated.”

Q: What did we learn?
A: There are vulnerabilities in Android and all code.

“We need to have ways to make sure that when critical vulnerabilities are found, there’s a way to update those over the wire.”

In Part 2, we’ll discuss vulnerabilities in other devices.