Euro Security Watch with Mathew J. Schwartz

Application Security, Bring Your Own Device (BYOD), Mobility

Android Stagefright: Exit Stage Left

Security Experts Defecting, Should Enterprises Reconsider?

In the wake of the Stagefright vulnerability being publicly announced, numerous information security experts say they plan to ditch their Android smartphones and tablets in favor of Apple iOS. Their rationale: When Apple issues an update, all currently supported devices can get it in minutes.

Those defections may intensify after Joshua Drake of Zimperium zLabs, the security researcher who discovered Stagefright, warned on July 30 that he believes the vulnerability - a maliciously crafted multimedia message can be used to seize control of a device - is now being actively exploited in the wild. He also warns that 50 percent of the 950 million devices that are likely at risk from the flaw can be compromised automatically - no user interaction required.

When the Android open source project, managed by Google, releases a security update or patch, it is then up to original equipment manufacturers to take that patch, add it to the build they have customized for each particular make and model of Android device they still support, test the build, and push it out to consumers. But many OEMs release patches slowly, if at all. And as a result, many of the nearly 1 billion Android devices that are currently vulnerable to Stagefright will remain that way indefinitely.

The number of security experts who are defecting from the Android ecosystem is tough to gauge, although there have been some high-profile exits, including Marcia Hofmann, an attorney who advises the Electronic Frontier Foundation, a civil rights group.

So, in the wake of Stagefright, is it time for enterprises to actively block unpatched Android devices from their networks? Per the bring-your-own-device trend, many organizations allow employees and contractors to plug their own smartphones, tablets and laptops into the corporate network. This so-called BYOD movement offers many organizations a win-lose scenario: they don't have to pay for the devices, but they also do not control the security of those devices.

To be fair, some organizations have gone the extra mile and require users to install sandboxing software - sometimes known as app sandboxes or containerization - on devices that they want to use to handle corporate data. Such containers can be managed by the corporate IT department - information tracked, remotely wiped, and all data encrypted by default, in case the device should be lost or stolen.

Will Google Reboot Android?

When Google first introduced its mobile operating system, it made a decision to grab market share as quickly as possible - and succeeded in a big way - by not emulating Apple's walled-garden approach. Instead, Google released Android as an open source operating system, allowing OEMs to take it and modify it to their heart's content.

But with so many Android devices now at risk from a severe security flaw, and no patches in sight for most users, something needs to change. In the U.S., overtures to the Federal Trade Commission - to allow consumers who have a subscription with a mobile phone carrier to cancel their phone contracts if their carrier doesn't patch the device in a timely manner - seem to have failed.

"Apparently the best supported method of updating your Android phone is to buy a new Android phone," says F-Secure chief research officer Mikko Hypponen via Twitter.

Right now, Google has "exactly the same problem Microsoft had in the early days," in that it depends on OEMs to pass updates on to customers' devices, says James Turner, an advisor at Intelligent Business Research Services, an Australian IT services firm, via Twitter. Of course, when Windows machines suffered slowdowns or were compromised by viruses, Microsoft often took the blame, even if it had already released the relevant updates.

The unresolved Android ecosystem patch problem raises this question: Might Google simply pull the plug on Android and start over by building a new version of the mobile operating system that emulates Microsoft Windows?

In the old days, Microsoft released Windows, and OEMs pre-installed it on the devices they sold. Then came the Internet. Since then, Microsoft has been refining the way it updates the Windows operating system on Windows devices. With Windows 10, notably, updates are pushed and installed by default on consumer devices. Crucially, Microsoft also chose to ditch Internet Explorer and replace it with a new browser, dubbed Edge, that can be updated whenever Microsoft wants, in the vein of Google Chrome.

These are all great moves, with massive security upsides for end users and enterprises. Apple too can update its OS in this manner.

Kudos: CyanogenMod, Blackphone

But users of Android, because of its open source approach, do not benefit from rapid upgrades and fixes, unless they use a crowdsourced version of the OS such as CyanogenMod, or a commercial, security-focused version of Android such as the one that runs on the Blackphone devices. As noted by security expert Chris Wysopal, CTO of application security firm Veracode, those were the only two versions of Android that quickly received a Stagefright patch. While Google also sells Nexus-branded devices that run a "clean" install of Android, those devices have yet to be patched.

In the wake of Stagefright, if Google wants its devices to remain in the enterprise, something about the Android ecosystem needs to change - and quickly.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.