VPN Encryption Vulnerability On Android
An anonymous reader writes "Cyber security labs at Ben Gurion University have uncovered a network vulnerability on Android devices which has serious implications for users of VPNs. This vulnerability enables malicious apps to bypass active VPN configuration (no root permissions required) and redirect secure data communications to a different network address. These communications are captured in clear text (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure."
Re:Not a vulnerability (Score:4, Informative)
If an app is malicious and running on a machine, of course it can reroute, or look at data in RAM pre-encryption, or a number of other things.
If you want to be more secure, then only do secure comms on a trusted network, where any VPN routing is done outside of your potentially compromised device, and other routes are blocked.
Re:black listing all androids in 5..4..3..2..1 (Score:5, Informative)
If you are competent enough to use MDM on your mobile devices then your end users wouldn't be installing non-approved apps anyway.
Bullshit. Apple at least has gone out of their way to make this nearly impossible. Anything you can do to remove access to the App Store with any of the MDMs while the device is on the carrier network is either trivially bypassed by end users, or also makes doing things like installing updates for approved apps completely broken.
At best you can deny micro VPN connections and sandboxed services when unapproved apps are detected; while possibly acceptable from a security standpoint, it's kind of closing the barn door after the horses are out from a user perspective. They just paid $5 for their app because they "forgot company policy about not installing other apps," and now you're telling them they can't use it? Does not fly well.
Then there is the little matter of the fact you can't micro VPN just anything on iOS; unless it's an in-house app or the app vendor is willing to make ipks available, you are SOL. Which leaves you going back to things like AnyConnect or the builtin IPSec VPN, followed shortly by the users crying about how hard it is to type their password when they need to connect, so you say well okay we can use certificate-only authentication, but now we need a strong password on the device and a reasonable lock screen timeout, so we know it's you and not the guy who grabbed it after you left it on the seat of the bus. When you do that they really pitch a fit.
iOS devices are a disaster in terms of DLP and asset management.
Things are a tad bit better on the Android side of the house with regard to MDM, yes. I am not so sure it's much better on the overall security. There seems to be lots more malware in the wild.
As far as I know from a little testing with MDM demos provided by vendors and my contacts, most of them fail utterly to actually detect rooted devices. They typically look for pirate (as in radio, not warez) app stores and root tools. They often can't tell the kernel has been modified, the bootloader is unlocked, etc. if minor efforts to conceal the usual tools are undertaken. As corporate MDM becomes more common the rooting community is going to start making kits that are evasive and are almost sure to succeed given the current state of MDM. To say nothing of what the true malware authors out there are probably already doing.
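The comment above points out that MDM root checks mostly look for known app stores and root tools, which a user can simply hide. The following is an added example, not code from this thread or from any MDM product: it judges device integrity from bootloader and verified-boot system properties (as reported by `adb shell getprop`), which renaming or hiding a root tool does not change. The property names are real Android properties; the two `getprop` samples are constructed, and the script assumes the property dump is collected by an agent or over adb. It tolerates builds that do not report a verified-boot state, since older devices lack those properties.

```python
# Added example (not from the Slashdot thread or any MDM vendor): judge an
# Android device's integrity from bootloader and verified-boot properties
# instead of a blacklist of root-tool package names.

from typing import Dict, List, Tuple

# Constructed samples of `adb shell getprop` output. The property names are
# real Android system properties; the values are made up for this example.
STOCK_LOCKED = """\
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.veritymode]: [enforcing]
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
[ro.secure]: [1]
"""

# Unlocked bootloader with a custom kernel. The owner has hidden the usual
# root tools, so a package-name blacklist would report this device as clean.
UNLOCKED_CUSTOM = """\
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [disabled]
[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
[ro.secure]: [0]
"""

Finding = Tuple[str, str]  # (severity, description)


def parse_getprop(text: str) -> Dict[str, str]:
    """Parse `getprop` lines of the form `[key]: [value]` into a dict."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not (line.startswith("[") and line.endswith("]")):
            continue  # skip anything that is not a property line
        key, sep, value = line[1:-1].partition("]: [")
        if sep:
            props[key] = value
    return props


def assess(props: Dict[str, str]) -> List[Finding]:
    """Return integrity findings; a 'high' finding means the boot chain is not trustworthy."""
    findings: List[Finding] = []

    if props.get("ro.boot.flash.locked") == "0":
        findings.append(("high", "bootloader unlocked (ro.boot.flash.locked=0)"))

    state = props.get("ro.boot.verifiedbootstate")
    if state in ("orange", "red"):
        findings.append(("high", f"verified boot state is {state}"))
    elif state == "yellow":
        findings.append(("medium", "verified boot state is yellow (custom signing key)"))
    elif state is None:
        findings.append(("info", "no verified boot state reported (old or unsupported build)"))

    mode = props.get("ro.boot.veritymode")
    if mode is not None and mode != "enforcing":
        findings.append(("high", f"dm-verity not enforcing (ro.boot.veritymode={mode})"))

    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append(("medium", "system image signed with test-keys"))
    if props.get("ro.debuggable") == "1":
        findings.append(("medium", "ro.debuggable=1 (userdebug/eng build)"))
    if props.get("ro.secure") == "0":
        findings.append(("high", "ro.secure=0 (adbd runs as root)"))
    return findings


def is_trustworthy(getprop_text: str) -> bool:
    """Policy gate for an MDM: no 'high' finding means the boot chain checks out."""
    return not any(sev == "high" for sev, _ in assess(parse_getprop(getprop_text)))


if __name__ == "__main__":
    for name, sample in (("stock", STOCK_LOCKED), ("unlocked", UNLOCKED_CUSTOM)):
        print(f"{name}: trustworthy={is_trustworthy(sample)}")
        for sev, desc in assess(parse_getprop(sample)):
            print(f"  [{sev}] {desc}")
```

These values are still self-reported by the device's own init and kernel, so a fully replaced ROM could fake them; they close the gap the comment describes (hidden tools, modified kernel, unlocked bootloader) but a stronger gate is hardware-backed key attestation, where the device's secure hardware signs the boot state instead of the OS reporting it.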