1. bb10adopter111's Avatar
    How does that differ from people who carry a personal device with them as well as a corporate-issued device?

    The two scenarios are identical.

    You're 100% right. For companies serious about security I would have them check their personal devices at the door and access them only on breaks in designated areas.

    I realize that would make me an unpopular boss!

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    11-20-19 08:57 AM
  2. bb10adopter111's Avatar
    You're 100% right. For companies serious about security I would have them check their personal devices at the door and access them only on breaks in designated areas.

    I realize that would make me an unpopular boss!

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.

    ...or just turn them off, of course, if you have good compliance.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    11-20-19 08:58 AM
  3. conite's Avatar
    ...or just turn them off, of course, if you have good compliance.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.

    If you have to depend on people to actually DO something, the system is flawed by design.

    I still stand by my opinion that a properly managed EMM/BYOD solution is more than sufficient for the vast majority of cases.

    The remaining edge cases would need something rather custom anyway.
    TgeekB likes this.
    11-20-19 09:00 AM
  4. Soulstream's Avatar
    And how do you think hackers get access to servers? 80% of hacks involve at least one element of social engineering, getting a user to perform a task or compromise their credentials. Websites, apps, and email are the first step in the kill chain.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.

    Sure, but user error is not dependent on mobile OS. If the user is an idiot and reveals passwords or other private information, he could be on the most secure device ever, it wouldn't matter.
    11-20-19 09:00 AM
  5. bb10adopter111's Avatar
    Sure, but user error is not dependent on mobile OS. If the user is an idiot and reveals passwords or other private information, he could be on the most secure device ever, it wouldn't matter.

    Sure, but lots of people who are not idiots are also victims. We work all the time with companies where a very competent, properly trained employee falls victim to a carefully planned and executed spear-phishing attack that would have been pretty hard to avoid.

    As an example, one of our clients receives over 100,000 phishing attacks per year, some of which are from sophisticated organized crime syndicates. In one case, they established accounts as legitimate customers, then sent phishing emails to customer support agents with attached "screenshots" that contained a link to download a "viewer" containing a payload.

    The attack relies on the fact that a professional CS team wants to go above and beyond the call of duty to take care of customers. Their hope is that the desire to take care of a customer will lead them to make a mistake. The best social engineering attacks exploit good people trying to do their jobs, not "idiots" surfing dangerous websites.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    11-20-19 09:14 AM
  6. Invictus0's Avatar
    And yet you hype the security of BB10 based on its lack of marketshare.... My view is at one time heads of the G6 and some governments once used it.... thinking no one ever bothered is more like sticking your head in the sand and hoping for the best.

    Does BB10 give apps direct access to files? I thought it was like iOS where you need to "share" a file for an app to get proper access to it.

    Approving apps for corporate use is nothing new. Nor is it an unusual expense.

    Since the corporate data is segregated, it doesn't matter what people install on their personal side.

    Yes, a fully-functioning, proper EMM solution is required, but again, that is not a big ask.

    Data segregation wouldn't provide any protection against an attack like this because it gains access to the camera, microphone, and GPS data.

    BYOD prompted Chen's recent comments about devices so I think it's clearly an attack vector that enterprise is starting to pay more attention to. Employees would probably prefer a second device from corporate than to have their personal device locked down even further outside of work.
    11-20-19 10:56 AM
  7. conite's Avatar
    Data segregation wouldn't provide any protection against an attack like this because it gains access to the camera, microphone, and GPS data.

    BYOD prompted Chen's recent comments about devices so I think it's clearly an attack vector that enterprise is starting to pay more attention to. Employees would probably prefer a second device from corporate than to have their personal device locked down even further outside of work.

    Installing a rogue app on your personal side is no different from carrying around a personal device in addition to a company-issued device.

    99% of company security issues would be solved by implementing a proper EMM solution.
    11-20-19 11:06 AM
  8. Bla1ze's Avatar
    Data segregation wouldn't provide any protection against an attack like this because it gains access to the camera, microphone, and GPS data.

    Plus there's the factor of a pre-loaded app being part of the entry point. Kinda creates an argument for OEMs making their own apps, though they can be pretty terrible too lol.
    11-20-19 12:03 PM
  9. bb10adopter111's Avatar
    Installing a rogue app on your personal side is no different from carrying around a personal device in addition to a company-issued device.

    99% of company security issues would be solved by implementing a proper EMM solution.

    EMM protects network resources from being accessed by mobile apps very well, but that is absolutely not 99% of company security issues. It's probably close to 1%.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    11-20-19 12:29 PM
  10. conite's Avatar
    EMM protects network resources from being accessed by mobile apps very well, but that is absolutely not 99% of company security issues. It's probably close to 1%.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.

    I'm speaking in terms of mobile endpoint security management.
    11-20-19 12:59 PM
  11. bb10adopter111's Avatar
    I'm speaking in terms of mobile endpoint security management.

    I understand. I'm speaking in terms of mobile phones as a security threat in general, due to an overly permissive security model that makes it comically easy to escalate privileges without a user's permission.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    11-20-19 01:25 PM
  12. bb10adopter111's Avatar
    I wrote that it doesn't matter what people do on their personal side on a properly managed device.

    Corporate data is inaccessible.

    What is your definition of corporate data? Would a confidential conference call qualify? What about a network admin's password? What about the geo-location of an executive when they are visiting a potential acquirer? These are the types of "data" at risk in this case.

    I think you are constraining the definition of information security way too much. In the real world, hackers use social engineering and other tactics to defeat simple controls like EMM. This is an example of how Android makes it easy.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    Jake2826 likes this.
    11-20-19 01:31 PM
  13. conite's Avatar
    I understand. I'm speaking in terms of mobile phones as a security threat in general, due to an overly permissive security model that makes it comically easy to escalate privileges without a user's permission.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.

    You are seriously underestimating the difficulty in obtaining escalated privileges. It happens once in a while, but gets patched almost immediately.
    app_Developer likes this.
    11-20-19 01:34 PM
  14. conite's Avatar
    What is your definition of corporate data? Would a confidential conference call qualify? What about a network admin's password? What about the geo-location of an executive when they are visiting a potential acquirer? These are the types of "data" at risk in this case.

    I think you are constraining the definition of information security way too much. In the real world, hackers use social engineering and other tactics to defeat simple controls like EMM. This is an example of how Android makes it easy.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.

    And I think you are taking several theoretical or rarely seen vulnerabilities and putting them all together to form a threat model that doesn't exist.
    Troy Tiscareno and TgeekB like this.
    11-20-19 01:35 PM
  15. bb10adopter111's Avatar
    And I think you are taking several theoretical or rarely seen vulnerabilities and putting them all together to form a threat model that doesn't exist.

    My point was and is that this particular set of vulnerabilities should have been rendered impossible when Android supposedly gave users control over individual permissions several versions ago. It's now likely that granular control of permissions is not very robust.

    The reason that this is a big deal is that, unlike harder to exploit vulnerabilities, this one was easy and has not been patched on hundreds of millions of phones. There are huge state-sponsored and organized crime groups with hundreds of thousands of hackers targeting individuals and companies every day. It doesn't make the news because in many cases, the attacks go undetected for months or years, and, unless personal information is stolen that requires public disclosure, the information is never made public.

    China, Russia, Iran and North Korea alone are expected to cost the world trillions of dollars over the next few years. And that's in the absence of a major conflict. There's a reason that many experts believe cyber insecurity to be more of a threat to human civilization than nuclear war.

    It might not be pleasant to think that these neat gadgets that we enjoy are poorly designed and dangerous. Hopefully we'll stay ahead of the bad guys and fix the defects before they cost us too much. But treating huge screw ups like this as "normal" is part of the problem.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    11-20-19 02:00 PM
  16. bb10adopter111's Avatar
    You are seriously underestimating the difficulty in obtaining escalated privileges. It happens once in a while, but gets patched almost immediately.

    Did you read the report or watch the video? There was nothing difficult about exploiting this vulnerability. The researchers did it very, very quickly.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    11-20-19 02:03 PM
  17. conite's Avatar
    My point was and is that this particular set of vulnerabilities should have been rendered impossible when Android supposedly gave users control over individual permissions several versions ago. It's now likely that granular control of permissions is not very robust.

    The reason that this is a big deal is that, unlike harder to exploit vulnerabilities, this one was easy and has not been patched on hundreds of millions of phones. There are huge state-sponsored and organized crime groups with hundreds of thousands of hackers targeting individuals and companies every day. It doesn't make the news because in many cases, the attacks go undetected for months or years, and, unless personal information is stolen that requires public disclosure, the information is never made public.

    China, Russia, Iran and North Korea alone are expected to cost the world trillions of dollars over the next few years. And that's in the absence of a major conflict. There's a reason that many experts believe cyber insecurity to be more of a threat to human civilization than nuclear war.

    It might not be pleasant to think that these neat gadgets that we enjoy are poorly designed and dangerous. Hopefully we'll stay ahead of the bad guys and fix the defects before they cost us too much. But treating huge screw ups like this as "normal" is part of the problem.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.

    This really comes down to a buggy camera app, that was fixed back in July.

    Just part of the continuous cat and mouse game.
    TgeekB likes this.
    11-20-19 02:06 PM
  18. conite's Avatar
    Did you read the report or watch the video? There was nothing difficult about exploiting this vulnerability. The researchers did it very, very quickly.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.

    But it required a broken camera app to work - which Google fixed immediately back in July. The app allowed itself to be controlled via the SD storage permission.

    There was no escalation of privileges.
    TgeekB and app_Developer like this.
    11-20-19 02:07 PM
  19. bb10adopter111's Avatar
    But it required a broken camera app to work - which Google fixed immediately back in July. The app allowed itself to be controlled via the SD storage permission.

    There was no escalation of privileges.

    Of course. There's always got to be a bad app or some other vector for malware. In this case, the bad app came from Google and Samsung. That pretty much demonstrates that the security model for building apps is broken. The security architecture itself should not have allowed such a mistake to be made.

    We live in a world of millions of bad apps developed by bad developers using bad security models. That's the design flaw. And pretty much any Android phone not made by Google or Pixel may still be vulnerable, including the KEY phones. Checkmarx gave OEMs time to respond, and only Google and Samsung bothered to do so.
    11-20-19 02:21 PM
  20. bb10adopter111's Avatar
    11-20-19 02:24 PM
  21. conite's Avatar
    Of course. There's always got to be a bad app or some other vector for malware. In this case, the bad app came from Google and Samsung. That pretty much demonstrates that the security model for building apps is broken. The security architecture itself should not have allowed such a mistake to be made.

    We live in a world of millions of bad apps developed by bad developers using bad security models. That's the design flaw. And pretty much any Android phone not made by Google or Pixel may still be vulnerable, including the KEY phones. Checkmarx gave OEMs time to respond, and only Google and Samsung bothered to do so.

    At the very least, Android oversight (from within and without) is monumental, and the vast majority of vulnerabilities are caught long before they are ever exploited in the real world.

    I'd be wary of any other model that touts they are better, but don't have that kind of scrutiny.
    11-20-19 02:41 PM
  22. bb10adopter111's Avatar
    At the very least, Android oversight (from within and without) is monumental, and the vast majority of vulnerabilities are caught long before they are ever exploited in the real world.

    I'd be wary of any other model that touts they are better, but don't have that kind of scrutiny.

    First, I'd like to thank you for engaging in this important discussion. We don't have to (and likely won't) agree on everything.

    Second, I agree with you that scrutiny is good.

    My main point here is that, in the race to win the OS market share war, Android has prioritized flexibility and features, with security added on later. The underlying architecture is simply not optimized for security.

    From the screen of my trusty Z10 using the exceptional BlackBerry VKB.
    Last edited by bb10adopter111; 11-20-19 at 03:38 PM.
    Jake2826 likes this.
    11-20-19 02:46 PM
  23. Invictus0's Avatar
    Installing a rogue app on your personal side is no different from carrying around a personal device in addition to a company-issued device.

    99% of company security issues would be solved by implementing a proper EMM solution.

    Sure but that's assuming corporate will allow you to carry a personal device everywhere. With a corporate/BYOD odds are there's an expectation that you'd have it with you everywhere you go at work.

    Plus there's the factor of a pre-loaded app being part of the entry point. Kinda creates an argument for OEMs making their own apps, though they can be pretty terrible too lol.

    Absolutely, and in this case it was a Google app. Those who sideloaded Gcam might have opened up an attack vector that their non-Google OEM may never patch.
    11-20-19 05:13 PM
  24. gebco's Avatar
    From the website originally shared by OP:
    “We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”

    As vulnerabilities are exposed they are patched. Is the overarching argument in this thread that Android is generally full of holes like this one that have yet to be discovered? VS BB10 vs iOS?
    TgeekB likes this.
    11-20-19 05:15 PM
  25. TgeekB's Avatar
    From the website originally shared by OP:
    “We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”

    As vulnerabilities are exposed they are patched. Is the overarching argument in this thread that Android is generally full of holes like this one that have yet to be discovered? VS BB10 vs iOS?

    I believe that is the argument by the OP.

    This is always a cat and mouse game, as someone else mentioned. Someone can always find a way to break into your house even if you have a security system. It comes down to being smart and not making it too easy on the perpetrators.
    gebco likes this.
    11-20-19 05:20 PM