What Do ‘Quicksand’ and ‘Stagefright’ Mean for MDM?
We’ve just been bombarded with two major security flaws on the two most popular operating systems; Android and iOS. While neither of these breaches are detrimental to each OS as a whole, the lasting effect could be a huge problem if devices are not updated with the necessary patches to fix these problems.
Quicksand has been a hot topic over the past few weeks and was deemed especially problematic for the enterprise because it accessed information via the Managed App Configuration setting to configure and store private settings and information. Apple has since released a patch remedying the Quicksand security gap, but if your employee hasn’t updated their iOS device with the latest patch they are still vulnerable.
Android has run into a very similar problem with Stagefright. This vulnerability let hackers access your device by sending a text with a link in it; users didn’t even have to open the link to be hacked. Secunia has just realized a vulnerability update addressing Stagefright and its impact on the EMM and MDM market.
“While Google acted quickly and issued a patch for Android, Google has no control of its patch status on majority of the devices that run Android because those devices are produced and maintained by third-party vendors. Therefore it is up to the individual phone vendors to push security to the end-users. This has historically been a challenge and one of the primary reasons Android devices are considered far less secure by the security community than an operating system like Apple’s iOS – simply because Apple can issue patches and push updates directly to all devices running iOS; a much more controlled process than Android’s.
‘While there is no question that the Stagefright vulnerabilities were a nasty bunch, some good did come of the scare: As a direct consequence, both Google and some of the phone vendors behind Android devices have upped their focus on security updates: Google, Samsung, and LG have made a commitment to send out monthly security patches to users that will fix any upcoming issues in the operating system. And the entire Android vendor community is rallying to improve – Motorola, HTC, AT&T, Sony and others have addressed the matter and are, or will be, issuing security updates to their products more proactively this time than they have in the past.”
Like the report says, Android is run by many vendors and this is what made Stagefright so threatening. If one vendor isn’t in a hurry to make the patch available to customers, those devises could still be vulnerable and have no idea. While most vendors will comply with Google and make updates available right away, that might not always be the case.
What security gaps like Quicksand and Stagefright mean for MDM is that no matter how prepared and secure your corporate devices are, you are still vulnerable and at the mercy of an update from the OS or service provider. The best way to protect your data is to be vigilant about updates and make sure that your employees don’t delay updates.