Page 18 - Mobile World Daily - Day 3
SECURITY | TRESYS TECHNOLOGY

Android Security: More Cooperation, Discipline Needed

Robert Stalick, Chief Executive Officer, Tresys Technology
The success of Android™ in the smartphone marketplace has clearly demonstrated that open source software is a viable foundation for Communications Service Providers (CSPs) and device manufacturers. Unfortunately, the dynamism and diversity that result from open source development models make such platforms inherently riskier to deploy into Enterprises.

CIOs and CISOs need to be able to quantify and manage risk. In their minds, Enterprise solutions should have reliable release cycles, strong customer and technical support, and a commitment to patching critical bugs in a timely manner. By their very nature, open source solutions have inherent disadvantages in these areas, though unfortunately, not all proprietary solutions effectively deliver on these goals either!

Linux is an instructive example of open source done well. By all measures, Linux has a strong share of the server market. Linux has an active developer community, with deep support in the technology industry and academia. Security is a primary focus for the Linux development community: vulnerabilities are rapidly fixed, and the fixes are accessible to administrators worldwide.

Recently identified vulnerabilities in Android underscore the contrast with Linux. Google confirmed in January that it will no longer develop fixes for the WebView component in versions of Android prior to 4.4, leaving OEMs and CSPs to fend for themselves. January 2015 statistics from the Google Play Store showed that 54% of Android devices using Google Play were on versions 4.2 and older. That means that Google will not be addressing those vulnerabilities for over half of the Android users in the world! And even if Google provides a patch for a vulnerability, the vast majority of individual users cannot apply that patch until their CSP either backports the patch to whichever Android version they are providing (and then rolls that out to the users) or eventually upgrades the user to a later Android version.

So, how should a CIO or CISO feel about this situation? Enterprises need to know that critical security fixes will be provided in a timely manner and that the devices their users depend on will be supported long enough to recoup their IT investment. Consider Enterprise rollouts in the desktop or laptop space: most Enterprises go three or more years before doing major upgrades or operating system refreshes, and they do a great deal of testing before performing a new rollout or applying a widespread patch. In the mobile space, those cycles have to be shortened tremendously. Mobile operating systems have been evolving much more quickly than traditional operating systems, while hardware often comes and goes in under a year. Enterprise mobile deployments will have many more hardware and software combinations to manage, dramatically increasing the number of possible security vulnerabilities.

For Android to be a viable option for Enterprise mobile deployments, the process for addressing the inevitable security vulnerabilities needs to be improved. If Google is going to continue to own the upstream Android distribution, they need to be much more proactive about addressing all security vulnerabilities for all widely fielded Android versions. If CSPs are going to continue to own the operating system and upgrade path for their customers, then they need to increase their ability to independently develop or integrate security-relevant patches. And Enterprises need to hold their mobile vendors accountable for supporting their products in the same way they hold their desktop and server vendors accountable.

Proprietary solutions based on the Android Open Source Project (AOSP), e.g., Samsung Knox, LG Gate, and Blackphone, are in an interesting position: while they claim security advantages, they necessarily have many of the same vulnerabilities as the underlying OS. In fact, many vulnerability researchers and attackers focus on these platforms precisely because it can be assumed that anyone buying them has something to protect. Samsung's partnership with Google to release portions of the Knox code as part of Android L (5.0, Lollipop) is a good step toward improving open source Android security. But there needs to be a consistent focus on security and cooperation among all of the Android stakeholders.

The history of server (and, to a lesser extent, desktop) operating systems shows us that closed, proprietary operating systems are excellent launching points for Enterprise solutions. However, the closed nature of those operating systems can lead to stagnation, while the open source community will continue to push features and fixes into the entire range of computing applications. The very nature of open source, with the diversity of perspectives that can be brought to bear on software, can even help address the security vulnerabilities in Android, if only there were an efficient way for these fixes to move into upstream or CSP versions of Android.

While the open source model is successful for the operating system itself, it appears to be less successful when it comes to security applications on the device or in the supporting infrastructure. If the products used to protect open source solutions are themselves closed, how confident can users be about the security vulnerabilities in those products?

Mobile solutions make enterprise applications available from anywhere via the Cloud. This means user authentication and data-in-transit protections are critical. These problems have been solved conceptually since the days of mainframes, but the recent SSL/TLS vulnerabilities remind us that poor implementations continue to plague the industry. Thus, independent analysis is ever more important: security architecture assessments that focus on defense in depth, vulnerability assessments, and red teams are definitely money well spent.

Effective security is a constant struggle against ever-evolving adversaries. Designing, developing, deploying, and managing systems that are less susceptible to exploitation requires discipline. Identifying and addressing vulnerabilities in a timely manner requires coordination and cooperation between the developer, vendor, and user base, including CSPs, OEMs, security application vendors, security consultants and independent experts, academia, and government. We encourage all stakeholders to work together to make effective mobile security as ubiquitous as the flexible functionality to which users have become accustomed.

Android is a trademark of Google Inc.
PAGE 18 Wednesday 4th March MOBILE WORLD CONGRESS DAILY 2015 | www.mobileworldcongress.com