Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Android security in the enterprise - can the worst flaws be fixed?

John E Dunn | Aug. 11, 2015
How do Android's growing list of vulnerabilities affect enterprises and is there much they can do about them?

Devices affected: Affected makers running Android devices up to version 5.1 Year: 2015 Fix: Not easy but will depend on each company updating handsets individually. There's also some doubt about how easy it will be to revoke access to an older version of the vulnerable flaw which implies that attackers could find a way back in even when an update is issued. Tools: Check Point offers a Certifi-gate scanner app which an admins can use to confirm the bad news.

'Stagefright' MMS flaw

The most sever flaw ever to affect Android, largely because of its universality and the ease with which it could be exploited by an attacker to take over a handset by sending a malicious MMS message. Google's Nexus devices should get the fix first straight from Google first although as of 7 August that hadn't happened on our test device. Otherwise, enterprises are at the mercy of the handset maker and network carrier in question unless they run a specialist device such as the secure Blackphone, which has already implemented it. This flaw will be a major test of how fast Android can be updated in the filed for a major issue.

Devices affected: All handsets up to version 5.1 Year: 2015 Fix: Wait for updates for device maker or Google. In the meantime, disable automatic MMS retrieval in the default messaging app if the carrier doesn't do it. Tools: Zimperium has released an app on Google Play to detect vulnerable smartphones called Stagefright Detector.

Android Installer hijacking

Allows attackers to hijack the install process and sneak a malicious application on to the target smartphone. A vulnerability that will still be very common on older Android smartphones although it only affects enterprises using third-party app stores which reduces the danger level.

Devices affected: up to version 4.3 Year: 2015 Fix: Buy a new smartphone or update to Android 4.3_r0.9 Tools: Palo Alto offers a tool on Google Play.

Android FakeID flaw

Slightly older but potentially serious flaw, again affecting older smartphones from version 2.1 to version 4.4. Provides a way for attackers to impersonate a trusted application without that being apparent to the user.

Devices affected: All Android versions up to 4.31 Year: 2014 Fix: Multiple handset makers and carriers released patches for this flaw by early August 2014. Tools: Bluebox Security and others released scanner apps.

Linux futex 'TowelRoot'

A vulnerability that started life with a CVE number but not long after was incorporated into a legitimate rooting tool - the first proof-of-concept exploit in effect, albeit one with a specific purpose. That tool gave the flaw its name, TowelRoot. Unusual in that it also affected Linux itself, and was given the CVE-2014-3153 identifier.

Devices affected: Android up to version 4.4 Year: 2014 Fix: Patched in Android 4.43 Tools: None needed to detect it but some mobile security products claim to block it


Previous Page  1  2 

Sign up for CIO Asia eNewsletters.