While Apple caters to those who want absolute security and are willing to sacrifice some functionality, Android caters to those who embrace the freedom of a more open ecosystem and the choice of multiple hardware and service providers. Basically, they are willing to work within Android's risk model.
As enterprise IT teams focus more attention on mobile, it'll be most important to ensure that users themselves are concerned and motivated enough to individually secure data at their workplace. A recent Mobile Privacy IQ study conducted by Lookout surveyed smartphone owners in the U.S. to determine user perceptions toward privacy and data on mobile devices. While 76 percent of respondents claimed they would take extra steps to secure their personal data, only 5 percent felt the same about securing data for their workplace.
However, despite increased security threats, the mobile world is maturing and so is the thinking around layered security. Furthermore, the cooperation between OS vendors, third-party app developers, and security "bug hunters" is evolving. There is significant value to being an attacker, either as a White Hat like Joshua Drake and so many others who diligently work through vulnerabilities and report them for the benefit of the ecosystem, or as a Black Hat who will steal your data, crash your services, or hijack your application for blackmail money. It is therefore critical to enumerate the superset of possible threats to your solution, create a model for each of them, design countermeasures to mitigate the risk, and continuously monitor both your solution and the changes in the outside threat landscape. Without doing this, you could be a feature presentation at Black Hat 2016.
There was a wide spectrum of experts – from hackers to security communities – at the annual Black Hat conference in Las Vegas, concluding last week. The conference always provides a great perspective on the state of security today through technical briefings and hacking workshops, led by the premier minds in the field.
While Apple's and Android's models are working fairly well for the user communities they target, it is clear that significant vulnerabilities persist in enterprise mobile app development. Developing secure mobile apps that protect companies from external threats and ensure that data privacy, security, and regulatory demands are met is not an easy task.
The attack surface across corporate data expands significantly as soon as you include mobile in your portfolio. One of the most critical threats to enterprises comes from within – the mishandling and misappropriation of sensitive corporate data by employees. While Apple and Android continue to provide valuable tools and processes to help with security, it is ultimately up to the designers and developers of the apps and supporting infrastructure to understand, appreciate, and code to the security and compliance standards set forth by the community at large.
In this slideshow, Robert McCarthy, technical advisor at Mobiquity, outlines five takeaways from this year's Black Hat 2015, particularly focusing on the differences in Apple and Android's security models – and how you should address them.