As with Apple’s iOS, there are hundreds of thousands of applications available for the Android platform. The Android operating system can be found on smartphones and tablets from a wide variety of handset vendors, including Motorola, Samsung, Dell, HTC, and more. In the second half of 2010, Android became the unit market share leader for smartphone operating systems in the United States.
Because the Android operating system is open source, attackers can study the source code of any given version for exploitable bugs. On the other hand, the same openness means that a large community of contributors is reviewing the code and fixing problems. The primary security concern on Android is the lack of policing of the Android marketplace, together with the availability of non-Google-sponsored marketplaces through which applications can be installed. Several well-known malware applications have already found their way onto Android devices, and more are expected. This strengthens the need for a comprehensive security story on Android devices.
RIM BlackBerry OS
Research In Motion’s (RIM’s) BlackBerry operating system has been wildly popular in the enterprise for a number of years. Until recently, with the newest wave of smartphones on the market, it has been the de facto standard for corporate data and application access from a mobile device. This OS became popular in the enterprise due to its native support for corporate e-mail, as well as the management and security functionality that is native to the operating system.
Key to the management and security features is the BlackBerry Enterprise Server (BES), which sits inside of the corporate network and provides authentication, security of data in transit, and security of the device itself. The built-in security does not cover everything, however, and a number of third-party security products on the market complete the BlackBerry end-to-end security story.
Many IT administrators, including some reading this book, wish they could return to the days where they needed to support only a single mobile device operating system (BlackBerry OS), which can be controlled by a single management platform (BES). Unfortunately, the “consumerization” of IT has led to the adoption of myriad other devices by corporate users, so the task of securing devices has become much more complicated (hence the need for books like this one).
Most BlackBerry phones on the market run RIM’s BlackBerry OS, though it is expected to be replaced by a new OS (currently known as the BlackBerry Tablet OS; see the following section). BlackBerry OS version 7 is expected to be this new operating system, rather than a continuation of the prior versions of the BlackBerry operating system.
RIM BlackBerry Tablet OS
BlackBerry Tablet OS is, as of early 2011, a new operating system from RIM that runs on the RIM PlayBook tablet. This operating system represents a major shift for RIM, as all of its devices until now have run some version of the BlackBerry operating system. The new OS is based on QNX, a Unix-like real-time operating system.
RIM has announced plans to transition all of its devices to this new operating system as of BlackBerry 7. Given the tremendous popularity of RIM devices in enterprise environments, it is likely that many mobile device security vendors will adapt their products to support this operating system as BlackBerry 7 devices begin to hit the market. While this operating system may not be a big concern for the corporate IT department in 2011, moving forward, it is something to plan to support.
Microsoft Windows Mobile and Windows Phone
Windows Mobile and Windows Phone are Microsoft’s mobile operating systems. Until version 6.5, Microsoft’s mobile device OS was known as Windows Mobile and was heavily focused toward the enterprise. Version 7 onward is known as Windows Phone, and at least initially, the operating system is built primarily for consumer use. In early 2011, Microsoft’s mobile operating systems continue to fall in market share, making them far less popular than several of the other operating systems described in this section.
Because Windows Mobile (6.5 and prior) was targeted toward the enterprise, it includes many built-in security features and provides the OS capabilities and APIs for third-party security developers to create applications that help secure these platforms. Over time, Microsoft will be phasing out Windows Mobile 6.5 in favor of the newer Windows Phone 7 operating system.
The continuation of the release numbering from 6.5 to 7 is misleading, because Windows Phone 7 is an entirely new operating system and is very different from Windows Mobile (6.5 and prior). A number of functions are currently missing from Windows Phone 7, including virtual private network (VPN) support and on-device encryption, which prevents it from being properly secured and connected to enterprise networks.
It is likely (though not confirmed) that over time, Microsoft will add some of these missing enterprise features. For the time being, however, it is important to note that Windows Phone 7 does not necessarily include features that your enterprise might be using on Windows Mobile 6.5, and that your existing security products might not support this newer operating system yet.
Nokia Symbian
Symbian is an open source operating system managed and maintained by Nokia (though it is licensed by the nonprofit Symbian Foundation). Symbian is primarily found on Nokia devices today, with prior licensees, such as Sony Ericsson, Samsung, and others transitioning to competitive platforms, such as Android. Even Nokia’s dedication to the platform is questionable, as it has begun to introduce new high-end smartphones based on the MeeGo operating system. Nonetheless, despite the onslaught of new competitors over the past few years, Symbian remains the global market share leader for smartphone sales and installed base.
Having been on the market for several years, there are a wide variety of security solutions available for Symbian. This is important because there have been several outbreaks of malicious code/applications on Symbian platforms over the past several years.
In 2011, Nokia made several high-profile announcements indicating that its new devices will transition from Symbian to Windows Phone as the primary smartphone operating system. As a result, the introduction of new Symbian devices into the market will be limited. Despite this news, Symbian remains a popular platform globally and must be a part of any global organization’s mobile device security strategy until the installed base of Symbian devices declines to insignificant levels as users move to newer devices.
HP Palm webOS
webOS is another Linux-based mobile operating system. After a long history of personal digital assistants (PDAs) running the Palm OS platform, Palm introduced webOS as its next-generation operating system in 2009. The Palm Pre and the Palm Pixi are the most well-known device families to run on the webOS operating system.
Despite great reviews, the webOS platform struggled to gain traction in the marketplace, especially against prominent competitors such as Apple’s iOS and Google’s Android. Hewlett Packard (HP) purchased Palm in 2010. HP webOS (as it is now known) is on version 2.0 as of early 2011, and HP’s long-range plans for this operating system are not yet known, though a device known as the Pre 2 is on the market in several areas of the world.
As with some of the other less popular platforms, few mobile security platforms support the webOS operating system, but it is not impossible to find them, as webOS has enjoyed some success in the market, albeit small.
MeeGo
Like many mobile device operating systems, MeeGo is Linux-based. In fact, MeeGo is an open source operating system and is part of the Linux Foundation. MeeGo is capable of running on a wide range of devices, leveraging a common platform foundation with user interfaces built specifically for different types of devices.
MeeGo was first announced in early 2010 and had yet to gain significant traction with device vendors or with end users when this book went to press, though Nokia is expected to launch one or more MeeGo devices soon.
Very few (if any) mobile device security platforms currently support MeeGo, so keep that in mind if you start to hear demands from end users to support this platform. It is likely that if it increases in popularity, security vendors will adapt their products to this platform.
Samsung bada
Yet another Linux-based platform, bada is developed by Samsung. Samsung’s aim is to use this operating system to replace the operating systems on both its smartphones and its feature phones, further blurring the line between the two types of devices. When this book was published, Samsung had shipped only a single bada device, the Samsung Wave smartphone.
The future of bada is unclear, as Samsung also ships a variety of devices running the very popular Google Android platform. It will be difficult to find security platforms on the market that cover the Samsung bada platform, but as with MeeGo, it is likely that if this platform takes off and becomes popular, vendors will respond with products designed for or adapted to the bada platform.
Discovering Data Connections
It is no longer uncommon for a mobile device to have the ability to connect to multiple types of data networks. At the same time, it is increasingly common for sensitive corporate data to be stored directly on these devices. That means that your security deployment needs to have the capability to protect devices accessing corporate data in both online and offline mode as follows:
An online device is one that is actively connected to a network. This can be any type of network capable of transmitting data either to or from the device. The most common data network interfaces are Wi-Fi and standard mobile data networks (3G and 4G/LTE), though there are other ways of transmitting and receiving data on a mobile device, as shown in Figure 1-3. These include Bluetooth; short message service (SMS); multimedia message service (MMS); and tethering or synchronizing a device to another device, such as a laptop. When a device is online, your security deployment needs to protect data and applications on the device, as well as provide protection for data as it transits the network.
Over the next few years, many mobile operators will be transitioning from their current 3G networks to faster, higher-capacity 4G/LTE networks. Technically, Long Term Evolution (LTE) networks do not qualify as 4G, or Fourth Generation, networks, but many carriers market their LTE networks as 4G. In either case, these networks are significantly faster than the 3G networks they are replacing, opening up a huge wave of additional smartphone capabilities and, more than likely, additional security concerns along with those capabilities.
When online, you must protect the device regardless of the type of data connectivity it has.
Figure 1-3: Modern smartphones have a wide range of data connectivity options.
An offline device is one that is not actively connected to any network. In this case, the potential attack vectors (methods by which a device can be accessed for malicious purposes) are limited because no data can move onto or off of the device over a network. Physical access is the exception: an attacker holding a lost or stolen device can still read its storage or removable media, so it remains important to protect data and applications on the device itself. Loss, theft, and dormant malware are all issues to be concerned about with a disconnected device.
The techniques and technologies described in this book are targeted toward building a complete mobile device security strategy, one that will allow your organization to protect the data, applications, and devices themselves regardless of the type of network (or lack thereof) the device is connected to.
Applications Galore: Exploring Mobile Device Applications
Other variables that will impact your mobile device security strategy are the applications and data running on these devices. We define four types of applications (e-mail and messaging, web-based, client/server, and standalone) for the mobile device use case. Each type of application comes with its own set of security concerns, such as the ability to control who gets access to the application (access policies), as well as the ability to restrict specifically what each individual user may access within each application (granular control), and all are addressed in this book.
E-mail and messaging
E-mail and messaging applications are among the most popular enterprise applications leveraged on mobile devices. The most common include e-mail send/receive, calendar, contact, and task synchronization. These applications are typically accessed via a Microsoft Exchange e-mail server (or similar).
Other messaging applications include chat or instant message, short message service (SMS), multimedia message service (MMS), and, potentially, video-conferencing applications.
The primary concern that enterprises have when enabling e-mail access from mobile devices is the loss or theft of the e-mail data. Enterprise e-mail can contain all types of sensitive information, from financial results to product designs. Sending that data to a mobile device that can easily be lost or stolen can be a scary proposition. We explore how to mitigate these concerns throughout this book.
Web-based applications
Every smartphone on the market today includes a web browser for viewing web pages and for leveraging web-based applications. In some cases, the application developer has optimized special versions of the application for mobile device access; in other cases, the web content is the same whether it is viewed on a smartphone or on a desktop PC. Regardless, these applications are unique in that they are accessed exclusively through a web browser, with no installed device application or other client-side component.
Despite the fact that web-based applications are hosted on a server in the network, there are still exposure and security concerns that you need to address, including the following:
Some data might be downloaded and stored on the device.
There is the possibility of man-in-the-middle or other types of attacks that can hijack or intercept the web application session and leverage that to steal data or to download malicious code to the mobile device.
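A practical check against the session-interception concern above is to look at how the web application hands its session cookie to the mobile browser. The following script is an added example, not code from the book: it parses raw HTTP response headers and flags a session cookie that is sent without the Secure attribute (so a man in the middle on an open Wi-Fi network can capture it over plain HTTP) or without HttpOnly (so script injected into the page can read it), and a response sent over HTTPS that carries no Strict-Transport-Security header. The two responses, the cookie name SESSIONID, and the list of recognised session-cookie names are constructed for illustration.

```python
"""Added example: flag weak session handling in HTTP response headers.

Not from the book. The sample responses below are constructed; the set of
session-cookie names is an assumption and should be adjusted to the
application you are assessing.
"""
from typing import List, Set, Tuple

# Constructed sample: a web app that sets its session cookie with no
# Secure/HttpOnly attributes and sends no HSTS header.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same app after hardening.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)

# Assumed names of cookies that carry the user's session (lowercase).
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid"}


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response into (name, value) pairs.

    Header names are lowercased; repeated headers such as several
    Set-Cookie lines are all kept, in order. The status line and body
    are dropped.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value: str) -> Tuple[str, Set[str]]:
    """Return the cookie name and the set of lowercase attribute names
    (Path, Secure, HttpOnly, SameSite, ...) from a Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def check_response(raw: str, over_https: bool = True) -> List[str]:
    """Return a list of findings for a response; an empty list means
    the session handling passes these checks."""
    findings = []
    headers = parse_headers(raw)

    # HSTS only makes sense on an HTTPS response; without it a browser
    # may later be coaxed onto plain HTTP for the same host.
    has_hsts = any(name == "strict-transport-security" for name, _ in headers)
    if over_https and not has_hsts:
        findings.append("missing Strict-Transport-Security header (no HSTS)")

    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if cookie.lower() not in SESSION_COOKIE_NAMES:
            continue
        if "secure" not in attrs:
            findings.append(
                f"session cookie {cookie} lacks Secure "
                "(would be sent over plain HTTP and can be intercepted)"
            )
        if "httponly" not in attrs:
            findings.append(
                f"session cookie {cookie} lacks HttpOnly "
                "(readable by script injected into the page)"
            )
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {check_response(resp) or ['ok']}")
```

Run it against captured responses from your own application (for example, headers saved from a proxy session) rather than the constructed samples; a response that produces no findings still needs the rest of the transport to be TLS end to end.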
Client/server applications
Client/server applications are traditional fat client applications, which require that the device has natively installed software to run the application. These installed applications communicate with application servers running inside the corporate network.
Until recently, there were very few client/server applications in use in a typical enterprise environment. Over the last few years, however, their use in the enterprise has really started to gain in popularity. As enterprises have embraced smartphones and tablets as productivity tools, and increasingly as primary devices, the need to allow users to access everything that they are able to access on their laptops and desktops has become prominent. As with other applications, these types of applications aren’t without their security issues, so when rolling these out, ensure that your security strategy can protect the data associated with these applications.
Standalone applications
Standalone applications are those that function on the device itself, with no server-side or backend component. There are many such applications. In the enterprise, the most common applications in this category are office or productivity applications. Many of these applications have a web-enabled component, but they are primarily used for viewing and editing spreadsheets, documents, PDFs, and presentations.
The issue is that these are the types of files that typically contain your most sensitive corporate data. The security techniques described in this book will help you to ensure that you are properly securing this data, both when it is stored on the device and when it is transmitted to or from the device.
Allowing Smartphones onto Your Network
This book shows you that you need to take many factors into account when planning your mobile device security deployment. Because the solution spans multiple types of technology, you need to properly plan every piece of the process and then carry out those plans in sequence.
In the following sections, we give you an introduction to the different components of a successful deployment. We discuss most of these topics in great detail throughout the various chapters of this book. Be sure to mark down areas that you and your organization might find difficult, and then find out more about those topics, either by referring to the appropriate chapters of this book or by doing your own organizational and self-directed research.
Educating yourself on the risks
Reading this book is a great start to educating yourself on the risks of allowing mobile devices on your network. Throughout this book, we go into detail about the types of risks facing mobile devices and provide insight into the ways that you can mitigate those risks in the real world. Chapter 14 provides a number of additional online resources you can consult to dig deeper in various areas. Additionally, the threat landscape changes often and quickly, so stay on top of the latest mobile security news.
Scoping your deployment
You may work in an organization where a large percentage of the employees need to access corporate data from their mobile devices. On the other hand, you might work in an organization where only a small portion of employees would benefit from the increased productivity that mobile device data and application access can provide. Regardless, limit access to only what’s necessary; after all, every additional person who has access to corporate data on a mobile device represents another potential avenue for data to be lost or stolen. Prior to rolling out a solution to your end users, determine who should have access and from what types of devices: corporate-owned or employee-owned, and any operating system or only certain operating systems. This helps you contain the size of your deployment and limit access to devices and users where you feel you have a good handle on risk.
Creating a mobile device security policy
Your mobile device security implementation is only one piece in a broader corporate security policy that governs the technologies that are implemented to ensure proper security in your organization’s network. This policy provides guidelines that you can follow when planning to allow mobile devices into your network; it also is a great reference for the implementation team as it evaluates vendor solutions and begins the deployment. Chapter 4 introduces the topic of mobile device security policies and includes an example from our ongoing AcmeGizmo case study. (See the next section for an introduction to this case study.)
Mobile Device Security For Dummies Page 4