Context research raises questions about tablet security for BYOD

0

iPad, Samsung Galaxy Tab and BlackBerry PlayBook put under the security spotlight

October 8, 2012 – Context Information Security has identified security failings in three of the most popular tablets, raising concerns for organisations looking to introduce BYOD (Bring Your Own Device).  The Samsung Galaxy Tab was found to have serious weaknesses that make it difficult to recommend for use in the enterprise, according to Context.  And, while the iPad and Blackberry PlayBook performed better, both still have security problems including desktop software that does not encrypt backups by default. The BlackBerry was the only device found to have a workable solution to BYOD and provide good separation between personal and work data.

The full Context report “Tablets – A Hard Pill to Swallow” can be downloaded at: http://www.contextis.co.uk/research/white-papers/tablets/ .

Context found that while all three tablets have reasonably good support for Exchange ActiveSync, which means that the core security configurations can be managed from a central Exchange server, there are significant differences in security levels between the Galaxy tablet and the iPad and PlayBook. Context investigated a number of security controls to determine whether they were suitable for enterprise use. These included data protection, software integrity and updates, access control, security configuration profiles and connectivity, along with backup and synchronisation.

Despite its popularity as a consumer device, the iPad was shown to have robust data protection and damage limitation facilities. However, vulnerabilities still include the regularity of new jailbreak attacks and ineffective disk encryption, unless a strong passcode policy is applied. Although the iPad’s disk encryption scheme is well designed, the default behaviour for iTunes backups is to store the files in clear text; the same approach adopted for the BlackBerry. The Samsung Tablet does not ship with a locked bootloader and the disk encryption provides weaker support, which is more intrusive to use. Even when encryption is enabled on the Galaxy, it allows badly-written apps to store sensitive information on the unencrypted SD card.

A lack of enterprise-level management tools beyond ActiveSync also means that it is very difficult to manage more than a small number of Galaxy Tabs in an enterprise environment, a problem shared with the iPad using the Apple tools available. Context found that the Blackberry is far more advanced in its level of readiness for BYOD than either of the other two tablets. Its Balance architecture in combination with the Bridge application, provide excellent logical and data separation between work and personal modes.

Jonathan Roach, Principal Consultant at Context and author of the report, said, “It is difficult to ignore the growing presence of tablet computers in the home and workplace offering a blend of productivity, connectivity and physical freedom which has never been achieved before.

“The device format is perfect for social networking and creating and sharing documents, presentations and other content on-the-fly, but the same characteristics also present tough security challenges for organisations. Context’s research suggests that most tablet manufacturers still have a way to go before their products can deliver the high levels of security required for use in most corporate enterprises.”

About Context
Context was launched in 1998 and has a client base that includes some of the world’s most high profile blue chip companies, alongside government organisations. An exceptional level of technical expertise underpins all Context services, while a detailed and comprehensive approach helps clients to attain a deeper understanding of security vulnerabilities, threats or incidents. The company’s strong track record is based above all, on the technical skills, professionalism, independence and integrity of its consultants.

Many of the world’s most successful organisations turn to Context for technical assurance, incident response and investigation services. Context is also at the forefront of research and development in security technology.  As well as publishing white papers and blogs addressing current and emerging security threats and trends, Context consultants are frequently invited to present at open and closed industry events around the world. Context delivers a comprehensive portfolio of advanced technical services and with offices in the UK, Germany and Australia, is ideally placed to work with clients worldwide.

www.contextis.com.au

Share.

Comments are closed.