Want to secure BYOC/BYOD? Just assume bad guys are recording everything.

At one of our TechTarget Desktop Virtualization 2013 seminars in San Francisco last week, an attendee asked me about whether it's possible to ensure that BYOD / BYOC devices haven't been rooted and/or compromised. The answer? You can't. In other words, if you want to do BYOC or BYOD, you have to assume that your users' devices have been rooted and that attackers have the ability to record videos of their screens and to capture all the keys that they type.

Then you have to be okay with that.

If you can design a security solution or application delivery environment around the assumption that everything on the end users' device has been compromised, then you're ready to go. Simple!

I know I sound pretty flip about this, but that's the reality of today. Sure, there are security solutions and products out there that claim to be able to detect rootkits and compromised devices, but the reality is that's a cat-and-mouse game, and as soon as security vendors update their detection capabilities, the attackers find ways around them.

And yeah, you could decide to use Intel vPro with trusted encrypted secure whatever, but then you're not talking about BYO—you're talking about corporate-issued devices used remotely. (Which is fine, but not what this article is about.)

Besides, none of this can prevent a camcorder pointed at the screen. (Or a small camera hidden in the ceiling, in the next cubicle, in the pencil holder, etc.) Geez, even the most secure Citrix XenApp remote application with NetScaler Gateway SSL-VPN with full endpoint analysis is susceptible to Camtasia and Snagit. Patient data, corporate emails, financial reports... it's all on YouTube now!

So the only way you can sleep at night is to flip that model on its head. Just go ahead and assume that every screen and every key press of every application is being recorded.

How do you do that? For starters we're talking about two-factor authentication. For everything. Then you probably want to follow that up with some kind of modern enterprise-specific file sync product (like Citrix ShareFile, WatchDox, etc.) which ensures that attackers can only get pictures of your data instead of the actual raw data itself. (With two-factor authentication of course.)

But beyond that, is there anything else you can do? Not really. (Though I'm curious to hear your thoughts?) Basically you do what you can and then don't worry about rooted devices. Done.


Pretty sure Citrix XenMobile has an option to check whether a device has been rooted or not?

(although even if it does, it's still only a partial fix to the issues you've outlined).


Wouldn't company-owned devices have those same security vulnerabilities?  If we are worried about key-loggers, screen shots, webcams, or pencil and paper then we would just shut down all mobility for our users.  

But that's not the real world.  It's no different than accepting the risk of driving your car.  There is a decent chance you'll die while driving that car but the reward is greater.  Many just ignore the risk.  Some take risk mitigation steps;  buckling their seat belts, driving a car with a high safety rating, performing maintenance, paying attention, etc.  Then there are the regulations that are there for safety improvement.  Speed limits, seat belt laws, automotive safety rules.  I guess that makes Cops the IT guys.  No wonder we both love and loathe them.. </jk>

I have seen two extremes here, and somewhat of a middle ground.  I have seen government agencies that not only refuse to support BYOD, they make you lock your device up outside the facility or will confiscate it for destruction.  Their rules are so draconian that they now have difficulty hiring the most qualified college grads.

I have seen a company that allows BYOD/C.  They put MDM on iPads and such.  They say they are looking for jailbreaking/rooting but they don't.  They don't offer any apps.  They let their people use the default mail app.  They don't have any VPN for mobile devices (other than laptops with a smart card reader).  They have no file sharing capacity at all.  Just a huge security breach waiting to happen.

Then I have seen something of a middle ground.  A company providing call center services for various customers.  Enabling BYOD but having to remain PCI compliant.  They require a 3rd party app to lock down the privately owned PC whenever their client is launched.  The end user only gets back control when they log off their corporate session.  They also have auditing functionality to ensure those PCs are locked down.  

I'm intentionally being generic to protect identities of the guilty and innocent (^_^)

I've seen the full landscape out there and at the end of the day all of this depends on people.  Devices, policies, software, and law enforcement will only get you so far.  You still have to train your people.  You still have to explain your policies to them.  You still have to deliver the services they need to do their job.  But just remember, at the end of the day, you can't stop stupid, crazy, or determined criminals, you can only hope to mitigate the damage.  


As for these various EMM products that offer "Jailbreak Detection," I would say the full feature is "We can detect some jailbreaks, but not all." The way those products work is they try to use a feature or API that the jailbreak allows but that the locked vendor OS does not, and if that call is successful, they have a jailbroken device. The problem is that jailbreaking is essentially "rooting" a device, so the jailbroken OS always runs below the EMM agent that's trying to detect it. That means that there are lots of apps in the jailbroken app store whose sole purpose is to lie to the EMM agent. They specifically detect what the agent's doing and make it look like the device is not jailbroken. So long story short, jailbreak detection isn't foolproof and doesn't guarantee a non-jailbroken device.

As for whether or not the corporate devices would be susceptible to the same rooting / jailbreaking, in general, yes. Though again if we're talking about laptops there are options with vPro, etc. that can prevent that, but only with certain models and certain software. (And who knows.. that's probably not foolproof either.)

So I also agree with Rick. People are a risk. Find a middle ground. Assume everything outside your control has been cracked, and you'll be fine. :)


As with any technology in this area, when designing the system there needs to be a balance of Productivity vs. Security/Risk as described by Rick.

With the more recent news regarding NSA and PRISM, etc. this simply brings it to the forefront that there will always be ways of subverting just about any form of security - it's really a case of how far do you have to go to ensure that generally the right people are accessing the right stuff?

Taking it one step further as to what is being recorded, it might be worth checking out this article in the New Scientist - "Matchstick-sized sensor can record your private chats" (www.newscientist.com/.../mg21929364.400-matchsticksized-sensor-can-record-your-private-chats.html)


I wonder how much most organizations really care about data security vs. just thinking about regulatory compliance and liability.


Well timed post. iOS 7 finally killed our ability to stop mobile screenshots (to an extent) - we still can do it through a browser though: www.watchdox.com/spotlight

Re: jailbreaking, Brian's take is spot on - at least on iOS, we can detect known techniques and have the app not open. Even if the device is jailbroken, we encrypt at the file level so the attacker would have to compromise the auth as well. Android is a totally different story.