Employees increasingly want to use their own devices – home computers, tablets, smartphones – to access corporate networks. Many employees have strong preferences for the technology platform they prefer, and in many cases they have no desire to be forced to use (and carry) a separate device for work-related tasks.
Companies, of course, have much less control over employees’ personally owned devices than they do over corporate devices. Employee devices are exposed to every piece of malware on the planet. As we pointed out in our article “For Data Security, Employees Are the Weakest Link” employee behavior creates many security vulnerabilities.
We see an example of the challenges posed by BYOD in a recent paper published by three Columbia University computer science students, “A Measurement Study of Google Play.”
The researchers, PhD students Nicolas Viennot, Edward Garcia, and Jason Nieh discovered several flaws in Android apps that severely compromise data security.
They created a tool called “Play Drone” that uses hacking techniques to crawl Google Play. They downloaded over a million apps and decompiled over 880,000 free apps. The authors found that
By simply analyzing Android application content, we show that malicious attackers can go beyond Android devices to compromise server resources without even having users execute vulnerable Android applications.
They discovered that Android apps contain thousands of leaked secret authentication keys; these keys can be used to access server resources such as Amazon Web Services and Facebook accounts.
On corporate-owned devices it’s possible to limit the vulnerability to poorly designed apps by only allowing the installation of approved apps. There are no such protections for employee owned devices, and with over a million Android apps to choose from no doubt many employees will download ones that include malware and security vulnerabilities such as the ones mentioned above.
Efforts to control employee behavior on their own devices are not likely to be effective. A better solution is PACid’s Bolt-on Strong Security (BoSS). With BoSS cybercriminals would need to have physical access to the employee’s phone and have the employee’s password to be able to access protected data. A smartphone’s biometric and user access codes would provide additional protection.
With the BoSS system, the secrets that are passed between the phone and the computer are used only once, and they expire after three minutes. Malware that intercepted the secret as it was being transmitted from the phone would therefore have a very short shelf-life. However, with our Level 4 solution, the PACid Bunker is an application-specific secure island that generates the m-bit result used in the encryption solution or authentication. With a Level 4 solution, malware would intercept an encrypted stream that would be of no use without the keys. Click here for more information on PACid’s five levels of security.