Educause Security Discussion mailing list archives

Re: Where do you stand? --- University policy on Jail broken mobile device access to secure networks.


From: John Ives <jives () SECURITY BERKELEY EDU>
Date: Thu, 29 Mar 2012 11:10:33 -0700


On 3/29/2012 10:24 AM, Brian Helman wrote:
> Absolutely.  Just as a laptop with a poor Administrator password is
> a liability, a JB device with the default/poor password would be as
> well.  I don't recall if the SSH service is installed as a part of
> the JB process or not.  But you do have far easier control of the
> services (from a user standpoint) than stock.

It would probably depend upon the jailbreak method, but I can tell you
that usually it is. In fact, I have a jailbroken iPad on my desk now
running ssh and waiting to get compromised because I want to see what
happens (think of it as a portable honeypot).


> This discussion is tangential to the BYOD discussion.  Do you let
> those devices access your secure network or not?  I can tell you,
> in some ways my JB devices are more secure than when they weren't
> -- because I can lock applications individually and change files to
> read-only.

But the ones that are more secure are a very small portion of the
jailbroken population. We see jailbroken iOS devices regularly getting
hacked and being used to attack others. In contrast, I have only seen a
couple of Androids attack others.

> And honestly, I strongly believe a jbroken iOS device is still more
> secure than a stock Android device, as long as you only use the
> stock Cydia repos.  There are definitely some questionable repos
> out there that would rival the Google app store.

Not to start a religious war, but I disagree with this.  I have spent
a bit of time working with Androids (both rooted and stock) and feel
their security is, just like other devices, an issue of how they are
used.  Yes, there have been instances of malware getting into the
Google market, but it's not really that common and again it is based
upon decisions made by the user.  I personally, on my Androids, get
most of my apps from Amazon, who has a testing policy to ensure
security.  The only ones I don't get from Amazon are either by major
vendors (Adobe for instance), or are specific to computer security, in
which case they go on devices intended for such work.

My household has 4 Android devices (2 rooted) and 3 iOS (1
jailbroken), so I have some experience comparing them. For me the
breakdown is that out of the box and for normal work, iOS is more
secure than Android (how much more secure is an issue of the user).
Once rooted/jailbroken, that model is reversed, with the Androids
(depending upon the method used) becoming more secure and the iOS
less. The difference is that a rooted Android, if you replace the ROM,
tends to remove superfluous software and doesn't start new services,
while the jailbroken iOS adds new network services and doesn't warn a
user to secure them, so when we see compromised devices they are almost
always iOS, and generally attacking others.

Ultimately, what has made the iOS (stock) more secure is Apple's
decision to be the arbiter of what can be installed.

Yours,

John

-- 
-------------------------------------------------------------------------
John Ives
System & Network Security                           Phone (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------

