If you’re a smartphone user and you live on planet Earth you’ve probably heard about the Android Stagefright vulnerability. And most likely you’ve read some facts about that make it sound so pandemic they could easily be used in a trailer for an upcoming Hollywood scare flick. Here’s a quick scan of some of the headlines:
“It Only Takes One Text To Hack 950 Million Android Phones”
“Android Stagefright Vulnerability Puts Millions at Risk”
“There’s (Almost) Nothing You Can Do About Stagefright”
“Nearly 1 billion phones can be hacked with 1 text”
“Stagefright: Android’s Heart of Darkness”
That will make you hair stand up won’t it? And these statements aren’t hyperbole; they’re all true facts about the threat the Stagefright vulnerability poses to Android smartphone users. The vulnerability exploits a security gap within Android’s Stagefright media library. Because this playback engine processes videos files before a user opens them, attackers can send a simple SMS or MMS file to a device and can already commence stealing data from your device and hijacking your camera or microphone whether you’ve opened the message or not.
But the plot gets thicker still. Google was actually warned about Stagefright in April and applied the necessary patches to their internal code branches with 48 hours. They also relayed the source code patches to the various device manufacturers (Nexus phones were not originally included but have begun receiving the patch this week) and smartphone carriers so they can deliver the update within new firmware. The fix is in then, no? Apparently not. Four months later and counting, not one original equipment manufacturer (OEM) has delivered this patch to it user base. While this vast network of OEMs and carriers sort out their process gaps users remain vulnerable… but not just consumers. What about the all the work apps and data sitting on their devices?
How scared should enterprises be of Stagefright?
Every day BYOD employees are opening work apps delivered to them by employers from their personal Android phones. Stagefright’s ability to attack 95 percent of all unpatched phones introduces a new mobile security threat, one that will test the resilience of MDM and EMM device security features. It certainly won’t be the last flaw to surface within consumer devices that can breach sensitive and often lucrative corporate data – these threats are constantly evolving.
So then, how can enterprises be best prepared to prevent these threats and take back control of their apps and data?
Don’t depend on personal devices for your enterprise security
The enterprise mobility community has already begun recognizing the need to augment strategic focus from purely device security to a data-first perspective, and Stagefright is another example that reinforces the need for this change.
It’s this philosophy that helped spawn Virtual Mobile Infrastructure (VMI), which remotes a virtual Android device onto smartphones from the data center using a remote display protocol. Users simply download a thin client app, which reflects a mirror image of the actual mobile applications running in the server. The remote display protocol swiftly relays all draw and mobile sensor commands made by the user to the Android platform which executes them and sends back the image to the device. The speed, response time and image quality of this set up is already at a level on par with native mobile apps.
Essentially this means you can continue to allow your employees the flexibility of using their own BYOD devices, rather than introduce stringent policies that are by no means bulletproof. In the case of Stagefright there’s very little users could have done to keep it at bay, nor should enterprises continue to put the onus of device security on their employees.
You can do that because your entire corporate environment is remote and completely separate from that of the personal device. When a clever vulnerability like Stagefright strikes, your corporate data won’t be there to attack. Security management for mobile apps becomes much simpler as it’s now handled behind within your corporate datacenter.
VMI gives enterprises control over Patch Management
This time around, Stagefright exposed a Patch Management gap for Android device manufacturers and Google. And it’s one of the fallouts of the way our consumer and enterprise technology has collided as enterprises become more mobile. With VMI, your security team can make sure it is applying the latest patches on the virtual device in the server. Even if your users’ personal smartphones are not protected, you are.