twitter facebook rss

CESG advice on securing Android in a BYOD environment

Posted by on June 10, 2014.

cesgCESG, the infosec arm of GCHQ, has released updates to its advice on the secure use of Blackberry, Android and Chrome, to cover the latest versions. The advice is aimed at public sector use of BYOD at OFFICIAL level – but it should be required reading for all businesses. It tries to square the circle as far as is possible: BYOD should not be allowed on security reasons, but it cannot be stopped and the security issues must therefore be mitigated as far as possible.

This is what the CESG advice attempts to do. Its value is in outlining just how severe and intractable those basic risks really are. So, using the Android advice as an example…

Android phone

An Android phone

One of the biggest problems is that BYOD devices are personal devices designed for personal use; but applied to business environments. From a business point of view, two basic decisions are urged:

All data should be routed over a secure enterprise VPN to ensure the confidentiality and integrity of the traffic, and to allow the devices and data on them to be protected by enterprise protective monitoring solutions. The VPN should be configured in always-on mode where possible.

Arbitrary third-party application installation by users is not permitted on the device. An enterprise application catalogue should be used to whitelist and distribute approved applications to devices.
End User Devices Security Guidance: Android 4.4

The difficulty is in enforcing these architectural proposals. “The VPN can be disabled by the user,” notes CESG. “The built-in VPN has not been independently assured to Foundation Grade, and no suitable assured third-party products exist.” As a result, there is a “potential for data leakage onto untrusted networks.”

CESG’s advice here is, “Use the native IPsec VPN client until a Foundation Grade VPN client for this platform becomes available.”

That ability for the user to override company policy lies at the heart of Android’s security weakness (but it is also, of course, what makes it attractive to the user). Company policy should not allow the installation of third-party apps, and there is indeed a growing practice for large companies to provide their own app store of approved apps. This is not realistic for the average SMB, and even if it were, CESG warns

Users can install unauthorised apps (e.g. from the Play store) which have not been approved by an administrator. A malicious or vulnerable application which was not detected during the store’s automated reviews could exfiltrate or leak sensitive data from the device.

There is some hope here, however, since some handset manufacturers have enhanced the operating system to allow supporting Mobile Device Management (MDM) systems to enforce whitelisting to prevent unauthorised app loads.

Another problem highlighted by CESG involves encryption.

Encryption keys protecting sensitive data remain in device memory when the device is locked. This means that if the device is attacked while powered on and locked, keys and data on the device may be compromised without the attacker knowing the password.

This doesn’t mean that encryption isn’t worth using, but just be aware of the limitations. “Use the device’s native data encryption. The data is protected when powered off, but it is not protected when the device is locked,” suggests CESG.

The entire document is required reading for all local authorities – but should also be read by all private industry. Companies that provide personal devices to employees are in a stronger position. Since it is they rather than the user that owns the device, they are in a better position to impose conditions – such as an MDM and app whitelisting. But even here there is a further word of advice:

The enterprise cannot control when the applications or OS software are updated. These updates rely on user interaction. Carriers are responsible for rolling out device updates in a timely manner. As the average duration to patch varies between manufacturers and carriers, care should be taken when choosing which platforms to deploy to ensure that the selected manufacturers and carriers have a good historic record of patching devices.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: News, News_encryption, News_privacy | Tags: , , , ,