Lookout Endpoint Security

July 14, 2020


Vulnerability Management is Complicated Without a Data-Driven Approach

As smartphone and tablet usage has increased with everyone working from home, it got me thinking about how app and device vulnerabilities are currently managed. One of the most important actions you can take to keep smartphones and tablets secure is to make sure their apps and operating systems are up to date. The problem is that traditional tools make this task extremely complicated and error-prone.

In the case of the iOS Mail app exploits disclosed back in April, an organization had to check whether each of its devices was ready to update to the latest iOS version, 13.5.1. This process is even harder for Android, where the fragmented way the operating system is updated makes it almost impossible to keep track of which devices can update and which have no update available yet. In addition, on Android you need to consider both the OS version and the security patch level of a device to determine whether it is vulnerable: two devices on the same OS version can be on very different patch levels.

On the app side, most companies are doing almost nothing to manage vulnerabilities in third-party apps. With the recent trend of app vulnerabilities leading to remote compromise of entire mobile devices, keeping apps updated is more critical than ever. A vulnerability in an app should now be thought of as a device-wide vulnerability; organizations need to keep both OS and app vulnerabilities in mind to make sure their data is secure.

It’s hard to manage with the tools you have now

The current way for a security-conscious organization to implement mobile vulnerability management (MVM) is through its mobile device management (MDM) solution. Unlike Windows, macOS or Linux in the desktop world, there is no single source of truth that can tell you which iOS or Android device can upgrade to which OS version or Android security patch level.

The only way to implement such a policy in an MDM is to research and manually set policies for each individual device type, and to refresh them weekly. This laborious process becomes almost impossible on Android, where updates are released by carriers and device makers on their own schedules, and where each phone model may or may not yet be compatible with the latest security patch. Configuring these policies incorrectly also has a real cost to productivity: requiring too new an Android OS version or security patch level might mark half your devices as out of compliance when no patch exists that could bring them back into compliance.

App vulnerabilities can lead to device compromise

While many are aware of the risks of running an out-of-date operating system, few understand the risks of out-of-date apps on devices. Historically, app vulnerabilities were self-contained: an exploit of a particular app stayed within that app, such as a malicious actor decrypting a message that was supposed to stay encrypted in a messaging app. However, a rapidly growing trend we started seeing in 2019 is app vulnerabilities that expose the entire mobile device to exploitation.

In mid-2019, the Financial Times reported on a WhatsApp vulnerability (CVE-2019-3568, a buffer overflow in WhatsApp's VoIP stack) that was used to deliver spyware onto iOS and Android devices without any user interaction. You could receive a WhatsApp VoIP call from an attacker, not answer it, and your device could still be compromised if you were running a vulnerable version of WhatsApp. Around the same time, an iMessage exploit was disclosed that let attackers read files from a device remotely.

This is how the WhatsApp vulnerability was able to exploit the entire mobile device. (Source: Lookout)

This is not a foreign concept in non-mobile vulnerability management. You already worry about whether your browser, Adobe Acrobat Reader and Adobe Flash Player are up to date. You need to extend the same thinking to the apps on the mobile devices that access corporate data. Yet most companies are doing nothing about mobile app vulnerabilities today.

But, again, as with OS updates, app updates are not as simple as they seem. To protect a device, you need to know which apps are on it, which of those are vulnerable, and which version fixes the problem.

Vulnerability databases rarely assign vulnerabilities to mobile applications directly. Often a vulnerability is assigned to a specific SDK or library that is bundled inside numerous applications. Unfortunately, that is where the information typically stops: it is very difficult to find out which apps have shipped the vulnerable library, and a popular library can be part of hundreds of apps.
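As an added example (not Lookout's code), the following is the lookup the paragraph above says is hard to do. It assumes you already hold a per-app bill of materials (library name and version for each app build), which you would have to build yourself or obtain from a vendor; with that in hand, a library-level advisory can be matched against the app builds that bundle an affected version and then against the devices running those builds. The advisory, the app inventory and the device list are all constructed for illustration.

```python
"""Map a library-level advisory to the app builds and devices that bundle it.

Added example, not Lookout's code. It assumes a per-app bill of materials
(library name -> version for each app build) is available. The advisory,
app inventories and device list below are constructed for illustration.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'2.10.1' -> (2, 10, 1) so that versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    library: str
    fixed_in: str             # first library version that contains the fix
    affected_from: str = "0"  # first affected version (inclusive)

    def affects(self, version: str) -> bool:
        """True when affected_from <= version < fixed_in."""
        v = parse_version(version)
        return parse_version(self.affected_from) <= v < parse_version(self.fixed_in)


# Constructed SBOM-style inventory: app id -> app version -> bundled libraries.
APP_SBOMS = {
    "com.example.chat": {
        "3.4.0": {"libvoip": "1.2.5", "imagecodec": "2.0.1"},
        "3.5.0": {"libvoip": "1.3.0", "imagecodec": "2.0.1"},
    },
    "com.example.bank": {
        "7.1.2": {"imagecodec": "1.9.0"},
    },
    "com.example.news": {
        "12.0": {"imagecodec": "2.1.0"},
    },
}

# Constructed device inventory: device id -> {app id: installed app version}.
DEVICES = {
    "d1": {"com.example.chat": "3.5.0", "com.example.news": "12.0"},
    "d2": {"com.example.bank": "7.1.2", "com.example.chat": "3.4.0"},
    "d3": {"com.example.news": "12.0"},
}


def vulnerable_app_builds(advisory: Advisory, sboms: dict) -> set:
    """Return the set of (app id, app version) builds that bundle an affected
    version of the advisory's library."""
    hits = set()
    for app, builds in sboms.items():
        for app_ver, libs in builds.items():
            lib_ver = libs.get(advisory.library)
            if lib_ver is not None and advisory.affects(lib_ver):
                hits.add((app, app_ver))
    return hits


def devices_needing_app_update(advisory: Advisory, sboms: dict, devices: dict) -> dict:
    """Return {device id: [app ids]} for devices running an affected build.
    Devices with nothing affected are omitted."""
    bad = vulnerable_app_builds(advisory, sboms)
    result = {}
    for dev, apps in devices.items():
        flagged = sorted(app for app, ver in apps.items() if (app, ver) in bad)
        if flagged:
            result[dev] = flagged
    return result


if __name__ == "__main__":
    # Hypothetical advisory: every 'imagecodec' version below 2.1.0 is affected.
    adv = Advisory(library="imagecodec", fixed_in="2.1.0")
    for dev, apps in devices_needing_app_update(adv, APP_SBOMS, DEVICES).items():
        print(dev, "must update:", ", ".join(apps))
```

Note that the same app can be vulnerable in one build and fixed in the next while the device inventory only records the installed app version, which is why the match is done on (app, version) pairs rather than on app names.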

Vulnerability management with data

Vulnerabilities like the iOS Mail exploits will come and go, but mobile vulnerability management is not going anywhere. MAM and MDM might help you set certain policies, but without the underlying vulnerability information it is nearly impossible to keep up.

Here’s a screenshot of how the Lookout console helps with vulnerability management. We’re able to tell you whether a device is running the latest operating system or security patch available for it, and which vulnerabilities are unpatched. (Source: Lookout)

At Lookout, we overcome the lack of information on OS and app updates by collecting telemetry from nearly 200 million mobile devices and over 100 million applications used around the world. As a result, we can give our customers real-world data about the updates available for their devices and apps. This information is based on the most reliable source available: actual evidence that another device of the same type has already received that OS update, security patch or app update.

My parting thoughts for you to ponder when planning a mobile vulnerability management process:

  • Remember that vulnerabilities in modern third-party apps can lead to device compromise. A vulnerable personal app like WhatsApp can lead to device compromise and theft of enterprise data.
  • Write out your ideal policies, regardless of whether your current technology supports them. They might look something like:
      • If there is a critical or high-risk vulnerability, require the device to update within 14 days of the patch becoming available for it.
      • Require devices to be running one of the latest two OS versions they can update to.
  • Identify the gaps in the tools you have today.
  • Consider whether a data-driven approach, based on the real-world presence of patches on similar devices, can help close those gaps.
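To make the policy bullets above, and the earlier point about MDM policies that strand devices with no available patch, concrete: here is an added example (not Lookout's code) that evaluates a constructed Android fleet two ways. The static rule is a fixed minimum patch level, the way an MDM policy is usually written. The data-driven rule only flags a device once a newer build has actually been reported by another device of the same model for longer than the 14-day grace period, and treats OS version and security patch level together. Everything in it is assumed: model names, patch levels and dates are made up, and the inventory fields stand in for whatever your MDM or telemetry exposes.

```python
"""Data-driven OS/patch-level compliance for a mobile fleet.

Added example, not Lookout's code. Instead of a hand-maintained per-model
table of "latest available" builds, the baseline for each device model is
derived from what other devices of the same model have already reported.
The fleet below is constructed: model names, dates and patch levels are
illustrative, not real data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    device_id: str
    model: str        # hardware model plus carrier, since carriers ship builds separately
    os_version: str   # Android OS version, e.g. "10" or "8.1"
    patch_level: str  # Android security patch level "YYYY-MM-DD" (string order == date order)
    first_seen: date  # the day this device first reported this exact build


def build_key(d: Device) -> tuple:
    """Android needs both numbers: compare OS version first, then patch level."""
    return (tuple(int(p) for p in d.os_version.split(".")), d.patch_level)


def build_label(key: tuple) -> str:
    """((10,), '2020-07-05') -> '10/2020-07-05' for readable output."""
    return ".".join(str(p) for p in key[0]) + "/" + key[1]


def builds_by_model(fleet: list) -> dict:
    """model -> {build_key: earliest date any device of that model reported it}.
    That earliest date is the moment the build is known to be available."""
    seen = {}
    for d in fleet:
        per_model = seen.setdefault(d.model, {})
        k = build_key(d)
        if k not in per_model or d.first_seen < per_model[k]:
            per_model[k] = d.first_seen
    return seen


def naive_policy(fleet: list, min_patch_level: str) -> list:
    """The static MDM rule: every device must be at min_patch_level or newer,
    regardless of whether such a build exists for its model."""
    return sorted(d.device_id for d in fleet if d.patch_level < min_patch_level)


def stuck_by_naive_policy(fleet: list, min_patch_level: str) -> list:
    """Devices the static rule marks non-compliant although no newer build has
    ever been observed on their model: out of compliance with no way back in."""
    seen = builds_by_model(fleet)
    stuck = []
    for d in fleet:
        has_newer = any(k > build_key(d) for k in seen[d.model])
        if d.patch_level < min_patch_level and not has_newer:
            stuck.append(d.device_id)
    return sorted(stuck)


def data_driven_policy(fleet: list, today: date, grace_days: int = 14) -> dict:
    """Flag a device only when some newer build has been observed on its model
    for more than grace_days. Returns {device_id: newest build label}."""
    seen = builds_by_model(fleet)
    flagged = {}
    for d in fleet:
        newer = {k: first for k, first in seen[d.model].items() if k > build_key(d)}
        if not newer:
            continue  # nothing newer exists for this model yet: nothing to require
        oldest_newer_available = min(newer.values())
        if (today - oldest_newer_available).days > grace_days:
            flagged[d.device_id] = build_label(max(newer))
    return flagged


# Constructed telemetry snapshot as of TODAY (illustrative values only).
FLEET = [
    Device("p1", "pixel", "10", "2020-07-05", date(2020, 7, 8)),
    Device("p2", "pixel", "10", "2020-06-05", date(2020, 6, 9)),
    Device("p3", "pixel", "10", "2020-05-05", date(2020, 5, 8)),
    Device("g1", "galaxy-carrierX", "10", "2020-05-01", date(2020, 5, 20)),
    Device("g2", "galaxy-carrierX", "10", "2020-05-01", date(2020, 5, 22)),
    Device("g3", "galaxy-carrierX", "9", "2020-04-01", date(2020, 4, 10)),
    Device("t1", "old-tablet", "8.1", "2019-12-01", date(2019, 12, 15)),
    Device("t2", "old-tablet", "8.1", "2019-12-01", date(2020, 1, 4)),
]
TODAY = date(2020, 7, 14)


if __name__ == "__main__":
    print("static rule flags:     ", naive_policy(FLEET, "2020-06-01"))
    print("  ...with no fix to apply:", stuck_by_naive_policy(FLEET, "2020-06-01"))
    print("data-driven rule flags:", data_driven_policy(FLEET, TODAY))
```

In this snapshot the static rule marks six of eight devices non-compliant, four of which have no newer build to move to, while the data-driven rule flags only the two devices that have ignored a build their own model has been receiving for more than two weeks. The device on the most recent build is never flagged, and a device that is one build behind is left alone until the grace period on that build expires.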

To learn more about our mobile security platform, including vulnerability management, check out our platform page.