No, I am not talking about a virtual iOS that runs on your Android phone to make it look and feel like an iPhone (and no, I have not officially heard of anything like that yet :)). I am talking about a more serious security issue: how people fool iOS-only networks into letting their Android devices in.
Android phones and tablets are barred from the corporate network in many enterprises, whether for downloading email, accessing files or reaching the network at all, because Android is considered highly vulnerable and heavily targeted by malware. That is not untrue: statistics show 600% growth in Android-specific malware, and because of Android fragmentation many old, highly vulnerable versions are still in use.
But employees are too smart to be restricted that easily. A simple Google search turns up many instances of how to fool a portal-based (user-agent-based) entry check. There are of course many other ways; I just wanted to highlight one so that the IT people in charge of security get a sense of how technology moves faster than one can keep up with it.
Here is one that I tried on my Android phone to get into the system:
- Open the native browser on your Android phone (any browser will do, but the steps may differ slightly)
- Type “about:debug” in the address bar, without the quotes, and then press the “Go” button next to it (not Return on the keypad)
- Open the menu and tap “Settings”
- Tap “Debug”
- Tap “UA string”
- Tap whichever device you want to pretend to be
These are the choices I get on my HTC One X:
I chose iPhone. Not only did I get into the network, but every website I browsed now thought I was on an iPhone and served iOS-specific ads: wsj.com (Wall Street Journal), for example, offered me its iOS apps to download. You get the point: user-agent-based fingerprinting and the security setups built on it (which most products on the market use today) are easy to fool. The device gets onto the network and does whatever it was originally not allowed to do, without leaving IT a clue. This is what happens when the user-agent is used to identify and fingerprint the device, and most tools on the market today do exactly that.
For those who want the 101 of device identification by user-agent, here is a basic explanation.
When a device connects to a network and tries to browse, the browser sends an identifying string (the User-Agent header) describing itself and the device: usually the browser name, the OS name and version, and sometimes a device name (iPhone, iPad, BlackBerry, etc.). Most solutions detect the device from this signature. Unfortunately the information is incomplete and inconsistent, sent in no standard field format, and varies with the browser and even with the development toolkit the browser was built with. Worst of all, as shown above, it can easily be faked and spoofed. It is not a secure way of identifying a device, and anyone with basic knowledge of a smartphone can fool the system.
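To make the weakness concrete, here is a small added example (my own, not code from the original post or from any product it mentions) of the kind of user-agent-based gate described above: it parses the User-Agent header, guesses platform, OS version and device name, and admits only iOS. The four sample User-Agent strings are constructed for the demonstration: the first has the shape of the stock Android browser UA on an HTC One X, the second the shape of the iPhone string the same browser sends once “UA string” has been switched to iPhone. The gate has no way to tell that the iPhone string came from an Android handset.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample User-Agent strings (not taken from the original post).
UA_HTC_ONE_X = ("Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; HTC One X Build/IML74K) "
                "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")
# Same handset after switching the browser's "UA string" setting to iPhone.
UA_IPHONE_SPOOF = ("Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) "
                   "AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 "
                   "Safari/6531.22.7")
UA_IPAD = ("Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 "
           "(KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3")
UA_DESKTOP = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36")

# iOS: "(iPhone; ... CPU iPhone OS 4_0 like Mac OS X" or "(iPad; CPU OS 5_1 like ..."
_IOS_RE = re.compile(r"\((iPhone|iPad|iPod);[^)]*?CPU (?:iPhone )?OS (\d+)_(\d+)")
# Android: "Android 4.0.3; en-us; HTC One X Build/IML74K" (locale segment optional)
_ANDROID_RE = re.compile(r"Android ([\d.]+);\s*(?:[A-Za-z-]+;\s*)?([^;)]+?)\s+Build/")


@dataclass
class DeviceGuess:
    platform: str              # "ios", "android", "desktop" or "unknown"
    os_version: Optional[str]  # e.g. "4.0.3"; None if not stated
    device: Optional[str]      # e.g. "HTC One X" or "iPhone"; None if not stated


def classify_user_agent(ua: str) -> DeviceGuess:
    """Naive UA-based device identification, in the style of a portal gate.

    Every field is read straight from the string the client chose to send,
    which is exactly why the result is a claim rather than evidence."""
    m = _IOS_RE.search(ua)
    if m:
        return DeviceGuess("ios", f"{m.group(2)}.{m.group(3)}", m.group(1))
    m = _ANDROID_RE.search(ua)
    if m:
        return DeviceGuess("android", m.group(1), m.group(2).strip())
    if "Android" in ua:
        return DeviceGuess("android", None, None)
    if "Windows NT" in ua or "Macintosh" in ua or "X11" in ua:
        return DeviceGuess("desktop", None, None)
    return DeviceGuess("unknown", None, None)


def ua_gate_allows(ua: str, allowed_platforms=("ios",)) -> bool:
    """The iOS-only gate the post describes: decide purely from the User-Agent."""
    return classify_user_agent(ua).platform in allowed_platforms


def main():
    samples = [("HTC One X (native)", UA_HTC_ONE_X),
               ("HTC One X (iPhone UA)", UA_IPHONE_SPOOF),
               ("real iPad", UA_IPAD),
               ("desktop Chrome", UA_DESKTOP)]
    for label, ua in samples:
        g = classify_user_agent(ua)
        print(f"{label:<22} -> platform={g.platform:<8} os={g.os_version!s:<6} "
              f"device={g.device!s:<10} allowed={ua_gate_allows(ua)}")


if __name__ == "__main__":
    main()
```

Run it and the HTC One X string is refused while the iPhone string sent from the same handset is admitted, and nothing else in the request distinguishes the two. The practical takeaway for any gate built like this is that the User-Agent header is something the client asserts about itself; it is fine for content negotiation, but a device allow-list needs a signal the user cannot rewrite from a settings menu, such as a certificate or an enrolment that the network itself can verify.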
This is where *i7’s PeregrineGuard distinguishes itself. It uses a sophisticated, US patent-pending triangulated fingerprinting algorithm to determine precisely what the device is, along with its class, type, OS, version and much more, in an enterprise environment.
The point is that managing security for BYOD is going to be very tough. You really need a specialized tool; tweaking existing tools and solutions to fit the BYOD era (whether or not you allow BYOD devices on your system) is only going to make it more vulnerable.