Recently I’ve been spending a lot of time talking to people about mobile threat detection—it’s getting a higher profile in the EMM space, largely because of increasing enterprise mobile maturity.
As part of the conversation around mobile threat detection (or for any EMM conversation), one of the informative things anyone can do is read Apple’s iOS Security Guide and Google’s Annual Android Security Year in Review, both of which were updated recently. Of course, Apple and Google being the way that they are, the focus of each report is a bit different.
Apple iOS Security
The Apple iOS Security Guide doesn’t discuss the rate of any types of security incidents or malware, rather it’s a close look at all the security mechanisms that are in place. This includes: device and OS integrity assurance; the update model; how Touch ID works; encryption; app security; services like Apple ID, iMessage/FaceTime, iCloud Keychain, and Apple Pay; privacy controls; and of special interest to the enterprise, device controls and MDM.
For actual incidents, we’ll have to look at the security content of iOS updates as well as third-party metrics, but in the meantime the Apple iOS Security Guide is still quite educational.
Google Android Security
Android, being the broad and diverse ecosystem that it is... well, let’s just say it’s the one that’s more likely to be associated with security concernts, so Google’s report takes a different approach.
It does a pretty deep dive into PHAs (potentially harmful applications) and MUwS (mobile unwanted software), revealing their definitions, methodology for finding them, the tools they use, the types they see, and the broader ecosystem trends. The headline statistic is this:
- “By Q4 2016, fewer than 0.71% of devices had Potentially Harmful Applications (PHAs) installed and for devices that exclusively download apps from Google Play, that number was even smaller at 0.05%.” (p. 4)
An important part of Android security is Verify Apps, which essentially acts as Google’s own anti-malware service. Available on any device that uses Google Play (which is probably almost all devices in the enterprise, save for some fringe BYOD devices or specialized embedded devices), it can prevent users from installing PHAs or prompt them to remove ones already on their device.
A triumph of 2016 was the spread of regular Android security patches. Both users and enterprises can easily look up a given device’s patch level, and there’s more good news:
- “In the United States, over 78% of active flagship Android devices on the four major mobile network operators reported a security patch level from the last three months.” (p. 31)
- “In Europe over 73% of active flagship Android devices on the major mobile network operators reported a security patch level from the last three months.” (p. 32)
The report doesn’t spend too much time on the Android OS security model—for that you’ll have to head to source.android.com/security. It does highlight the improvements in Android 7.0, which according to the developer dashboard, along with 7.1 accounts, for 4.9% of Android devices right now:
- There are improvements to how encryption is implemented, and encryption rates are around 80% in Android 7.x, versus around 20% for 6.0 and 10% for 5.1 and earlier (the report didn’t give exact values). (p. 24)
- Among all devices, 48.9% have some type of lock screen enabled. (p. 17)
There’s also a discussion of device rooting:
- “Google’s SafetyNet security service provides a feature called Attestation that can check for signs of rooting. [...] Worldwide 94.4% of all Android devices report passing the basic system integrity check, from which we conclude that these devices are not rooted. The remainder includes devices that were rooted by the user, sold as a rooted device, were unintentionally rooted by a PHA, or that do not match expected characteristics of an intact security model. Verify Apps tracks the ratio of all app installs to user-intended rooting. In 2016, user-intended rooting installs comprise 0.3461% of all installs, with fewer than 0.0001% of installs coming from Google Play. Apps that root devices without disclosure to and permission from the user are significantly more rare. In 2016, malicious rooting apps accounted for 0.00233% of all installs. Most devices are either rooted by the user or the manufacturer.” (p. 40)
Clearly, we can say that the conventional wisdom is true: Keeping your devices patched (which is actually possible for a lot more devices now) and sticking to the official app stores can go a long way.
As I mentioned, the mobile threat detection space (i.e. third-party security products other than mobile device management, mobile app management, and built in device security features) is going through some interesting changes right now. For a bit more on what this space is about, you can read this overview that I wrote for TechTarget’s Access Magazine. Keep an eye out for more throughout the next two months, and if you’ve installed it at your company or are considering it now, I’d love to chat informally (and of course confidentially—many customers still aren’t very public about their mobile threat detection experiences).