VPN Haus continues its conversation with Thomas Cannon, a security researcher who made news last month when he discovered a vulnerability in the Android OS that could make devices susceptible to data theft. After finding the flaw, Cannon alerted Google and received a response from their security team within 20 minutes. In his blog, Cannon points out, “responsible disclosure would normally prevent me from publishing the advisory while there is a chance the users will get a fix in a reasonable timeframe. However, despite the speed at which Google has worked to develop a patch, I don’t believe this can happen. The reason is that Android OS updates usually rely on OEMs and carriers to provide an update for their devices.”
VPN Haus: Do you think security concerns will keep the enterprise from embracing Android? Is there anything the enterprise can do to bolster the security of Android devices?
Thomas Cannon: I don’t believe openness will stop organizations from embracing Android; I see it as an advantage. I do think there is a real opportunity for a company to offer support and management of Android devices for organizations, and perhaps that will be a catalyst. In terms of bolstering the security of an Android device, the weaknesses are fairly universal across mobile platforms, so the same kinds of solutions apply: applications that sandbox and encrypt corporate data, virtualization (you will soon be able to get VMware on Android), and keeping data in the cloud (web-based services or Citrix).
VPN Haus: Are there any other key security concerns surrounding the open platform model for mobile devices (as Windows is taking a similar approach)?
Cannon: Currently, I’m not finding other key security issues concerning an increased choice in hardware. I very much see these devices as consumer-grade equipment, and they should be risk-assessed as such. That risk may be an acceptable trade-off for increased productivity, lower costs, and keeping the end user happy. If the risk is not acceptable, I don’t think locked-in hardware and a closed platform are the answer. I think you need to look at what the actual investment in security is by the vendor. On that note, buzzwords such as “hardware encryption” and “sandboxing” may get a tick on your checklist, but unless you verify that it works with an expert security evaluation, you may be trusting a sales pitch. On iOS, for example, we’ve seen successive exploits that allow an attacker to get around both encryption and sandboxing, allowing access to data stored on lost or stolen devices, and Android is no better in this regard.
VPN Haus: Very interesting. Thank you, Thomas.
For the first two parts of Cannon’s Q&A, click here.