Mobile fragmentation security challenges make mobile developers’ and security practitioners’ jobs more difficult. And Apple or Google are not likely to solve the problem, at least not anytime soon. Security leaders need to accept fragmentation as a reality not only now but for the foreseeable future as they work to manage their enterprise’s mobile risk. Enterprises need to make mobile security technology part of their strategy to defend against mobile threats and secure apps that leak personal and corporate data. The problems inherent in the vast number of different mobile devices in use, and whether those devices apply the most recent updates to their operating system (OS), are nothing new. Developers want to provide the latest-and-greatest functionality to the largest number of people possible. CISOs and their teams want employees to keep their devices up-to-date and patched against the latest vulnerabilities. Each group pieces together what they can from the shards but still fails to get what they need.
Mobile fragmentation security implications
OpenSignal reports that in 2015, users installed the OpenSignal app on 24,093 distinct Android devices (a 28 percent increase over 2014). The Verge reported that as of May 4, 2016, only 7.5 percent of Android phones run the latest available version of Android, version 6.0 Marshmallow. Google made yet another version of Android, codenamed Android N, available for developer preview in March 2016, and the company might announce the public release at its developers conference next week. But who really needs a new version of Android when a majority of Android devices run on an OS released more than two years ago? Don’t misunderstand: of course updates are good, especially when they include patches and security features. But the slow pace (and in some cases impossibility) of Android update adoption won’t go away. Some manufacturers and wireless carriers do still issue updates for some older versions of Android. But days, weeks, months, and years can pass between when a vulnerability is announced and when hardware manufacturers and wireless carriers push that update through to users of their devices (if they push them at all). For example, the original Stagefright vulnerability was announced in July 2015. Even as of May 2016, hundreds of millions of devices remain vulnerable to the Stagefright attack according to Joshua Drake, who originally discovered the vulnerability. Stagefright led Google to start releasing monthly security updates for their Nexus devices, and Samsung, for example, has issued monthly updates since October 2015. That’s well and good for owners of a Google Nexus device. But even if you use a Samsung device, it’s probably made for a specific wireless carrier, and that carrier likely adds yet another layer of development and testing before a fix can be issued. Each step away from the original Android Open Source Project contributes to fragmentation and adds more time to the exposure window.
Without timely mobile OS updates, users and the enterprises they work for are left holding the risk and vulnerable to the latest mobile threats. And make no mistake, the adoption of Apple updates also has its problems. While Apple is quick to tout an 84 percent adoption rate of iOS 9, we still need to look a little deeper. For one, there are more than 160 million devices in the wild that are not running iOS 9. In addition, each iOS release for Apple includes security updates, and the adoption rates of point releases (e.g., 9.1, 9.2, 9.3, etc.) might not paint so rosy a picture. Despite security improvements in Android and iOS, we don’t see adoption rates, or the speed of adoption, improving much for the foreseeable future. So security leaders can’t afford to count on the platforms to secure the dual-use devices proliferating across their corporate networks. CISOs need third-party mobile security solutions to pick up the slack.
Managing mobile risk requires security technology
To manage mobile risk, enterprises need to analyze threats across devices, the networks that connect those devices, and the apps residing on those devices. Such an approach corresponds with NowSecure’s SCAN principle for mobile security. SCAN stands for system, configuration, app, and network. Mobile security requires a holistic approach across four domains: system (e.g., a device’s mobile OS), configuration (e.g., device passcodes), installed apps, and network communications (e.g., WiFi connections). It all comes down to this: mobile security technologies are a crucial facet of an effective defense strategy against malware and apps that leak data about people and enterprises. An enterprise’s mobile security strategy can be enhanced by security updates to Android and iOS, but in the end companies also need effective third-party solutions to mitigate risk across devices, networks, and apps. If you’re struggling with exposure resulting from the complications of OS fragmentation, contact us today for more information about how NowSecure can help. Or, for more details and statistics about the current state of mobile security, read the 2016 NowSecure Mobile Security Report.