Educause Security Discussion mailing list archives

Re: Where do you stand? --- University policy on Jail broken mobile device access to secure networks.


From: Brian Helman <bhelman () SALEMSTATE EDU>
Date: Thu, 29 Mar 2012 17:24:25 +0000

Absolutely.  Just as a laptop with a poor Administrator password is a liability, a JB device with the default/poor 
password would be as well.  I don't recall if the SSH service is installed as a part of the JB process or not.  But you 
do have far easier control of the services (from a user standpoint) than stock.  

This discussion is tangential to the BYOD discussion.  Do you let those devices access your secure network or not?  I 
can tell you, in some ways my JB devices are more secure than when they weren't -- because I can lock applications 
individually and change files to read-only.

Getting back to the question in focus though, if you are VPN'ing in on a jailbroken device, vulnerable services 
shouldn't be accessible anyway.  Where I could see the potential for a problem would be if a key logger were to be 
installed and then that information transmitted elsewhere once the VPN connection was dropped.  Again, this is nothing 
that couldn't happen on a Windows or Mac though (not making excuses, just pointing out that we'd have conflicting 
standards depending on the device).

And honestly, I strongly believe a jbroken iOS device is still more secure than a stock Android device, as long as you 
only use the stock Cydia repos.  There are definitely some questionable repos out there that would rival the Google app 
store.

-Brian

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ejike, 
Emechete C.
Sent: Thursday, March 29, 2012 12:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Where do you stand? --- University policy on Jail broken mobile device access to secure 
networks.

Brian,
Thanks for the response.
Your initial question actually allows me to point out that the focus is more on "Should jailbroken devices be allowed 
to connect on internal secure network?"
Interestingly, you did highlight the most common vulnerability of having a default ssh password. Wouldn't you agree 
that such issues might pose a security risk that might expose access to a secure resource via the device?

--
Eme

On Mar 29, 2012, at 11:54 AM, Brian Helman <bhelman () SALEMSTATE EDU> wrote:

I'm curious what brought this topic up?

From a security standpoint, I see no reason why rooted/JB devices shouldn't be supported.  Granted, the "sandboxing" 
has been defeated, but we're seeing that your device doesn't need to be JB for apps to access data outside of their 
normal control anyway.  And, other than the possibility of an SSH server running by default (with the default 
password unchanged), there's been no proof that JB devices are less secure than stock items.  In fact, I'd argue the 
opposite -- JB devices are often more secure, because they can be patched in a more targeted fashion.  This issue 
with Apple devices broadcasting past wireless network information will probably get patched on the JB side before 
Apple does it officially.

As far as policy, we do support JB devices.  In fact, we use them.  Apple forced us to do this when they removed most 
of the network tools (e.g. wififofum and WiFiAnalyzer) from the App Store.

-Brian

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eme 
Ejike
Sent: Thursday, March 29, 2012 11:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Where do you stand? --- University policy on Jail broken mobile device access to secure networks.

This is certainly interesting. I believe we all have some wonderful opinions.......

BYOD is here with all the intricacies involved in generating an apt SLA model for such devices on campus.
As part of the MDM service push for these devices, policies, standards and guidelines need to be defined to build a 
solid foundation on our foray into this arena.
What do our members believe an official stance on jail-broken devices should be?
Bearing in mind that our objectives are to provide security conscious access when on campus (i.e. connected to an 
elevated access SSID with a purview into secure segments of the network -- network shares, ERP applications, etc.).

A reference on some industry SME view would help in supporting your response.



Sincerely,

Eme Ejike
OCCS, ITSO Supervisor
Old Dominion University