
10/5/2012
11:32 AM
Dark Reading
Products and Releases

iPad, Samsung Galaxy Tab, And BlackBerry PlayBook Under Security Spotlight


5 October 2012: Context Information Security has identified security failings in three of the most popular tablets, raising concerns for organisations looking to introduce BYOD (Bring Your Own Device). In research published today, the Samsung Galaxy Tab was found to have serious weaknesses that make it difficult to recommend for use in the enterprise, according to Context. And while the iPad and BlackBerry PlayBook performed better, both still have security problems, including desktop software that does not encrypt backups by default. The BlackBerry was the only device found to have a workable solution to BYOD and provide good separation between personal and work data.

The full Context report "Tablets - A Hard Pill to Swallow" can be downloaded at: http://www.contextis.co.uk/research/white-papers/tablets/

Context found that while all three tablets have reasonably good support for Exchange ActiveSync, which means that the core security configurations can be managed from a central Exchange server, there are significant differences in security levels between the Galaxy tablet and the iPad and PlayBook. Context investigated a number of security controls to determine whether they were suitable for enterprise use. These included data protection, software integrity and updates, access control, security configuration profiles and connectivity, along with backup and synchronisation.

Despite its popularity as a consumer device, the iPad was shown to have robust data protection and damage limitation facilities. However, weaknesses remain: new jailbreak attacks appear regularly, and disk encryption is ineffective unless a strong passcode policy is applied. And although the iPad's disk encryption scheme is well designed, the default behaviour for iTunes backups is to store the files in clear text, the same approach adopted for the BlackBerry. The Samsung Tablet does not ship with a locked bootloader, and its disk encryption provides weaker support and is more intrusive to use. Even when encryption is enabled on the Galaxy, it allows badly written apps to store sensitive information on the unencrypted SD card.

A lack of enterprise-level management tools beyond ActiveSync also means that it is very difficult to manage more than a small number of Galaxy Tabs in an enterprise environment, a problem shared with the iPad when using the available Apple tools. Context found that the BlackBerry is far more advanced in its level of readiness for BYOD than either of the other two tablets. Its Balance architecture, in combination with the Bridge application, provides excellent logical and data separation between work and personal modes.

"It is difficult to ignore the growing presence of tablet computers in the home and workplace offering a blend of productivity, connectivity and physical freedom which has never been achieved before," says Jonathan Roach, Principal Consultant at Context and author of the report. "The device format is perfect for social networking and creating and sharing documents, presentations and other content on-the-fly, but the same characteristics also present tough security challenges for organisations. Our research suggests that most tablet manufacturers still have a way to go before their products can deliver the high levels of security required for use in most corporate enterprises."

About Context

Context was launched in 1998 and has a client base that includes some of the world's most high-profile blue chip companies, alongside government organisations. An exceptional level of technical expertise underpins all Context services, while a detailed and comprehensive approach helps clients to attain a deeper understanding of security vulnerabilities, threats or incidents. The company's strong track record is based, above all, on the technical skills, professionalism, independence and integrity of its consultants.

Many of the world's most successful organisations turn to Context for technical assurance, incident response and investigation services. Context is also at the forefront of research and development in security technology. As well as publishing white papers and blogs addressing current and emerging security threats and trends, Context consultants are frequently invited to present at open and closed industry events around the world. Context delivers a comprehensive portfolio of advanced technical services and, with offices in the UK, Germany and Australia, is ideally placed to work with clients worldwide.
