Deploying WhatsApp in a BYOD environment
Several people have reached out to me regarding the recent blog I wrote about how Jeff Bezos’ iPhone was hacked and how it could have been prevented. The solution assumes that the mobile device is company-owned and more stringent policies can be enforced like banning all versions of WhatsApp and blocking the entire app bundle completely. Some of the feedback has been, “WhatsApp is the most popular and downloaded messaging app around the world, how do you protect mobile devices from malicious threats if there is a personally enabled component like a BYOD policy?”
To answer the question, BYOD deployments assume that there are two personas that co-exist on the managed mobile device. The function of unified endpoint management (UEM) - and mobile threat defense (MTD) - is to protect the Android Enterprise work profile or iOS user enrollment partitions’ apps and content, without touching the personal side preserving personal privacy. The personal side is controlled by the owner, who has the option to install any app into that partition. If a malicious app is downloaded on the personal side that roots an Android device or jailbreaks an iOS device, MobileIron UEM and MTD will detect the new device state and can enforce a compliance policy since the exploit has evolved to the device level. In a rooted or jailbroken state, the personal and work partition separation security is no longer reliable.
So, how can a CISO and security architect implement a company security policy that satisfies employees who want to use popular messaging tools like WhatsApp and WhatsApp Business in a BYOD deployment? First, the app must be properly vetted. MobileIron Threat Defense (MTD) provides built-in advanced app analytics service that provides an enormous amount of details about app characteristics and behavior based on privacy and security risks, including data leakage assessment. Additional company Red Team activities can include app security penetration testing using a protocol fuzzer on all apps that will be installed on managed mobile devices.
Figure 1 – App characteristics within App Policies of MTD management console
The company security policy can allow only the vetted version of the app to be installed, designate older versions of the app as out-of-compliance, and block known vulnerable versions from the work partition. The procured app can also be managed and installed into the work profile so versioning can be controlled by the UEM administrator via the App Catalog and pushed by the enterprise app store. For Android deployments, Samsung KNOX and Zebra devices allow the app to be silently installed without a user prompt.
If this best practice is not implemented, the device compliance action for an out-of-compliant app can be to notify the user and admin that an older version is installed on a managed device. Then, it can apply a tiered compliance policy to allow the user to manually update the app to the allowed version in a specified grace period like one to four hours. If the user fails to update the app, the device can be blocked from accessing corporate resources and/or quarantined by removing or hiding the other managed apps and content until the device state is returned to a compliant state.
MobileIron UEM can also send a reminder to the user to enable two-factor (2FA) verification and to create a 6-digit PIN for added security to their WhatsApp account. Think of the PIN as a secret that should never be shared with anyone, and changed frequently.
Itemized below is the list of known vulnerable versions of WhatsApp to the Pegasus spyware implant. These versions should be blocked from installation onto any mobile device. Rooted or jailbroken versions of any app from a non-sanctioned (third party) app store will automatically be blocked by UEM and MTD as an unknown source and/or as a sideloaded app threat.
Figure 2 – List of vulnerable versions of WhatsApp
The screenshot below shows the MTD management console Apps list and different versions of WhatsApp installed on managed iOS and Android devices. In the app policy depicted below, vulnerable versions are blocked (Deny), older versions are marked as out-of-compliance, and only the latest versions can be installed onto the managed devices (Allow).
Figure 3 – App policy
Proactively, the UEM administrator can manually upload the latest versions of the app directly from the iOS App Store or Google Play Store using the app URL within the Apps tab of the MTD management console. Once imported, MTD will perform an advanced app analysis of the app checking for privacy and security risks. This data can be the basis for their corporate app policy for all apps installed on a managed device.
Deploying mobile-centric, zero trust security tools like unified endpoint management from MobileIron with integrated MobileIron Threat Defense capabilities ensures protection of both managed and lightly-managed mobile devices from malicious apps and phishing, as well as from device and network threats.