Archive for December, 2010

VPN Haus continues its conversation with Thomas Cannon, a security researcher who made news last month when he discovered a vulnerability on the Android OS that could make devices susceptible to data theft. After finding the threat, Cannon alerted Google, receiving a response from their security team in 20 minutes. In his blog, Cannon points out, “responsible disclosure would normally prevent me from publishing the advisory while there is a chance the users will get a fix in a reasonable timeframe. However, despite the speed at which Google has worked to develop a patch I don’t believe this can happen. The reason is that Android OS updates usually rely on OEMs and carriers to provide an update for their devices.”

VPN Haus: Do you think security concerns will keep the enterprise from embracing Android? Is there anything the enterprise can do to bolster the security of Android devices?

Thomas Cannon: I don’t believe openness will stop organizations from embracing Android; I see it as an advantage. I do think there is a real opportunity for a company to offer support and management of Android devices for organizations, and perhaps that will be a catalyst. In terms of bolstering security of an Android device, the weaknesses are fairly universal across mobile platforms, so the same kinds of solutions apply: applications that sandbox and encrypt corporate data, virtualization (you will soon be able to get VMware on Android), and keeping data in the cloud (web-based services or Citrix).

VPN Haus: Are there any other key security concerns surrounding the open platform model for mobile devices (as Windows is taking a similar approach)?

Cannon: Currently, I’m not finding other key security issues concerning an increased choice in hardware. I very much see these devices as consumer-grade equipment and they should be risk assessed as such. That risk may be an acceptable trade-off for increased productivity, lower costs, and keeping the end-user happy. If the risk is not acceptable, I don’t think the locked-in hardware and closed platform is the answer. I think you need to look at what the actual investment in security is by the vendor. On that note, buzzwords such as “hardware encryption” and “sandboxing” may get a tick on your checklist, but unless you verify it works with an expert security evaluation you may be trusting a sales pitch. On iOS, for example, we’ve seen successive exploits that allow an attacker to get around both encryption and sandboxing, allowing access to data stored on lost or stolen devices, and Android is no better in this regard.

VPN Haus: Very interesting. Thank you, Thomas.

For the first two parts of Cannon’s Q&A, click here.

What We’re Reading, Week of 12/20

Posted: December 23, 2010 in Highlights

Information Week, 10 Steps To Mobile Worker Support
PC World, Crack Your Own Passwords for Better Security
Wi-Fi Planet, 2010 in Wi-Fi: the Year in Review
ZDNet UK, What’s Changed Since 2001?

This week, we feature the final post in our series with Shahid Shah, an enterprise software analyst who specializes in healthcare IT with an emphasis on e-health, EMRs, data integration, and legacy modernization. He is also founder of the popular Healthcare IT Guy blog.

VPN Haus: When we last spoke, you said mobile phones will be just a small area of mobile health. What else can we expect?

Shahid Shah: There are going to be sensors as you walk into hospitals that will be placed on you, the way band-aids were placed on you. Those sensors are going to collect information, and that information is going to have to be shared somehow. So this data will have to be treated in a HIPAA-compliant way. So if you’re interested in healthcare IT in general, you typically hear about medical records, but really the big growth area is with the sensors, body area networks, wireless within hospitals, and the ability to tie in the patient’s home to make the patient’s home a tie-in to the doctor’s office or hospital.

VPN Haus: How would this data be protected?

Shah: I would like to see smart information architectures, like patient data management, that keep the patient’s clinical data fully segregated from the patient’s ID data. So if you’re looking at a patient’s demographics, that might sit in a database separate from clinical or HIPAA-protected information. So if somebody stole all the clinical data, it wouldn’t mean anything because they can’t identify the data.
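As an added illustration of the segregation Shah describes (example code written for this page, not from the interview or any product he references): identifying demographics live in one store, clinical and sensor observations in another, and the only link between them is a pseudonymous token that can be reversed solely by the identity store. The store classes, field names, the keyed-HMAC tokenization and the sample patient record are all constructed for the example.

```python
"""Toy two-store patient data architecture: identity data and clinical data
are kept apart and joined only by a pseudonymous token. Constructed example;
nothing here is a real system or real patient data."""
import hashlib
import hmac
import secrets


class IdentityStore:
    """Holds demographics and the ONLY mapping from token back to a person.

    Tokens are an HMAC of the medical record number under a key that never
    leaves this store, so someone holding clinical records alone cannot
    recompute or reverse them (assumed design choice for the example)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # stays inside the identity service
        self._people = {}                    # token -> demographics

    def token_for(self, mrn: str) -> str:
        return hmac.new(self._key, mrn.encode(), hashlib.sha256).hexdigest()

    def register(self, mrn: str, name: str, dob: str) -> str:
        token = self.token_for(mrn)
        self._people[token] = {"mrn": mrn, "name": name, "dob": dob}
        return token

    def reidentify(self, token: str) -> dict:
        """Authorized lookup: token -> demographics. Only this store can do it."""
        return self._people[token]


class ClinicalStore:
    """Holds observations keyed by token; refuses any identifying field so a
    breach of this store alone yields no directly identifiable data."""

    IDENTIFYING_FIELDS = {"mrn", "name", "dob", "ssn", "address"}

    def __init__(self):
        self._records = []

    def add(self, token: str, observation: dict) -> None:
        leaked = self.IDENTIFYING_FIELDS & set(observation)
        if leaked:
            raise ValueError(
                f"identifying fields not allowed in clinical store: {sorted(leaked)}")
        self._records.append({"token": token, **observation})

    def dump(self) -> list:
        """Everything an attacker would get from this store alone."""
        return list(self._records)


def build_demo():
    """Register one constructed patient and store one sensor reading."""
    ids = IdentityStore()
    clin = ClinicalStore()
    token = ids.register("MRN-0001", "Constructed Patient", "1970-01-01")
    clin.add(token, {"sensor": "wearable-ecg", "heart_rate": 72})
    return ids, clin, token


def clinical_dump_is_anonymous(clin: ClinicalStore) -> bool:
    """True when no clinical record carries a directly identifying field."""
    return all(not (ClinicalStore.IDENTIFYING_FIELDS & set(r)) for r in clin.dump())


if __name__ == "__main__":
    ids, clin, token = build_demo()
    print("stolen clinical data:", clin.dump())
    print("anonymous without identity store:", clinical_dump_is_anonymous(clin))
    print("authorized re-identification:", ids.reidentify(token)["name"])
```

The token is deterministic per patient within one identity store, so readings from repeated visits still link together for clinicians, while a second identity store with its own key produces unrelated tokens for the same record number. The `ClinicalStore.add` check is the enforcement point: it is what stops demographics from drifting into the clinical database over time and quietly undoing the segregation.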

VPN Haus: Thank you, Shahid.

For the first three parts of Shahid’s Q&A, click here.

Internet News, OpenBSD Backdoored by the FBI?
Computerworld, Look, It Makes Them FEEL More Secure, OK?
Network World, What You Should Know About Next Generation Firewalls
Enterprise Network Planet, IPv4 Space Continues to Dwindle

VPN Haus: Impressively, the Android Security Team responded within 20 minutes of your notifying them. But despite this quick response, you have concerns on how quickly users will get the patch since Android OS updates typically come through OEMs and carriers. Do you think there should be some kind of industry standard to expedite patches for mobile devices, as OEMs or carriers are typically involved?

Thomas Cannon: If we look at the desktop computing industry we can see an industry standard for patching just hasn’t happened, and I feel it is unlikely to happen on mobile devices either. What would be the incentive? It would require the public to care enough about security – to hold their carrier, manufacturer or OS provider accountable for timely fixes. We see usability, features, marketing, design and fashion win out over security in consumer devices. Being secure can be a unique selling point, one that RIM has used to dominate the business and government markets. As we see the push to introduce other mobile devices into the business by tech savvy staff, we are seeing companies like Apple respond by introducing enhanced security so that they become more acceptable to the business. When using security as a selling point, you don’t want to follow an industry standard; you want to be better than your competition.

VPN Haus: Do you think Android being an open platform can make developing a patch and maintaining the software a tricky business?

Cannon: I don’t agree that being open means developing a patch is tricky. Being open allows more people to understand the code and the patch. I don’t think being open is the cause of software maintainability issues either. That said, in the case of Android it has enabled OEMs and carriers to modify the OS, and if they don’t invest in maintaining their version of the OS then that causes maintainability issues. It is similar to Desktop Linux – some vendors maintain their distributions very well, others don’t. You can of course get an Android device that gets updates directly from Google, in the same way the iOS devices get updates directly from Apple.

Next week, we’ll conclude this conversation with Cannon, talking about Android’s future in the enterprise and key security concerns around open devices.