How to Protect Android Endpoint Devices Despite Flaws

Nov 14, 2016 2:06:26 PM / by David Geer

Computer chips have vulnerabilities. Some 900 million Android devices, including tablets and smartphones, are vulnerable to attack because of four flaws in the code associated with their Qualcomm chipsets. If companies or users don’t or can’t apply patches, hackers could gain root-level control of the devices using a malicious app, without the app requiring any special privileges from the user.

Though Qualcomm has issued patches, these apply to versions of Android that phone vendors have not customized. For customized versions of the OS, there is a delay in patching as the makers or carriers must offer special patches that work for these devices. With respect to two of the vulnerabilities, which lie in a Qualcomm driver, carriers and distributors must create the patches themselves. They can only do this once they have the new driver packs that Qualcomm must generate by repairing the previous driver packs.

Regardless of how this security issue plays out, for every flaw that vendors patch, there are more waiting that hackers will exploit. The brand new Drammer proof-of-concept attack on mobile device DRAM chips, which also affects Android devices and permits root-level control, is a perfect example.

Given the continuing parade of vulnerabilities, how does an enterprise protect its data against mobile security holes that remain unpatched?

How to protect employee devices when patches are not available
While you could try to avoid affected devices for the foreseeable future, especially when you supply the devices yourself, BYOD means many employees are already invested in these devices and are unlikely to purchase new ones to address employer concerns over security and delayed patches. What you need is a layered approach that assumes the devices will remain unpatched and in service until the patches come through, and that new vulnerabilities will appear.

As BYOD protections evolve and new mobile security approaches come into view, virtual solutions such as containers combined with network access control, behavior-based detection, fine-grained security policies, and user education improve the odds that you can mitigate malicious mobile apps that could gain control of the user device.

While it is still possible for hackers to breach corporate data inside secure containers on smartphones, you can mitigate this risk by searching specifically for solutions with the best track record of defending against malicious mobile apps and hackers who have gained complete control of the device.

Network access control ensures that no device can connect to the corporate network until it passes inspection, which should include updating security software such as anti-virus and anti-malware programs and running scans.

Through behavior-based detection of malicious apps on Android devices, enterprises should be able to more quickly and easily detect these apps and stop attacks that establish root-level control of Android gadgets that connect to the organization’s network.

Fine-grained security policies should enable information technology to revoke a device’s privileges on the network altogether, when necessary, such as when a security event tied to the device occurs. Policies and enforcement should prevent employees from jailbreaking phones and connecting to the enterprise with phones that users have opened up in this way. This is especially important since jailbreaking can permit malicious apps onto the device in the first place.
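The network access control and fine-grained policy checks described above can be sketched as one admission decision. This is an added example, not code from the article or from any product; the field names, thresholds, decision labels and the required patch level are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy values (constructed for this example, not from the article).
REQUIRED_PATCH_LEVEL = date(2016, 11, 1)  # placeholder Android security patch level
MAX_SIGNATURE_AGE = timedelta(days=3)     # anti-malware definitions freshness
MAX_SCAN_AGE = timedelta(days=7)          # last completed device scan

@dataclass
class Posture:
    device_id: str
    patch_level: date      # security patch level reported by the device agent
    rooted: bool           # agent's root/jailbreak check result
    av_signatures: date    # date of the installed anti-malware signature set
    last_scan: date
    open_security_event: bool = False  # unresolved event tied to this device

def admit(p: Posture, today: date) -> tuple[str, list[str]]:
    """Return (decision, reasons): deny, quarantine, restricted or full."""
    reasons = []
    # Revoke network privileges altogether for events and opened-up phones.
    if p.open_security_event:
        reasons.append("open security event tied to device")
    if p.rooted:
        reasons.append("device is rooted or jailbroken")
    if reasons:
        return "deny", reasons
    # Remediable: hold the device until software is updated and a scan has run.
    if today - p.av_signatures > MAX_SIGNATURE_AGE:
        reasons.append("anti-malware signatures out of date")
    if today - p.last_scan > MAX_SCAN_AGE:
        reasons.append("no recent scan")
    if reasons:
        return "quarantine", reasons
    # Layered approach: an unpatched device stays in service, but only with
    # reduced access (for example, container-only) until its patch arrives.
    if p.patch_level < REQUIRED_PATCH_LEVEL:
        return "restricted", ["security patch level below required"]
    return "full", []

TODAY = date(2016, 11, 14)
# Constructed sample devices.
FLEET = [
    Posture("patched", date(2016, 11, 1), False, date(2016, 11, 13), date(2016, 11, 12)),
    Posture("unpatched", date(2016, 7, 1), False, date(2016, 11, 13), date(2016, 11, 12)),
    Posture("stale-av", date(2016, 11, 1), False, date(2016, 11, 1), date(2016, 11, 12)),
    Posture("rooted", date(2016, 11, 1), True, date(2016, 11, 13), date(2016, 11, 12)),
]

if __name__ == "__main__":
    for device in FLEET:
        print(device.device_id, *admit(device, TODAY))
```

An unpatched but otherwise healthy device gets a reduced level of access instead of a flat denial, which matches the assumption that such devices will stay in use until carrier or vendor patches arrive.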

User education should tie mobile device and network usage policies to the specific issues that breaking policy creates. Make a lasting impression on employees about what the issues cost the company. Complete the circle back to the user behavior that employees must avoid.



David Geer writes about security technologies for CSOonline.com and other publications. His website is www.davidgeer.com