Containers Spell Security Threats For Mobile
Containers are gaining popularity, but for mobile usage introduce security vulnerabilities.
August 14, 2015
Containers are all the rage across IT. In the realm of mobility, this is leading businesses into a false and dangerous sense of security. IT departments seem to believe that business apps are safe as long as they're in a "container," an encrypted section of a smartphone that separates corporate apps from consumer apps. Samsung, Good, AirWatch (VMware) and many other vendors have come out with versions of containerization technology.
I hate to be the bearer of bad news, but no, containers cannot protect your data from cyber criminals.
"Containerized" apps are vulnerable because they rely on the same operating system (OS) services used by apps outside the container. Thus, a malicious app located outside the container can intercept data passed back and forth between the containerized apps and the smartphone's screen and keyboard.
While containers may encrypt data, they are merely logical sections of the device. Within one OS instance, all apps rely on the same display, keyboard, microphone, speaker, camera, etc. as well as the operations associated with those hardware elements. If any one of these services is compromised, containerized data and applications can be compromised too.
To illustrate, imagine receiving an email from a friend with a link to download a popular game. This is a friend you trust -- the email address seems legitimate -- so you click the link and install the game on your device, outside the container where all your personal apps belong. The game works perfectly.
However, this seemingly innocent game contains malware code that was inserted by a hacker in order to gain access to data on your device. Unknowingly, when you launch the game, the malware starts taking a screenshot every few seconds and sends it to a remote server.
You play a few rounds of the game and then log into your "secure" container. Apps in the container rely on the same OS services used by apps outside of the container. In this case, the malware exploits a vulnerability in the OS services code that allows it to capture all the data that is sent from an app to the display. From this point on, the malware grabs whatever is displayed on screen. Confidential emails, credit card numbers, prepaid QR codes or any other sensitive data could be recorded and siphoned to the hacker's server.
The screenshot malware is just one possibility. Other malicious apps could record key strikes, hijack the microphone or track your location via GPS. Researchers have even exploited smartphone accelerometers to capture gesture-based passwords, and they have used the gyroscope as a crude microphone to spy on face-to-face conversations. No container technology is able to protect user data from these types of attacks.
Considering that McAfee Labs discovered over 700,000 new mobile malware instances per quarter in 2014, it's safe to assume that these threats are not going away any time soon. Rather than settle with a façade of security, companies must embrace technologies that truly address the threat.
Containers are simply too risky to be used in corporate and government environments where data security is of paramount importance. Consumers, likewise, can't rely on containers and different application wrappers to preserve their privacy and protect what really matters. The promise of containers is empty.
About the Author
You May Also Like