The Mobile Security Risks of ActiveSync-Only Devices

Four major mobile security exploits have been discovered on Android and iOS in the last two months. Modern mobile operating systems (Android, iOS, and Windows 10) are architected to be much more secure than traditional operating systems (such as Windows 7), but hackers are smart and determined and will inevitably discover vulnerabilities.

Unfortunately, many mobile devices in the enterprise are not protected against these exploits because they are managed only by ActiveSync. ActiveSync is the industry-standard protocol for push email, but it is not an adequate mobile security solution. Any device that relies on only ActiveSync as protection is at high risk of breach from these types of exploits because ActiveSync cannot detect or mitigate them.

MobileIron introduced the Rethink: Security blog series to provide mobile security insights and best practices to IT organizations. Today’s blog article provides an overview of four recent exploits and provides appropriate mobile security countermeasures to mitigate the risk of data loss.

Stagefright: Announced July 27, 2015

Stagefright, discovered by Joshua Drake at our partner Zimperium, was announced just before the Black Hat USA conference, held August 1-6, 2015 in Las Vegas. Stagefright takes advantage of a vulnerability found in the Android media library. The attacker can send a malicious multimedia message via MMS to an Android mobile device. When the vulnerable Android device receives the message, it is automatically downloaded (default setting) and infects the device through the multimedia preview function. It can steal data, hijack the microphone, use the camera, and essentially behave like spyware on the infected device. The impact has been broad, encompassing 99% of all Android devices. Since the original Stagefright release, a new variant of the exploit, also discovered by Joshua and named Stagefright v2.0, uses websites with malicious MP3 or MP4 files to infect unpatched Android devices when the files are previewed.

Mitigation method: Identify devices with older versions of Android and quarantine them so that they do not have access to enterprise data using the known list of patched devices.

KeyRaider: Announced Sept 1, 2015

KeyRaider malware has stolen the account information of over 225,000 Apple users on jailbroken iOS devices. This mobile security exploit can steal usernames, passwords, certificates, and even private keys. It can also take control of an iPhone or iPad and access corporate email, documents, and other data. KeyRaider malware targets jailbroken devices because jailbreaking eliminates many of the built-in security features of the mobile operating system.

Mitigation method: Proactively identify jailbroken devices and quarantine them so that they do not have access to enterprise data.

XcodeGhost: Announced Sept 17, 2015

XcodeGhost was announced by Palo Alto Networks but was originally discovered by Chinese iOS developers and analyzed by Alibaba researchers. It allowed infected apps to make it into the Apple App Store. iOS (and OS X) developers who develop apps sometimes download Apple’s Xcode SDK from sites other than the official Apple download site. Some of these sites have infected versions of Xcode. When developers use one of these nefarious versions of Xcode for developing their apps, they are unknowingly hiding malware in their apps. Over 4,000 XcodeGhost apps have been identified by MobileIron partner, FireEye, and subsequently removed from the App Store by Apple. But many devices still have these infected apps installed.

Mitigation method: Identify devices that have XcodeGhost apps installed and quarantine them so that they do not have access to enterprise data.

YiSpecter: Announced Oct 4, 2015

YiSpecter leverages “private APIs” on iOS to infect devices. Private APIs are unpublished or unsupported Apple iOS APIs. Mobile apps using these APIs are usually blocked during Apple’s app vetting processes for the App Store. YiSpecter malware is being distributed through ISPs, through a worm on Windows that infects the device when pairing, and through offline app installation. YiSpecter can modify, install, and launch apps without the user’s permission and harvest user information.

Mitigation method: Identify devices that have versions of iOS older than 8.4 installed and quarantine them so that they do not have access to enterprise data.

Mobile Security Countermeasures

None of these four exploits can be detected or mitigated through ActiveSync policies alone. They require an enterprise mobility management (EMM) solution like MobileIron.

For detection, MobileIron identifies:

  • Devices running certain operating system versions , which is the detection model for Stagefright and YiSpecter
  • Devices that are jailbroken, which is the detection model for KeyRaider
  • Apps installed on mobile devices, which is the detection model for XcodeGhost

For XcodeGhost, our mobile securitythreat management partners are uncovering infected apps on an ongoing basis, which MobileIron can then identify if the apps are installed on a managed device.

For mitigation, MobileIron quarantines the device until the problem is resolved and provides:

  • User notification to educate the user community about mobile security threats and recommended actions
  • Conditional access to block access to back-end enterprise services
  • Selective wipe to ensure that enterprise data on a compromised mobile device is removed

We recommend that every MobileIron customer:

  1. Implement the countermeasures above to address these new mobile security threats
  2. Configure ActiveSync traffic to flow only through MobileIron Sentry in order to identify unmanaged devices that are inappropriately accessing data
  3. Ensure that every device with enterprise data is under management because any ActiveSync-only device will be at high risk of breach

Be sure to visit MobileIron's Rethink: Security podcast for the latest updates about new and existing mobile security threats. .

Michael T. Raggo