
Thread: Rooted Android - security risks on MS Exchange activesync

  1. #1
    Orange&White
    Join Date: Feb 2008
    Location: Austin
    Posts: 10,633

    Rooted Android - security risks on MS Exchange activesync

    My employer is about to implement an MDM (Mobile Data Manager) on our Exchange server. One of the recommended policies is to prohibit "rooted" Androids and "jailbroke" iPhones. The standard line is that "it's a security risk". However, not one single person, even the MDM vendor, can verbalize a single security "risk" associated. They just keep saying that "it is a huge risk".

    Mind you, my personal feeling is that me getting work email on my phone is a benefit to my employers and definitely NOT to me. I will gladly return my $75/month stipend to never receive another work email as long as I live. But, we need to establish how many people will fall into this category and how important it is to deal with it and how to proceed.

    I've been searching Google for about 30 minutes and I only came across a single article that discusses this issue, and virtually none of the risks apply to us because we are only offering MS Exchange email sync to the device and we will be enforcing a user password screen unlock. And we will be able to wipe the corporate email application and data from the device if the user loses it.

    So, can anyone here give me real, verifiable security risks of allowing rooted Android phones or jailbroke iPhones to connect to our Exchange server?

    To be honest, since I carry an Android, that is all I've really looked at. If iPhones are vastly different, I haven't run across it yet.

  2. #2
    sessamoid
    Join Date: Feb 2008
    Location: San Francisco, CA
    Posts: 4,522

    Rooting your Android is basically gaining low-level operating system access and breaking down the security measures that Google built into Android. Now most rooting programs and firmware mods aren't malicious, but how is your employer supposed to know if you got a dangerous one? I doubt your employer is qualified to keep track of which root mods are safe, and even if they had the ability I'd doubt they want to take the cost and effort for no benefit to them.

    If you've rooted your phone with a malware kit, then everything is potentially exposed and compromised, including the ability to remote wipe.

  3. #3
    Orange&White
    Join Date: Feb 2008
    Location: Austin
    Posts: 10,633

    Originally posted by sessamoid:
        Rooting your Android is basically gaining low-level operating system access and breaking down the security measures that Google built into Android. Now most rooting programs and firmware mods aren't malicious, but how is your employer supposed to know if you got a dangerous one? I doubt your employer is qualified to keep track of which root mods are safe, and even if they had the ability I'd doubt they want to take the cost and effort for no benefit to them.

        If you've rooted your phone with a malware kit, then everything is potentially exposed and compromised, including the ability to remote wipe.

    Thanks for the response.

    What is actually exposed? Compromised? (I'm asking legitimately and not as an $#@!) As I mentioned, we are only offering access into our Exchange environment. None of that data is stored locally on the phone, so all we would be wiping anyway is the application. And, as I mentioned, we will be enforcing a password-protected lock on the device, which will provide an (albeit small) layer of protection.

    I just find it very odd that there is next to nothing available on the web that can actually give a real world explanation/example of a security risk. And not even an expert or the actual vendor of the MDM can quantify it in any way.

    The only reason I am asking about this is because I specifically, and probably many others in the workplace, will just as soon not get emails on their phone and will not unroot their personal phones in order to comply. But there will be questions from their directors/supervisors, who will want a "real" explanation as to why those people will no longer be accessible.

    As I mentioned, me getting work emails on my personal phone is a benefit to the boss, not me. So when a bunch of bosses can no longer email their employees, they are going to get pissed, but at the same time, they are not going to want to shell out cash to buy a separate phone for those employees (who won't want to carry a second device). And I cannot see a policy being implemented that will "force" a person to unroot their personal device in order to comply. The only incentive offered is a small stipend to cover the monthly bill. But many, like me, will gladly give that up. But what I won't give up is the ability to wirelessly tether from my phone, my backup software on my phone and the endless amounts of additional modifications that I enjoy on MY phone.
    Last edited by Orange&White; 03-15-2012 at 01:05 AM.

  4. #4
    sessamoid
    Join Date: Feb 2008
    Location: San Francisco, CA
    Posts: 4,522

    The risk is the same as if you had allowed somebody to install something as admin on your Windows box or as root on your Linux/UNIX computer. They can install key loggers, password detectors, sniff your email, your contacts, phone numbers. It doesn't have to be stored on your phone. Smart malware can download them all from your Exchange server. I don't know of any such exploit on Android, so this is theoretical, but possible. The risk is small but real. Whether your company decides that risk is worth it or will just buy you another phone is the question.
    Last edited by sessamoid; 03-15-2012 at 02:11 AM.
