Device attestation: Another option for securing BYOD, contractor, and partner mobile devices

This provides a middle-ground option for companies to determine the trustworthiness of users’ devices.

Many organizations use mobile device management (MDM) or mobile application management (MAM) to keep an eye on endpoints accessing company data. But what is a company to do if it still wants assurance about devices and apps it can't manage directly, such as contractors' devices and some BYOD scenarios?

This is where device attestation becomes a possibility.

What is device attestation?

Very simply, device attestation lets organizations discover how protected a user's device is before allowing it access to business apps (both in-house and third party). The goal is to provide at least a minimal check on the likely trustworthiness of a device.

This enables a couple of different use cases. One is organizations that work with many contract or gig workers, whose devices may carry other companies' apps or already be enrolled in another MDM, which makes management by any one company difficult or impossible. Another is the BYOD deployments mentioned above.

Vendors offer organizations an app, an agent, an SDK, or some combination. The SDK is useful for building the checks into in-house apps, so employees don't have to install additional apps on their devices. Which device properties each tool inspects differs, but they largely look for basics: whether a lock screen is enabled, whether the device is jailbroken or rooted, and whether the OS is up to date.

Duo Mobile App

I have device attestation on my mind because back at RSA 2019, I sat down with Wendy Nather, head of advisory CISOs for Duo Security. When I asked about BYOD use cases, she told me about their Duo Mobile app, which is used for multi-factor authentication and includes a Security Checkup feature that provides a cyber hygiene review.

On Android, it checks:

  • Is the OS up to date
  • Is the Duo Mobile app up to date
  • Is full disk encryption enabled
  • Is the screen lock enabled
  • Is the device not rooted
  • Is fingerprint enabled
  • Does it pass Google SafetyNet Attestation

On iOS:

  • Is the OS up to date
  • Is the Duo Mobile app up to date
  • Is the screen lock enabled
  • Is the device not jailbroken
  • Is biometric verification enabled

Primarily, the Duo Mobile app serves as your multi-factor authentication, integrating either with your identity provider (e.g., Azure AD or Okta) or with business apps directly. From there, the access decision is made according to authentication policies: pass device attestation and gain access to the apps, or fail the checkup and be denied until you fix what's missing.

When we were sharing notes on our RSA meetings, Jack commented that he likes how it wraps up two key security pieces together, handling MFA while also checking to ensure the device is likely secure; it is a textbook example of conditional access / zero trust.
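To make the "pass the checkup or be denied" decision concrete, here is an added example of a server-side policy evaluator, written for this article and not Duo's or any vendor's code. It assumes the agent or SDK delivers a posture report with the field names used below; those names, the minimum OS versions and the sample reports are constructed for illustration. It goes slightly beyond the text in two ways a practitioner usually needs: the OS-version check is computed on the server by numeric comparison rather than trusted as a client-reported boolean, and any check the agent fails to report counts as a failure (fail closed).

```python
"""Conditional-access decision from a mobile device posture report.

Added example, not Duo's or any vendor's code. The report field names, the
minimum OS versions and the sample reports are constructed for illustration;
a real agent or SDK defines its own report format.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Minimum OS version the policy accepts per platform (constructed values).
MIN_OS: Dict[str, Tuple[int, ...]] = {"android": (9,), "ios": (12, 2)}

# Boolean checks the agent must report, per platform, mirroring the
# Security Checkup lists above. The value is what counts as a pass.
REQUIRED: Dict[str, Dict[str, bool]] = {
    "android": {
        "app_up_to_date": True,
        "disk_encrypted": True,
        "screen_lock": True,
        "rooted": False,
        "fingerprint_enrolled": True,
        "safetynet_passed": True,   # verdict from the backend-verified JWS
    },
    "ios": {
        "app_up_to_date": True,
        "screen_lock": True,
        "jailbroken": False,
        "biometric_enrolled": True,
    },
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'12.1.4' -> (12, 1, 4). Tuples compare numerically, so '10' ranks
    above '9.0.1'; a plain string comparison would get that backwards."""
    return tuple(int(part) for part in version.strip().split("."))


def os_up_to_date(platform: str, version: str) -> bool:
    """Compare the reported OS version against the policy minimum.
    An unknown platform or an unparsable version fails closed."""
    try:
        return parse_version(version) >= MIN_OS[platform]
    except (KeyError, ValueError):
        return False


@dataclass
class Decision:
    allowed: bool
    failed: List[str] = field(default_factory=list)  # what the user must fix


def evaluate(report: Dict[str, object]) -> Decision:
    """Allow only when every required check passes. Anything the agent did
    not report counts as a failure: absence of evidence is not a pass."""
    platform = str(report.get("platform", "")).lower()
    required = REQUIRED.get(platform)
    if required is None:
        return Decision(False, [f"unsupported platform: {platform!r}"])

    failed: List[str] = []
    if not os_up_to_date(platform, str(report.get("os_version", ""))):
        failed.append("os_up_to_date")
    for key, expected in required.items():
        value = report.get(key)
        if not isinstance(value, bool):
            failed.append(f"{key} (not reported)")
        elif value != expected:
            failed.append(key)
    return Decision(allowed=not failed, failed=failed)


# Constructed sample reports: one compliant Android phone, and one rooted,
# out-of-date Android phone with no screen lock that omits the SafetyNet verdict.
COMPLIANT = {
    "platform": "android", "os_version": "10", "app_up_to_date": True,
    "disk_encrypted": True, "screen_lock": True, "rooted": False,
    "fingerprint_enrolled": True, "safetynet_passed": True,
}
NONCOMPLIANT = {
    "platform": "android", "os_version": "8.1", "app_up_to_date": True,
    "disk_encrypted": True, "screen_lock": False, "rooted": True,
    "fingerprint_enrolled": True,
}

if __name__ == "__main__":
    for name, rep in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        d = evaluate(rep)
        print(f"{name}: {'ALLOW' if d.allowed else 'DENY'} {d.failed}")
```

The returned `failed` list is what the user sees as remediation ("fix what's missing"); the identity provider or app gateway only needs `allowed`. Keeping the version comparison and the fail-closed handling on the server side matters because a client that can be rooted can also be made to report whatever it likes, so the server should compute what it can and distrust silence.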

Other options for mobile device attestation

Duo isn’t the only option for device attestation; other examples include the Lookout App Defense SDK, Zimperium’s zIAP in-app protection SDK, and Samsung Knox SDK. These mobile threat defense SDKs often have many of the same device inspection features offered by their parent MTD platforms.

Plus, a security-focused app developer could implement some of the simpler device attestation checks on their own. As mentioned above, any app can query the Android SafetyNet API, and Android Q, which is in beta as of this publication, lets apps query whether a device has a lock screen enabled.

For years, even before official APIs existed, developers have been finding workarounds to query various aspects of device security.
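Querying SafetyNet from the app is the easy half; the verdict only means something once the app's backend validates the result, since a rooted or tampered client can fabricate anything it reports about itself. The following is an added example of that backend step, written for this article and not code from Duo, Google or the article itself. SafetyNet returns a JWS whose payload carries the verdict; this block assumes the caller has already verified the JWS signature and its `x5c` certificate chain (leaf issued to `attest.android.com`) and handles what comes next: binding the payload to this request via the nonce, rejecting stale results, confirming the attested package, and reading `basicIntegrity` and `ctsProfileMatch`. The `SAMPLE_*` values are constructed, and the sample token carries a placeholder chain and signature purely so it decodes offline.

```python
"""Backend validation of a SafetyNet Attestation API result.

Added example, not code from the article, from Duo or from Google. Assumes the
JWS signature and x5c chain have already been verified by the caller; this
block binds the payload to the request and reads the verdict. SAMPLE_* values
are constructed, and make_sample_jws() builds an unsigned lookalike token with
placeholder chain and signature so the example runs offline.
"""
import base64
import json
import time
from typing import Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def payload_of(jws: str) -> Dict[str, object]:
    """Split the compact JWS and decode its payload. Refuses a token without
    a certificate chain, since there would be nothing for the caller to verify."""
    header_b64, payload_b64, _signature = jws.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if not header.get("x5c"):
        raise ValueError("JWS has no x5c chain; signature cannot be verified")
    return json.loads(_b64url_decode(payload_b64))


def check_attestation(jws: str, expected_nonce: bytes, package_name: str,
                      now_ms: Optional[int] = None,
                      max_age_ms: int = 120_000) -> List[str]:
    """Return the list of policy problems; an empty list means the device
    passed. Every check fails closed on a missing or malformed field."""
    p = payload_of(jws)
    now = int(time.time() * 1000) if now_ms is None else now_ms
    problems: List[str] = []

    # The nonce ties this result to one request; a mismatch means replay or
    # a result obtained for some other session. Payload nonce is standard base64.
    try:
        nonce_ok = base64.b64decode(str(p.get("nonce", ""))) == expected_nonce
    except ValueError:            # binascii.Error is a ValueError subclass
        nonce_ok = False
    if not nonce_ok:
        problems.append("nonce mismatch")

    ts = int(p.get("timestampMs", 0))
    if not (now - max_age_ms <= ts <= now + 5_000):   # small clock-skew allowance
        problems.append("stale attestation")
    if p.get("apkPackageName") != package_name:
        problems.append("attestation is for a different app")
    if p.get("basicIntegrity") is not True:
        problems.append("basicIntegrity failed (rooted, emulated or tampered)")
    if p.get("ctsProfileMatch") is not True:
        problems.append("ctsProfileMatch failed (uncertified device or ROM)")
    return problems


def make_sample_jws(payload: Dict[str, object]) -> str:
    """Build an unsigned lookalike token for offline demonstration only."""
    header = {"alg": "RS256", "x5c": ["<placeholder-leaf-cert-base64>"]}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"<placeholder-signature>"),
    ])


SAMPLE_NONCE = b"constructed-nonce-0001"
SAMPLE_TS = 1_556_000_000_000          # constructed timestamp in milliseconds
SAMPLE_JWS = make_sample_jws({
    "nonce": base64.b64encode(SAMPLE_NONCE).decode(),
    "timestampMs": SAMPLE_TS,
    "apkPackageName": "com.example.app",
    "apkCertificateDigestSha256": ["<placeholder>"],
    "ctsProfileMatch": True,
    "basicIntegrity": True,
})

if __name__ == "__main__":
    print(check_attestation(SAMPLE_JWS, SAMPLE_NONCE, "com.example.app",
                            now_ms=SAMPLE_TS + 30_000))
```

In production the nonce is generated server-side per session and handed to the app before it calls the SafetyNet API, and the `apkCertificateDigestSha256` value should also be pinned to your signing certificate; both keep a verdict obtained by some other app or session from being replayed against yours.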

Final thoughts

When I learned about Security Checkup, I thought it was an interesting feature that I’d be more willing to allow on my device if my employer wasn’t into letting me run around with access to data unsupervised. I’m not about to hand over control of a personal device; I’d rather just deal with two devices if MDM was my only other option.

Much of what device attestation tools look for is basic cyber hygiene that most people should practice anyway. Jailbreaking or rooting a device you use for business is inviting disaster, and not having a lock screen is like failing security 101 at this point. (The Verizon Mobile Security Index 2019 showed Wandera data that revealed up to 2% of all mobile devices in an organization don't have a lock screen enabled.)

Again, device attestation is one of many options for organizations trying to keep their data safer and take part, in a limited way, in the zero trust movement. It lets you extend a degree of trust to devices in your environment. Other options on the table for similar use cases include Android Work Profile, a freestanding mobile threat defense agent, or having two devices (one COBO, the other personal).
