It's hardly the kind of thing any company wants attached to its name, but HTC's rapid acknowledgment of a "serious" security vulnerability, discovered and published this week by security researchers, may ultimately help deflect criticism and will, regardless, serve as a valuable reminder to CSOs that mobile devices represent a new and still-evolving security threat within the enterprise.
That's the consensus after the bug was published by researchers Trevor Eckhart, Justin Case and Artem Russakovskii, who had contacted HTC with details of the vulnerability and waited five days without a response before pantsing the company in front of the security and mobile worlds.
The resulting admission involved the kind of PR contrition no company wants to face, but the fast-growing Taiwanese handset maker has since rushed to patch its Sense user interface to close the bug, which allows malicious apps to obtain user details, call history, SMS logs and more.
HTC Australia declined to discuss the bug, offering only the company's standard statement:
"In our ongoing investigation into this claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application … potentially acting in violation of civil and criminal laws … As always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources."
The fact that the bug was disclosed before HTC had fixed it left some security commentators incensed and more than a little concerned, but CSOs may find temporary consolation in the relatively low penetration of Android handsets in Australian businesses.
While IDC Australia's latest Mobile Device Tracker research put Android phones as Australia's second most popular smartphone platform with 30% market share, behind the nearly 40% held by Apple's iPhone, surveys indicate that the iPhone has a much larger presence within businesses.
A recent survey by Intermedia, whose hosted ActiveSync mail service supports a range of devices, found that the iPhone accounted for 61% of smartphones in businesses and Android just 17% (for the record, Apple's iPad outranked Android-based tablets by 99.8% to 0.1%). These figures aren't likely to be helped by the ongoing discovery of vulnerabilities in Android smartphones, which have been hit by a string of malware incidents as a 400% year-on-year surge in the volume of Android malware keeps Google, and businesses in the field, on their toes.
Could the ongoing spate of vulnerabilities damage Android's credibility with enterprise security executives? Yee-Kuan Lau, market analyst with IDC Australia, isn't entirely convinced.
"It would be too precipitous to say Android-based smartphones are not appropriate for business usage as a result of this one incident," she explains.
"Every platform has inherent security risks and this will be no different for Android as for other mobile OSes. Organisations should be utilising a range of security solutions to ensure secure access to apps and data regardless of the kind of device that is chosen. The question of appropriateness for business comes down to the organisations' goals and ICT imperatives."
It could take a while for the industry to catch up, however. New products such as Symantec's Data Loss Prevention for Tablet are designed to let security staff restrict the flow of information from iPads, which, like USB memory sticks, have emerged as another significant channel for data leakage.
Symantec debuted the iPad version of the software this week, but an Android equivalent is not due until next year; in the meantime, CSOs contemplating management of Android will have to rely on more conventional techniques such as careful patching, user education and, of course, the regular crossing of fingers.