There has always been a dual between Android and iOS users. Which is more user friendly? Faster? More storage? Longer battery life? And the list goes on and on.
But one thing users seem to forget about is which operating system is safer. There is an inherent risk with the use of any mobile device in the enterprise, Android presents a much bigger target for malware attacks and, in turn, corporate security issues.
There has been a massive growth of Android-powered devices in businesses over the past couple years, companies need a strategy to minimize any risk the platform may pose, according to industry firm J. Gold Associates.
"Because Android is basically open source, anyone can look at what's in Android. You can't do that with iOS," said Jack Gold, principal analyst with J. Gold Associates. "If you're LG, for example, and you put out a phone with modification to the OS, and you didn't do a good job with it, there's a potential vulnerability. And, in this day and age, someone will find it."
Even if a developer makes a small modification to an app running on Android, it can create a security hole, Gold said.
"Even if you modify the look and feel of a messaging app, you may not know you've added a vulnerability," he said. "That's the problem with open code, you never know until you've tested it."
Conversely, Apple's iOS is much more restrictive with what developers can do and Apple doesn't release its source code. That means, generally, that iPhones [and iPads] are harder to jailbreak than Android phones, Gold said, "because Apple puts all kinds of restrictions on them and they'll check you every now and then. And, if they find a phone is jailbroken, they'll shut you down. And, because Apple controls the hardware and the software, they have the ability to impose tighter security," Gold added.
Android and iOS now account for 94% of the mobile operating system market worldwide, according to Forrester Research's just-released "Mobile, Smartphone, And Tablet Forecast, 2017 to 2022." Android is the dominant platform for smartphones, capturing 73% of the market with more than 1.8 billion subscribers in 2016, according to Forrester. The battle between the two mobile platforms are present in Charles, Calvert, and St. Mary's Counties.
Android is expected to maintain the lead this year, according to Forrester, with 74% market share, followed by Apple with 21% and Windows Phone with just 4%.
"The truth is, when Android gets attacked, it tends to be more vulnerable because there are more devices out there and more people also hear about it," Gold said. "Android also has a problem in that the latest version of Android OS is generally a small portion of the base of devices in the marketplace. So, when upgrades are issued, not everyone gets them. Whereas, when Apple upgrades, everyone gets it."
Applications today are rarely coded from scratch, particularly when software is created outside a company's development and operations units. Developers typically go to online libraries for open-source components-chunks of code that act as building blocks- to assemble custom mobile apps. Not only can chunks of code be modified, but they can natively contain vulnerabilities.
According to Symantec's Internet Security Threat Report issued in April, overall threat detections on mobile devices doubled last year, resulting in 18.4 million mobile malware detections. Similar threats were seen in 2015, according to Symantec, with 5% of all devices being targeted for infection in each of the past two years.
According to Symantec, from 2014 through 2016 the level of iOS vulnerabilities remained fairly flat. And while new Android malware families dropped significantly, from 46 in 2014, to 18 in 2015, when the number of malicious apps increased by 152%.
Mobile malicious threats are grouped into "families," and "variants." Malware families are a collection of threats from the same or similar attack groups. In 2014, there were 277 malware families overall. That grew to 295 families in 2015 and 299 in 2016. So while the number of new families grew more slowly, the overall number of threats remained sizable.
The overall number of vulnerabilities doesn't tell the entire story, according to Gold.
"The number of malware variants that attempted to exploit these vulnerabilities is far more numerous," Gold said in a report he issued last year tilted, "Android in the Business Environment: Is It Safe?"
Variants are modifications hackers make to malware, and then they can number in the thousands, overall. For example, last year there were 59 variants of 18 new malware families, which translates into more than 1,000 new mobile malware variants, according to Symantec. Mobile malware variants per family increased by more than a quarter in 2016, slightly less than the 30% increase in 2015.
While rare, three zero-day vulnerabilities in iOS were exploited in targeted attacks to infect phones with Pegasus malware in 2016. Pegasus is a spy software that can take over an iPhone and access messages, calls, and emails.
The Pegasus malware can also gather information from apps, including Gmail, Facebook, Skype, and WhatsApp, according to Symantec.
The attack worked by sending a link to the victim through a text message. If the victim clicked on the link then the phone was jailbroken, Pegasus could be injected onto it and start spying.
The vulnerabilities that allowed the Pegasus attack to take place included one in the Safari Webkit that allowed an attacker to compromise the device if a user clicked on a link, and information leak in the OS kernel, and an issue where kernel memory corruption could lead to a jailbreak, Symantec said.
Just one mobile device infected with malware can cost an organization on average $9,485 according to a report issued last year by the Ponemon Institute. The potential financial consequences if a hacker compromises an employee's mobile device to steal their credentials and access sensitive and confidential company data can be larger; it costs an average of $21,042 to investigate, contain and remediate damage from such an attack.
Most attacks on mobile devices are related to hackers trying to steal confidential information, such as contact lists, trying to send text messages, or launching a denial of service attack. Mobile devices and computers are hacked frequently within the tri-county area. To date, ransomware attacks, where blackhat operators lock a device and require a "ransom" be paid to unlock it, have been far rarer, according to Gold. However, "I'd bet ransomware is coming to mobile devices in the near future. I can't imagine why it wouldn't."
"Think about what the average user has on their phone. If someone shut down your phone tomorrow, it would be a big problem," Gold said.
Among new malware attack vectors, Android continues to be the most targeted mobile platform, according to Symantec.
A noteworthy change in 2016: Android surpassed iOS in terms of the number of mobile vulnerabilities reported, a stark contrast with previous years, "when iOS far outstripped Android architecture and an ongoing interest by researchers in mobile platforms," the report noted.
"Following an explosive year in 2015," Symantec said, security improvements in Android's architecture "have made it increasingly difficult to infect mobile phones or to capitalize on successful infections."
William Stofega, IDC's program director for mobile phone research, agreed Google has made a concerted effort in recent years to take back control of its Android OS compared to its "wild west" early days. when anyone could change the source code.
For example, Google now manages its source code to ensure app developers and smartphone manufacturers must go through Android compatibility testing.
In addition, the upcoming release of Google's newest mobile OS, Android O, may not be as open as its predecessors.
"It's been implied that they're going to rebuild it and it won't be under public license, and they'll avoid disclosing source code," Stofega said. "It hasn't been implemented yet, but it would make it more difficult to break in."
Android smartphone and tablet manufactures such as Samsung have also upped their security. For example, Samsung's Knox, a free containerization security app, enables greater separation between enterprise and personal data by creating a virtual Android environment within mobile devices - complete with its own home screen - as well as its own launcher, apps and widgets.
Knox creates a container so that only authorized personnel can access content within it. All files and data, such as email, contacts, and browsers are encrypted within the container.
As more companies adopt a "mobile first" business strategy, the most common solution to avoiding malware is relatively simple: keep software on the devices regularly updated. Updating software to the latest platform helps address OS variants. Of course, while technically simple, all things are relative.
Companies that do issue mobile devices to employees should ensure that Android devices are enhanced for corporate use. Google is addressing the needs of many business Android users by offering an enterprise-class upgrade known as Android at Work. The Android at Work mobile devices offer segmented work spaces and profiles to keep corporate and personal apps separate.
They also require companies to first deploy a set of enforcement tools on a mobile device, either through mobile device management or a wider-encompassing enterprise mobility management tool set, according to Gold.
Some new mobile malware has been identified as having rootkit capabilities, or modified OSes that can be used to gain administrative access to corporate systems. So enterprises should also install root infection software on mobile devices, or better yet, purchase mobile hardware already configured with root detection software.
Device manufactures can also play a key role in making phones and tablets more secure. Some mobile vendors have been known to delay OS updates for months; that practice, according to Gold's report, should indicate to an enterprise that the vendor is an unacceptable hardware supplier.
Lastly, while adding security feature to mobile devices is recommended, it's not as useful as simply stick to good practices. Educating employees about best practices, such as not downloading apps they've not vetted or opening unexpected attachments in messages, is crucial.
Give us a call to learn more about how to manage a safe mobile device for yourself and your business.
