[Owasp-mobile] Services Can Help Identify Mobile Risks

Jeffrey Walton noloader at gmail.com
Tue Sep 18 19:32:08 UTC 2012

Nothing new here, but it does state some problems that many seem to
ignore (especially the throwback to the 1990s patching philosophy).


For companies worried about sensitive data leaving their network, lost
and stolen mobile devices and employees' use of mobile-friendly
services -- such as DropBox or iCloud -- should be top concerns.
However, companies need to also increasingly worry about any
vulnerable software running on workers' devices. Viewing mobile
devices as an easy way to get inside sensitive networks, criminals and
hackers have started focusing on compromising the systems, say security
experts. To date, most attacks have used a Trojan application, and in
many cases, a vulnerability in the operating system or a popular
application to expand limited application privileges to greater levels
of control.

The problem for information-technology and security managers is they
lack the same control over mobile devices that they have over
employees' workstations, says Marc Maiffret, chief technology officer
with security firm BeyondTrust.

"With mobile, what you are really shooting for is better visibility,
so that you can react and do things that you know are needed," he
says. "If your CFO or some other important figure in your business is
using a version of iOS that is a year out of date, that is something
that you want visibility into."

Patching on mobile devices, especially phones, is perhaps the biggest
problem facing mobile security today. A security fix for Android, for
example, has to be integrated into a firmware update by the device
manufacturer and checked out by the carrier to make sure it does not
cause any network problems. The two extra steps can add months to an
update. In many cases, providers fail to update even serious security

No wonder, then, that more than half of all Android devices have at
least one major privilege escalation vulnerability, says Jon
Oberheide, chief technology officer for mobile security firm Duo
Security. Over the last seven weeks, the company has run a service,
known as X-Ray, that can be installed on Android devices and will tell
users if any software is vulnerable. The application has been
installed on more than 26,000 devices encompassing some 1,146
different models and found that 59.8 percent of devices are

Determining whether a device is vulnerable is not as easy as listing
the version numbers for each software package, Oberheide says.

"One of the interesting artifacts that we discovered is that a lot of
devices that should be patched, are not," he says. "It is scary to
find out that you can't trust the version number if you are doing
mobile vulnerability assessment, you have to look and probe for the
presence of that vulnerability."

[Only about half of companies have any plans to merge their physical
and digital security departments, but the growing use of mobile
devices is making the integration easier. See Mobile Security,
Critical Infrastructure Issues Drive Physical, Logical Security

While privilege escalation was considered a less serious security
issue in the past, as devices have become more secure and the actions
a user can take more limited, escaping from those restrictions has
become even more important.

Because workers own their devices, IT managers will not have the same
control as they may have over a company's desktop infrastructure.
Instead, using a service to alert when a worker's device has
out-of-date software can at least give security and
information-technology managers more information about their risk,
says Maiffret of BeyondTrust, which offers mobile vulnerability
management services.

"Unlike traditional IT, where you can control what gets installed or
not, and you can yank things off," Maiffret says. "It's a little bit
more of a conversation these days for mobile users. You need the
visibility to know what's out there that may be bad, so you can map it
back to corporate policy and have that conversation."

Companies that want to patch vulnerabilities have few options -- the
best bet is to install currently-available, if basic, host protection
technologies and to educate workers on being careful with the
applications they install on their systems. Otherwise, just like
individual users, companies have to wait for carriers to patch the

It's a situation that cannot change soon enough, and has to change
eventually, says Duo Security's Oberheide. "Carriers don't want this
responsibility," he says. "They don't want to have to test a fix for
six months at a time just to push out a patch for a simple

Unfortunately, carriers and device manufacturers profit from their
current control of the software supply chain, so it's unlikely to
change soon, he added.
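The point Oberheide makes above, that a reported version number is not evidence that a fix is present, is easy to see in a small assessment model. The following is an added example and is not code from the article, from Duo Security's X-Ray, or from BeyondTrust; the issue identifiers, the "fixed in" versions and the device inventory are all constructed, and the on-device probe result is simply stored per device rather than actually executed. It compares what a version-string check concludes with what a presence probe concludes, and separates the two ways they disagree: devices the version check would wrongly mark as fixed, and devices it would wrongly mark as vulnerable (for instance because the vendor backported a fix without bumping the version).

```python
from dataclasses import dataclass, field

# Hypothetical issue identifiers mapped to the OS version that first shipped
# the fix. Constructed for this example; these are not real advisories.
FIXED_IN = {"ISSUE-A": (4, 0, 4), "ISSUE-B": (4, 1, 1)}


@dataclass
class Device:
    device_id: str
    model: str
    os_version: str                   # version string the device reports
    # issue id -> True if an on-device probe found the flaw present.
    # In this example the probe result is constructed, not measured.
    probe: dict = field(default_factory=dict)


def parse_version(text: str) -> tuple:
    """Turn '4.0.3' into (4, 0, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def version_says_vulnerable(device: Device, issue: str) -> bool:
    """The naive check: anything older than the fix version is 'vulnerable'."""
    return parse_version(device.os_version) < FIXED_IN[issue]


def assess(devices: list, issue: str) -> dict:
    """Compare the version-based verdict with the probe-based verdict."""
    result = {
        "vulnerable_by_version": [],   # what an inventory scan would report
        "vulnerable_by_probe": [],     # what a presence probe reports
        "missed_by_version": [],       # version says fixed, probe says present
        "overcounted_by_version": [],  # version says vulnerable, probe says absent
    }
    for dev in devices:
        by_version = version_says_vulnerable(dev, issue)
        by_probe = dev.probe.get(issue, False)
        if by_version:
            result["vulnerable_by_version"].append(dev.device_id)
        if by_probe:
            result["vulnerable_by_probe"].append(dev.device_id)
        if by_probe and not by_version:
            result["missed_by_version"].append(dev.device_id)
        if by_version and not by_probe:
            result["overcounted_by_version"].append(dev.device_id)
    return result


def prevalence_percent(devices: list, issue: str) -> float:
    """Share of devices where the probe found the issue, as a percentage."""
    if not devices:
        return 0.0
    hits = sum(1 for d in devices if d.probe.get(issue, False))
    return round(100.0 * hits / len(devices), 1)


# Constructed inventory: five devices, models and versions are made up.
INVENTORY = [
    Device("dev-01", "Model X", "4.0.3", {"ISSUE-A": True, "ISSUE-B": True}),
    Device("dev-02", "Model Y", "4.1.1", {"ISSUE-A": True}),   # new version, old flaw
    Device("dev-03", "Model Y", "4.1.1", {}),
    Device("dev-04", "Model Z", "4.0.4", {"ISSUE-B": True}),
    Device("dev-05", "Model W", "2.3.6", {}),                  # old version, fix backported
]


if __name__ == "__main__":
    for issue in FIXED_IN:
        report = assess(INVENTORY, issue)
        print(issue, report, f"{prevalence_percent(INVENTORY, issue)}% by probe")
```

The `missed_by_version` list is the one that matters for risk: those devices look patched in any report built from version strings, so a fleet-wide count based on versions understates exposure, while `overcounted_by_version` is noise that wastes follow-up effort. Both lists are empty only when the vendor's version string actually tracks the fix.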
