by Rik Ferguson

Assessing the security of the devices entering the CIO’s domain

Dec 10, 2012 · 4 mins
Security Software

There appears to be room for a “big three” at the top of the smartphone tree at the moment. The operating systems that appear to have solidified their dominance, at least in the consumer marketplace, are Apple’s iOS and Google’s Android, leaving Microsoft and Research in Motion slugging it out for a place on the podium with Windows Phone and BlackBerry OS respectively. Naturally, one of the considerations that people are increasingly taking into account when selecting a mobile device is security. The top developers are aware of this and have been continuously adding security and management features with every iteration of their operating systems.
The last few months have seen no shortage of announcements in the smartphone space: Windows Phone 8, iOS 6 and Android 4.2 (aka Jelly Bean). Of course each new version comes with a raft of consumer-friendly features in the competition for your cash, but they equally come with security enhancements, which should not be ignored.
The release of iOS 6 has given the user much more granular control over privacy as it relates to installed apps. A user has full visibility of, and importantly individual control over, which apps have requested and are allowed access to Contacts, Calendars, Reminders, Photos, Bluetooth, Twitter and Facebook. This is something that in the past has been entirely impossible to manage. Another welcome addition was an option (although particularly well hidden) to minimise the amount of information your handset gives up to advertisers. The other big headline security change in iOS 6 was the introduction of Kernel Address Space Layout Randomisation; in brief, this feature makes the memory location of the OS kernel unpredictable, making exploits much more difficult. Other new features which may have an impact on privacy, such as shared photo streams and Passbook integration, were also introduced and at the same time integrated with the enterprise management capabilities of the device.
The other heavyweight, Android, has also seen a recent update to 4.2, particularly in the user-facing area. The biggest-ticket item is the introduction of real-time app scanning for all apps installed on the device, regardless of provenance. This represents an extension of the Bouncer functionality introduced in the Google Play store several months ago, but extends that baseline protection down to the device, where it can also be used to scan “non Google” supplied apps. Alongside this, the all-too-often ignored app permission screen has been given a makeover to make it clearer and easier to understand, hopefully enabling users to make more informed choices about what they install. The granular post-installation control of iOS 6 is still lacking, so this screen is particularly critical. In reaction to the premium-service-abusing Trojans that dominate Android malware, Android will now require user confirmation before an app is allowed to send an SMS to a known premium number, which is certainly no bad thing. Google also threw in a couple of real differentiating points: support for multiple user accounts and always-on VPN. Multiple user accounts become particularly relevant when considering the family use of tablet computing devices, as they allow enforcement of separation of user data, and the always-on VPN will be particularly appealing to the enterprise. The main problem for Android and for enterprise adopters remains fragmentation. The installed version of the operating system, and thus the available security features and manageability, still vary considerably by manufacturer, and there is little guarantee that an older device will ever be upgraded to support more modern versions of the operating system.
Windows Phone 8 is still in its infancy as regards individual or enterprise adoption, but it does offer a range of security technologies comparable to most other devices: encryption and a secure boot mechanism, enterprise app deployment mechanisms and a degree of feature lock-down control. While some of this is less fully featured than the existing BlackBerry OS and iOS, its depth of integration with already established Windows management tools and infrastructure will make it very attractive in the enterprise, as will the non-fragmented, walled-garden approach similar to Apple’s.
As for BlackBerry, only time will tell; we still await with bated breath the arrival of BlackBerry OS next year. The battle for BlackBerry this time around will not be waged in the security field; they already have a solid reputation there. If they cannot win the hearts and minds of individuals by building a consumer-focused device, then they will fail to hold on to that podium position.
The enterprise is no longer the supplier of smartphone devices for use in the workplace. Consumerisation as a phenomenon means that we are increasingly and irreversibly using our own choice of device in the workplace. It’s the individual, not the enterprise, who will call the shots for years to come.
