Wednesday 22 January 2014

Shoulder check! Is your mobile data safe?

The recent findings of an Android VPN vulnerability (http://cyber.bgu.ac.il/blog/vpn-related-vulnerability-discovered-android-device-disclosure-report) have had Samsung and Google scrambling to provide commentary on the legitimacy and level of threat posed by the vulnerability. Samsung has blamed Android and Google has said this is a known man-in-the-middle (MITM) attack. There are few details on the attack, but let’s take a closer look at the issue in general.

If an app uses a VPN, the app's communication is passed to the VPN client, which in turn encrypts the data between the device and the corporate network where the VPN is terminated. The attack is on the short stretch of unencrypted traffic from the app to the VPN client inside the mobile device. Apparently a regular downloaded app, presumably with some explicitly granted permission to access network communication – this part is not clear – can sniff or siphon this unencrypted traffic before it reaches the VPN client. This is not exactly a man-in-the-middle attack (more a man-looking-over-your-shoulder attack), but it has the same effect. Google is correct that this is a known attack against a VPN: VPNs generally assume that the device operating system is trusted.

So what are the possible solutions? First, the app could use SSL/TLS directly, which is what most browsers do. The malicious app can still grab the message, but it is already encrypted. HTTPS in a browser is not the same as a VPN, but it does prevent the attack.

Second, the app could use the newer per-app VPN technology, which a number of companies offer to address precisely this issue, including as a feature of Samsung KNOX. This encrypts the data using SSL/TLS (usually), as in the browser example above, so the malicious app can only grab encrypted data. However, per-app VPNs require the app to be modified – with either a wrapper or, in the case of KNOX, a “container”.
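The on-device hop described above, and the difference that app-level SSL/TLS (whether the app speaks it directly or through a per-app VPN) makes to it, as an added Go example that is not code from the post or from Secure Spaces: a tap records everything an app writes toward its local VPN hop, and the far end reports what it received. The loopback socket, the self-signed corp.example certificate and the sample secret are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)

// tap is the post's "man looking over your shoulder": it sits on the device between the app and the VPN client.
type tap struct {
	net.Conn
	seen bytes.Buffer // every byte the app hands over, copied before it is passed on
}
func (t *tap) Write(p []byte) (int, error) { t.seen.Write(p); return t.Conn.Write(p) }
// tlsConfigs builds a throwaway self-signed certificate for the in-process "corporate"
// endpoint (constructed for this demo) and returns matching client and server configs.
func tlsConfigs() (client, server *tls.Config) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"corp.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the app trusts exactly this endpoint rather than skipping verification
	return &tls.Config{RootCAs: pool, ServerName: "corp.example"}, &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}}
}
// leaksSecret sends secret over a loopback socket watched by the tap: appTLS=false hands plaintext
// to the VPN hop (the post's attack), appTLS=true has the app run its own TLS session first.
func leaksSecret(secret string, appTLS bool) (leaked bool, received string) {
	ln, _ := net.Listen("tcp", "127.0.0.1:0") // stands in for the VPN client's local endpoint
	raw, _ := net.Dial("tcp", ln.Addr().String())
	far, _ := ln.Accept()
	t := &tap{Conn: raw}
	var client, server net.Conn = t, far
	if appTLS {
		cc, sc := tlsConfigs()
		client, server = tls.Client(t, cc), tls.Server(far, sc)
	}
	got := make(chan string, 1)
	go func() { b, _ := io.ReadAll(server); got <- string(b) }() // far end of the tunnel
	io.WriteString(client, secret)
	client.Close()
	return bytes.Contains(t.seen.Bytes(), []byte(secret)), <-got
}
```

With plaintext the tap holds the secret verbatim; with app-level TLS the far end still receives it, but the tap holds only the handshake and ciphertext.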

Third, you could make sure the app is not present to do the sniffing in the first place.

MDM and EMM products alone cannot solve this issue. Mobile Application Management (MAM) can make sure that only specific apps are present, but MDM products are not security products; they are device policy management solutions that may or may not implement some security policy elements. Most solutions can limit apps in a work space, but not on the whole device, so the malicious software is still present. If the work apps are wrapped or containerized, then the apps must be modified and the choice of available apps plummets. Look at the low number of apps in the MDM app stores. Plus, there are additional steps needed for the deployment and maintenance of corporate or custom-developed apps.

Hypervisor or virtualization solutions do provide the necessary security isolation without the need to modify the apps. By using one virtual instance for personal apps and a separate instance for work, apps in the workspace can be controlled and any malicious apps excluded. Even if the malicious app exists on the device, the virtualization prevents it from grabbing the network traffic, and it blocks a wide range of other attacks as well.

Secure Spaces provides exactly the security provided by virtualization, but without the device integration and performance overhead of traditional type 1 and type 2 hypervisors. Secure Spaces is a light-weight, system-level virtualization that enables many new business opportunities beyond enterprise security, such as disposable secure spaces.

Secure Spaces enables the IT administrator to control which apps are in their employees' Work Space, including the VPN. No modification of apps is needed and choice is not limited. This is the simplest solution to these kinds of vulnerabilities.

Ask Google when they will support a simple MDM- and device-OEM-agnostic domain isolation solution. In the meantime, try out one of our custom Android images that have been modified only to include Secure Spaces. For more information visit www.securespaces.com or contact us at info@graphitesoftware.com.

Reprinted from: http://insights.wired.com/profiles/blogs/shoulder-check-is-your-mobile-data-safe?xg_source=msg_appr_blogpost
