It only takes one employee using a jailbroken smartphone to wreak havoc with corporate cyber-security.
Jailbreaking - the modification of a smartphone to strip out manufacturer software security controls - opens a door to danger which organisations ignore or underestimate at their peril.
Jailbroken devices can sidestep sanctioned apps to run software from unauthorised sources containing who-knows-what malware; often this malware is bundled within “legitimate” looking applications, offered through third-party app stores that sidestep manufacturer or corporate review and approval processes. If a smartphone has been enabled to roam the cyber Wild West and then connects to the corporate network, the organisation is exposed to infection and hacking.
Employees tend to treat their phones as their personal domain, even if the device is corporate issue. While most people may have no interest in bypassing the manufacturer's restrictions, there is a whole ecosystem of support out there to help anyone who does - and it only takes one jailbreaker to give malicious software a way through the workplace cyber-perimeter.
This threat puts smartphone management on the C-Suite's agenda. Industry estimates suggest that jailbreak rates on the heavily locked down iPhone platform are between five to 10 percent of an active user-base of around 700 million units, and in Android, where enabling non-approved app loading is a simple toggle setting, piracy rates of 95 percent are regularly reported for popular apps, suggesting that a very high percentage of users are prepared to install non-vetted applications to their devices.
Security is not the only issue with jailbreaking, which can also shorten battery life, disrupt services, and prevent updates.
Common misconceptions with smartphone security
Organisations commonly make two mistakes about smartphone security. They put their faith in manufacturer controls, overlooking the fact that jailbreaking involves explicitly sidestepping these, and they underestimate how much damage can be caused by a smartphone breach. Today's smartphones are a richer source of personal and corporate data than yesterday's laptops.
All smartphones used for work, whether personally owned or corporate issue, must be closely managed to avoid the potential security vulnerabilities caused by installing unapproved programs.
Jailbreak tweaks make smartphones vulnerable and it is impossible to tell if an app downloaded from an unauthorised source has been injected with malware. An early version of SnapPea, a free utility for backing up Android phones to a Windows PC, contained no cryptographic authorisation and verification mechanisms; this enabled hackers to mimic it with a rogue app that installed malware on phones to extract personal data. Google has since closed the loophole the malware was using, but an estimated 150,000 to 200,000 accounts were compromised.
Some companies, specifically PayPal and Snapchat, have responded to the threat by designing their apps to crash if they detect they are running on a jailbroken phone, but they are in the minority.
Beating the jailbreakers
While an employee might view a few smartphone tweaks as a “get out of jail free” card, the resulting escape from manufacturer safeguards can come at heavy cost to an organisation.
In fact, the potential security threat posed by compromised smartphones is greater than the cyber-security risk of using a PC. The good news – and the compelling business case for senior management – is that protection is relatively cheap and straightforward because smartphones and their operating systems are designed to be secure when configured properly.
The best smartphone advice for businesses is to:
- include mobile phones in the organisation's “bring your own device” (BYOD) policy
- make sure the IT management policy covers corporate phones as well as other devices
- prevent phones connecting directly with the corporate network using Wi-Fi
- put IT – not telecoms – in charge of phone policy and deployment.
Contributed by David Cohen, principal consultant, Mason Advisory
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.