The Need for Network Security in the Face of Android Vulnerabilities

Tuesday, September 10, 2013

Patrick Oliver Graf


Android has received a lot of attention over the past year, and rightfully so. The operating system is, after all, the most widely used in the world. Yet, with each version and new feature that Google rolls out, the security of mobile devices with older Android releases falls farther down the priority ladder, and unfortunately for IT executives, this means their enterprises become more susceptible to potential attacks.

Recognizing this, the Department of Homeland Security (DHS) and the FBI have issued a warning to police and fire departments, as well as emergency medical service providers, that mobile devices with outdated Android versions pose a serious security risk to their organizations. ThreatPost reported that the warning came via an unclassified memo distributed to the aforementioned organizations back in July, though it was only recently made public. Citing unspecified industry statistics, the memo stated that 44 percent of Android users are currently running Gingerbread, which was originally released in 2011 and is now significantly less supported.

Improvements have been implemented in more recent versions of the operating system, but Gingerbread has had quite a few security vulnerabilities, such as premium-rate SMS Trojans, rootkits and fake Google Play domains that attackers use to trick users into installing malicious applications. The obvious concern here is that employees who have not updated their personal mobile devices are exposing critical networks and sensitive information to unnecessary risk. The FBI and DHS have urged their employees to regularly update their smartphones and tablets and to only download applications from the official Google Play store. But will those precautions be enough? What happens when someone attempts to access his/her corporate network on an unsecured mobile device?

The simple answer is: nothing good. As we recently discussed, putting faith in your employees is a nice gesture, and continuously educating them can be helpful, but these steps alone do not make the best security strategy. Rather, centralized VPN management of these devices is critical for government agencies—and enterprises more generally—that are seeking to protect themselves against data breaches. This can help IT executives keep security under control, while still providing employees with the flexibility they want in terms of mobile device and operating system.

With centralized VPN management, network administrators can oversee all aspects of—and even optimize—users’ connections, and ensure policy compliance and the latest security updates are in place. If an Android-based device is compromised, for example, a network administrator can revoke access to the corporate network immediately, to prevent sensitive data from being exposed. To complement centralized VPN management, a comprehensive secure remote access framework should be implemented, to provide a preventative layer of network and data protection against a wide range of threats. However, the framework itself must continually evolve to prevent new threats, as new mobile devices and operating systems are introduced to the market and are embraced by enterprises.

This post originally appeared on

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.
