HTC breach a reminder on mobile security
- 07 October, 2011 15:58
It's hardly the kind of thing any company wants attached to its name, but HTC's rapid acknowledgment of confessed "serious" security exploit, discovered and published this week by security researchers, may ultimately help deflect criticisms and will, regardless, serve as a valuable reminder to CSOs that mobile devices represent a new and still-evolving security threat within the enterprise.
That's the consensus after the bug was published by researchers Trevor Eckhart, Justin Case and Artem Russakovskii, who contacted HTC with news of the vulnerability they had discovered and waited five days without a response before pantsing the company in front of the security and mobile worlds.
The resulting admission involved the kind of PR contrition that no company wants to have to face, but the fast-growing Taiwanese mobile maker has subsequently rushed to patch its Sense user interface to prevent exploitation of the bug, which allows malicious apps to obtain information including user details, calling history, SMS logs, and more.
HTC Australia declined to speak about the bug, offering only its standard statement that
"in our ongoing investigation into this claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application….potentially acting in violation of civil and criminal laws….As always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources."
The fact that the bug was exposed before HTC had time to fix it left some security commentators incensed and more than a little concerned, but CSOs may find temporary consolation in the relatively low penetration of Android handsets in Australian businesses.
While IDC Australia's latest Mobile Device Tracker research suggested Android phones were our second most-popular smartphones with 30 percent market share behind the nearly 40% market share of Apple's iPhone, surveys indicate that the iPhone has a much larger presence within businesses.
A recent survey by Intermedia, whose ActiveSync hosted mail service supports a range of devices, suggested the iPhone accounted for 61% of smartphones in businesses and Android, just 17% (for the record, Apple's iPad outranked Android-based competitors by 99.8% to 0.1%. These figures aren't likely to be helped by the ongoing discovery of vulnerabilities in Android smartphones, which have suffered a flood of security breaches as a 400% year-on-year surge in the volume of Android malware keeps Google – and businesses in the field – on their toes.
Could the ongoing spate of vulnerabilities damage Android's credibility with enterprise security executives? Yee-Kuan Lau, market analyst with IDC Australia, isn't entirely convinced.
"It would be too precipitous to say Android-based smartphones are not appropriate for business usage as a result of this one incident," she explains.
"Every platform has inherent security risks and this will be no different for Android as for other mobile OSes. Organisations should be utilising a range of security solutions to ensure secure access to apps and data regardless of the kind of device that is chosen. The question of appropriateness for business comes down to the organisations' goals and ICT imperatives."
It could take a while for the industry to catch up, however. Although new solutions such as Symantec's Data Loss Prevention for Tablet are designed to let security staff restrict the flow of information from iPads, which have emerged as another of the significant mobile data holes, like USB memory sticks.
Symantec debuted its iPad version of the software this week, but it will be next year before an Android equivalent debuts; in the meantime, CSOs contemplating management of Android will have to rely on more conventional techniques such as careful patching, user education – and, of course, the regular crossing of fingers.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- Oracle Fusion Financials Cloud Service
- Secure by design - How to dramatically simplify data protection, access control and other critical security tasks
- All Flash and Databases - Storage Switzerland
- 5 Best practices to make security everyone’s business
- Avoiding Common Pitfalls of Evaluating and Implementing DCIM Solutions
Ruggedized scientific calculator perfect for extreme math
How to Switch From iPhone 5S to BlackBerry Z30 (and Why)
How to Switch From iPhone 5S to BlackBerry Z30 (and Why)
CIOs to Become In-House Brokers -- and That's a Good Thing
The future of computing
Is Your IT Infrastructure Keeping Up?
This helpful infographic demonstrates how, when IT is the backbone of modern business, a converged infrastructure system can solve the challenge of cost, complexity, availability, rapid provisioning and flexibility.
Smarter Data Centre Outsourcing: Considerations for CFOs
Deloitte explores the business and finance implications associated with managing data centres. This paper outlines the options available to structure an organisations data centre and complementary IT services and provides the key considerations that need to be reviewed when determining which option works best for them.
Case Study: ETEL Limited
Read how ETEL Limited, a pioneering design and manufacture business in New Zealand, managed to perfect their expansion into new markets by utilising an ERP system to support growth and provide “one source for truth” accessible to the entire organisation.