
Corporate Security: Android vs iPhone

<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu May 05, 2011 4:05 pm

Corporate Security: Android vs iPhone

I need your opinions on Android vs iPhone in the enterprise. In my situation, we have to take Blackberry out, even though they still maintain the tightest control via BES. Don't ask questions, it is what it is.

It seems that iPhone does a better job vetting apps in the appstore, but I don't really have any solid proof. I know there was news in the last few months of a bunch of Android apps having security issues, but what is the real impact here?

I would love to hear what everyone thinks, put on all your hats here: security, admin, user.

Thanks,
C
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu May 05, 2011 4:12 pm

Re: Corporate Security: Android vs iPhone

Researchers have already stated that the iPhone is more secure. I say, create a mobile policy from work and refrain from introducing N amount more possible entry points where N is the amount of phone users.

http://articles.timesofindia.indiatimes ... le-devices
http://news.cnet.com/8301-27080_3-20009362-245.html
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu May 05, 2011 4:54 pm

Re: Corporate Security: Android vs iPhone

sil++

My only complaint with iPhones is that AppStore isn't perfect, either, based heavily on those who write their apps.  For instance, on my wife's iPhone, the latest Facebook app she pulled from updates clearly says, after installing, that it's an 'employee only' build.  It crashes her whole phone frequently, when she uses it, and uninstall / reinstall brings back the same 'busted' / 'employee only' build...  Facebook has yet to respond to me with a fix.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu May 05, 2011 5:06 pm

Re: Corporate Security: Android vs iPhone

I understand limiting exposure by only allowing folks with a business reason to have phones. That I totally agree with.

My problem with iPhone is that now there is another 3rd party app that you have to introduce to the environment (iTunes) and now you have to worry about patching another 3rd party product.

With Android you get some notification of what an app will do after you install it, however I know that no regular user is ever thwarted by that information.

So here we are again, back to the point where it's almost even in my mind. And at the point where you might earn some points with users giving them an option..... please tell me I'm crazy and please shoot me down. I want more of your opinions....
<<

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Fri May 06, 2011 8:38 am

Re: Corporate Security: Android vs iPhone

We're going through this too, which I'm sure is not at all uncommon.  Biggest problem we seem to have right now is having to link iTunes to a credit card since very few employees have company issued credit cards.

There was an announcement from RIM recently about a product that works with BES to administer/control iPhone and Android devices in the same way BES does with BlackBerry devices.  No release date yet though.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
<<

millwalll

Post Fri May 06, 2011 9:53 am

Re: Corporate Security: Android vs iPhone

When I was at InfoSec Europe a week or so ago they had a live demo of setting up an access point. They changed the name to BTOpenZone, which is a free wireless network in the UK, and sat back and watched how many people used this network. They also said, I don't know how true this is, but most iPhones will try to connect to a BTOpenZone by default.

I have an iPhone and I am happy with it but they do have their security problems like any device.

As long as there was a good protocol for employees to follow then I think they would be fine.

Like don't connect to free wireless or even better disable wifi and use 3gs.

Just my 2 pence
<<

AndyB67

Full Member

Posts: 100

Joined: Fri Jan 14, 2011 7:13 am

Location: UK

Post Fri May 06, 2011 2:42 pm

Re: Corporate Security: Android vs iPhone

Not having an iPhone myself (am an Android man) I'd ask what security/AV software is available for the iPhone?
I know a few of the mainstream AV houses have produced stuff for Android and the stuff on my phone has picked up one rogue app so far.
Net+ Sec+ More to come
<<

millwalll

Post Fri May 06, 2011 3:34 pm

Re: Corporate Security: Android vs iPhone

I have never seen any AV for the iPhone but according to Apple no Apple products would ever get a virus.
<<

R3B005t

Newbie

Posts: 43

Joined: Wed Mar 09, 2011 9:03 am

Location: NVA/D.C.

Post Sat May 07, 2011 2:09 pm

Re: Corporate Security: Android vs iPhone

Android, while a great device OS, is open sourced; the major issue here is that there is absolutely 0 quality control by Google over the Android Marketplace. This makes it extremely easy to introduce malicious software onto the device and potentially back into your environment. That reason alone was enough for me to make the Android a no go in my environment because why give your users an advanced device then deny them the ability to utilize it to its full potential by blocking the Marketplace (which is the only way I would allow Android in the enterprise).

In Nov. I was just awarded approval by our ISRB (information security review board) to introduce a fully functioning iPhone into the enterprise. By leveraging 3rd party software I am able to create an encrypted, isolated segment on the device that does nothing but interact with the enterprise, and it prevents external access from other applications on the device. By utilizing this method I'm able to give my users iPhones that are not restricted, with policy only applying to the enterprise "container". I can help you out with some of the logistics and some good points of discussion that essentially helped me convince the board that providing employees these powerful mobile devices while ensuring the integrity and security of our corporate data was viable; let me know.
<<

AndyB67

Full Member

Posts: 100

Joined: Fri Jan 14, 2011 7:13 am

Location: UK

Post Sat May 07, 2011 2:34 pm

Re: Corporate Security: Android vs iPhone

Jamie.R wrote: I have never seen any AV for the iPhone but according to Apple no Apple products would ever get a virus.

That's not the sort of thing they should be saying really as it throws down the gauntlet - Skype issue on the Mac
Net+ Sec+ More to come
<<

millwalll

Post Sat May 07, 2011 3:02 pm

Re: Corporate Security: Android vs iPhone

I know it's one of Apple's key selling points that no AV is needed, so they say!
<<

R3B005t

Newbie

Posts: 43

Joined: Wed Mar 09, 2011 9:03 am

Location: NVA/D.C.

Post Sat May 07, 2011 8:44 pm

Re: Corporate Security: Android vs iPhone

That's not true at all; in fact, if you search Apple's support site they strongly recommend antivirus software on their machines. Apple has never said AV was unnecessary.
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Sat May 07, 2011 9:00 pm

Re: Corporate Security: Android vs iPhone

@R3B005t

How are you handling the iTunes issue? With the iOS exploit that is now in Metasploit, we can now pull all that juicy info right from the device, as long as iTunes is installed on the box.
<<

millwalll

Post Sun May 08, 2011 10:51 am

Re: Corporate Security: Android vs iPhone

@R3B005t

I have heard many reps state that one of the key benefits of buying a Mac is you don't need to buy antivirus software as they don't get viruses.

I have just looked on Apple's website and it says they do not get PC viruses: "And you never have to worry about PC viruses". Of course you don't, as PC viruses are for PCs, but nowhere could I find them recommending me to buy antivirus. Even when I go to buy the item they offer me every other accessory with it (Office, printer, iWork, Final Cut etc.) but no sign of any antivirus.

I also found this
http://news.bbc.co.uk/1/hi/7760344.stm

Please don't get me wrong, I have an Apple machine and I love it. Apple products are amazing, they just don't seem to illustrate the fact that you can get a virus on a Mac. I would say there is a small chance of that happening at the moment but it's still possible.

My only point was that no matter what device you decide on they all have their own security problems. It's a case of finding the right device for the company and finding an acceptable level of risk for the company.

cd1zz, what exploit is that? I just fired up my Metasploit and I can only see a really old iTunes buffer overflow for 4.3. Is this on the free version of meta?
Last edited by millwalll on Sun May 08, 2011 11:32 am, edited 1 time in total.
<<

R3B005t

Newbie

Posts: 43

Joined: Wed Mar 09, 2011 9:03 am

Location: NVA/D.C.

Post Mon May 09, 2011 8:02 am

Re: Corporate Security: Android vs iPhone

cd1zz wrote: @R3B005t

How are you handling the iTunes issue? With the iOS exploit that is now in Metasploit, we can now pull all that juicy info right from the device, as long as iTunes is installed on the box.


Simple, we don't allow iTunes to be installed in the environment. As part of our user acceptance policy for the iPhones we state that:

1) All iOS updates must be applied within 7 days of release or we will disable access to enterprise mail. For those users unable to update their iPhones in a timely manner we disable it, update it for them and then re-enable email access.

2) The end user is responsible for backing up any content on their device; we recommend they install iTunes on a computer at home for this purpose since we A) don't allow iTunes on any of our machines and B) my users don't have rights to install software, they don't have any elevated privileges beyond the standard user account.

The product we are using for enterprise mail A) requires that any backup be encrypted by default and B) does not back up data contained in the app, only the application itself.