IT managers turn to mobile device management to protect corporate assets, but MDM tools might not provide the protection that IT pros are counting on.
Mobile device management (MDM) software helps
For many in IT, the ability to secure smartphones and tablets is the primary reason for investing in MDM. IT administrators can centrally enforce security policies on all mobile devices supported by the software, controlling settings such as password restrictions, data encryption and feature selection. For example, IT can require that all corporate data be encrypted and cameras be disabled on users' mobile devices.
Another big plus for most MDM tools is their ability to remotely wipe devices. If a smartphone is lost or stolen, IT can immediately delete sensitive data from the device without physical access to it. In addition, some MDM tools have added mobile application management capabilities that separate corporate data from users' personal data -- a handy feature for bring your own device (BYOD) scenarios. With this technology, admins can wipe corporate data without touching the user's personal information.
MDM can also block unauthorized apps from being installed on a device and can detect if a device has been jailbroken or rooted. Jailbreaking an iOS device overrides the operating system's limitations on the types of applications, extensions and themes that can be installed on the system. Rooting an Android device permits privileged control over the Android subsystem. In both cases, the device can become seriously compromised and more vulnerable to malware. Some malware even relies on a device being jailbroken or rooted in order to inflict real damage.
Mobile device sandboxing
The core security features that most MDM software offers don't vary a great deal. The operating system running on a mobile device dictates which services the MDM tools can provide. For example, MDM software can offer remote wiping because built into an OS is the functionality necessary to allow the device to be wiped remotely. If the OS did not support this functionality, then the MDM software could not offer it as a service.
Many MDM tools require a client app on managed mobile devices. But because mobile apps run in sandboxes, they are separated from each other and from the device's OS. If one app needs to access another app, the user must explicitly permit that communication. Even with that permission, access from one app to another is limited. As a result, an MDM app cannot control other apps or the OS, regardless of potential security risks that might exist. MDM vendors can create secure containers to isolate, encrypt and protect data, but the vendor's control outside that container is limited by what the OS allows.
Additionally, MDM apps must rely on the mobile device OS to provide a safe environment to operate in. If a device is jailbroken or rooted but doesn't set off the MDM alarms, the MDM app and its data become as vulnerable as any other app or data on the device.
Why rooted devices don't always set off MDM alarms
At a Black Hat conference in Amsterdam, Lacoon Security Ltd. demonstrated how to jailbreak an iOS device and root an Android device without the resident MDM software detecting that there was a problem. Researchers were then able to access secure email on both devices and copy it to a remote location.
Though breaking into a device is no easy task, Lacoon demonstrated that vulnerabilities exist. Other security-related incidents highlight device vulnerabilities as well, such as the 2012 Exynos exploit that gave easy access to an Android device's RAM and made rooting the device easy. In fact, Lacoon used the Exynos exploit to root the Android device without the MDM app ever catching on.
All this leaves MDM vendors trying to perform a tricky balancing act. They rely on a device's sandboxed environment to isolate their own services, yet that same architecture prevents them from doing more to protect that environment or its apps. And if the underlying sandbox structure is compromised, the MDM tool can be compromised too, undermining its ability to secure the device and its data.
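The blind spot described in the two sections above can be made concrete. The following is an added illustration, not code from Lacoon or any MDM vendor: it models the kind of root checks an MDM client app can run from inside its sandbox, against constructed device snapshots, and shows that a root that leaves none of the conventional traces passes every check. The DeviceSnapshot fields, the su path list and the sample devices are all assumptions.

```python
"""Root-detection heuristics of the kind an MDM client runs from inside its
app sandbox. Added illustration with constructed data, not any vendor's code."""
from dataclasses import dataclass

# Paths where a conventional root install places the su binary (assumed list).
SU_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su", "/data/local/bin/su")


@dataclass(frozen=True)
class DeviceSnapshot:
    """What an unprivileged app can observe about the device (constructed)."""
    present_paths: frozenset   # files the app is able to stat
    build_tags: str            # ro.build.tags; stock firmware reports "release-keys"
    system_writable: bool      # /system mounted read-write
    su_responds: bool          # running `su -c id` yields uid 0 for this app
    actually_rooted: bool      # ground truth, known only to the tester


def root_indicators(dev: DeviceSnapshot) -> list:
    """Return the indicators the MDM check would raise for this device."""
    hits = [f"su binary at {p}" for p in SU_PATHS if p in dev.present_paths]
    if "test-keys" in dev.build_tags:
        hits.append(f"firmware signed with {dev.build_tags}")
    if dev.system_writable:
        hits.append("/system mounted read-write")
    if dev.su_responds:
        hits.append("su grants uid 0 to this app")
    return hits


def is_rooted(dev: DeviceSnapshot) -> bool:
    """The MDM alarm: it fires only when at least one indicator is visible."""
    return bool(root_indicators(dev))


def false_negatives(devices) -> list:
    """Rooted devices that pass the check: the gap the article describes."""
    return [d for d in devices if d.actually_rooted and not is_rooted(d)]


# Constructed sample devices.
STOCK = DeviceSnapshot(frozenset({"/system/bin/sh"}), "release-keys", False, False, False)
OBVIOUS_ROOT = DeviceSnapshot(frozenset({"/system/bin/sh", "/system/xbin/su"}),
                              "test-keys", True, True, True)
# Rooted via an exploit that leaves no conventional trace visible to a sandboxed
# app: every check passes, yet the device is compromised.
HIDDEN_ROOT = DeviceSnapshot(frozenset({"/system/bin/sh"}), "release-keys", False, False, True)

if __name__ == "__main__":
    for name, dev in (("stock", STOCK), ("obvious root", OBVIOUS_ROOT), ("hidden root", HIDDEN_ROOT)):
        print(f"{name}: alarm={is_rooted(dev)} indicators={root_indicators(dev)}")
```

The sandboxed app sees only what the OS and the root setup let it see, which is why a detector of this shape cannot be the sole control.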
MDM tools in the enterprise
One of the big lessons learned from trying to protect enterprise desktops is that no single tool can safeguard a computer completely. IT can install antivirus software on a desktop, but that software should not be the sole security layer. Rather, it should be part of a larger security strategy that encompasses the entire network and the people using it.
When planning security for mobile devices, consider the applications and data running on those devices and the infrastructure that supports them. For example, provide users with an alternative to Dropbox to control how files are stored and shared. IT could also implement an intrusion detection system or intrusion prevention system on the network to detect unauthorized access. Another option is to require that mobile devices use a virtual private network to connect to corporate resources. Regardless of the additional precautions an IT department takes, the security strategy should include an education component that explains how employees can safely use their devices and what their responsibilities are.
Ensuring the security of mobile devices is no small task. Even with MDM tools and a strong security strategy, users might succumb to targeted social engineering attacks. Not only are these on the rise, they're also becoming increasingly sophisticated. And the mobile nature of devices means they're more likely to be used on unsecured networks and to be lost or stolen. All IT can do is mitigate the threats to devices and the corporate network as well as it can.
This was first published in August 2013