Video Screencast Help
Mobility Community Blog

Trust the app not the platform

Created: 21 Mar 2014 • Updated: 21 Mar 2014
Dishwishy's picture
+2 2 Votes
Login to vote

"R2D2, you know better than to trust a strange computer!"
-C3PO

I think most folks, myself included, assume platforms are pretty safe. Yes we have "patch tuesdays" for Windows, and the last time I checked synaptic had like 340 updates for my laptop, but there's always been a decent level of trust around the devices I use to go about my daily business. In recent history however, there seem to be a growing number of examples where the platforms vendors themselves have accidentally exposed their users to non-trivial vulnerabilities. 
This sort of upside-down problem of protecting the platform against itself, or rather the apps against the broken parts of the platform, help to frame much of what Symantec has been doing for the last nearly 2 years via our "App Wrapping" technology (Symantec App Center).

The two examples I'll use as reference points are the recently patched iOS 7 "SSL GOTO fail" and a Samsung Android "back-door". I don't think there's any argument against Android (specifically Samsung's flavors) and Apple iOS being the dominant mobile platforms today, and so these examples are particularly germane.

In the case of the iOS 7 SSL issue, my colleague Adam did a nice writeup here:
http://www.symantec.com/connect/blogs/protect-agai...

and the original article is here:
http://corte.si/posts/security/cve-2014-1266.html

To make a long story short, all devices (and their apps/associated app data) prior to iOS 7.0.6 were vulnerable to a number of network based attacks. The app developers didn't do anything wrong per-se, other than leverage the platform that Apple provides to everyone equally. Apple did right by their customers and sent out a patch to fix the vulnerability, but per Adam's article we (Symantec) were able to protect those apps through a number of means (SSL Cipher restrictions, URL guard-rails, etc), no code changes, no change in developer habits or behaviors, we were able to protect the app and its associated data from the inherently trusted (but flawed) platform.

Now on to Android, and specifically Samsung. Per the article here:
http://redmine.replicant.us/projects/replicant/wik...

While only a subset of devices are affected, the actual bug (feature?) itself is pretty interesting. In the most general set of cases, the SD card and it's data is the most vulnerable component. Even here, wrapping comes to the rescue where the platform itself proved to be the achilles heel. Part of the Symantec wrap policy can provide two options to mitigate this particular issue:
1. Encrypt any app generated data
2. Disallow SD card storage for that app

Either standalone or combined, those two policies will help prevent that wrapped app from having its data groked by the modem and whatever is sending it commands, mitigating the severity of the vulnerability.

So what's the takeaway then? I personally think that Google (and it's OEMs) and Apple have done a fine job of building robust and developer friendly platforms, but like all software it's got bugs and those bugs have very serious implications for how Enterprises plan to mobilize their data. Wrap helps us solve for that, forget about the device, forget about the app's provenance and potential platform problems and go about your business.

Also, for more philosophical (and practical) ideas on "wrap" in general I suggest Jeff Enderwick's Medium posts:
https://medium.com/p/5a355cee4b16
https://medium.com/p/b8edef6ccdb6