I continue to be frustrated by the use of the “99.7% of Android phones vulnerable” line of reasoning about the Android session token thing. Today, it’s on the ThreatPost – from the article entitled, “Researchers: Android App Authentication Bug Affecting 99% of Users” (emphasis mine):

Researchers from ULM University have found a security flaw similar to sidejacking in Google’s Android operating system affecting some 99.7% of the platform’s users.

Now, I want to be clear that my issue isn’t with ThreatPost or their coverage.  It’s good to get eyes on this issue; right now, there are Android users who need to know about this issue so they don’t get put at risk.  It’s important to report on it, and useful to have it covered in the press.  So that’s all good.  My issue isn’t with the research either.  That’s also “all good.”  However, all that being said, I do have to confess that I have an issue that occurs somewhere in the translation between researcher to press to audience.  I’m not sure where or how it’s happening, but it is.  Let me describe to you what I mean:

Posit with me for a minute that there could exist somewhere in the universe a (completely hypothetical) zombie plague that infects humans.  Now, by virtue of humans being human, they are susceptible to that plague.  In other words, they have the capacity to become infected even though they are not currently in that state.  Have that in your mind?  Right.  Given those parameters, would it be accurate for me to release a headline along the lines of “Civilization affected by zombie plague?”

No, right?  Why?

After all, humans are vulnerable to the hypothetical zombie plague… they have the capacity to become infected….  Doesn’t that mean they are “affected”?    From a certain point of view, that could be technically true.   But it’s off the mark because to most people “affected” means something else:  like that they are currently actively being affected rather than that they are tangentially or indirectly affected.

I could say for example that I’m “affected” [little 'a'] by diabetes… because my uncle had it. So it affects me as in “influenced in a harmful way“.  That’s technically true, but you’d probably think/infer that I had the disease if I said it that way, right?  What I probably might say… to convey tangential impact (while still being clear that I remain uninfected) is that I’m ‘impacted’ by diabetes (because my uncle had it)… or maybe I could say I’m ‘vulnerable’ (or potentially ‘susceptible’) to diabetes (by virtue of being someone who can potentially get it).  But “affected” at it’s core implies direct impact.

So, while it’s technically accurate to say that 99.7 of android phones are “affected” by the authentication weakness issue (in that they are – by virtue of being platforms vulnerable to the issue when used in a certain way), it’s deceptive – though unintentionally so.  Because not every android phone will operate under a use case where this issue compromises security.  Thought of another way: the number of Android phones for whom “security is reduced” (replacing “affected”) is not 99.7%.  99.7% is the theoretical upper bound of all devices for which security could potentially be reduced.  The real number… the actual number… would be the subset of users that operate in a use case where protection of the token is at issue given the current bug… unprotected WiFi.  What percentage of users use unprotected WiFi?  I don’t know, but I guarantee you that it’s not the theoretical maximum of all devices that support it (I can prove it because I don’t use it – and even if I’m the only one not doing so, that means n < the theoretical ceiling.)

Why do I care about this at all, you ask?  Because I think the original research is valuable and I think the message is really important to the actually-impacted subset.  Skewing this number influences reader response in a way that dilutes the severity of the message for those that are impacted.  For example:

• “99.7% of Android users impacted by authentication bug.” Reader response:  “Geez, I guess that’s everybody.  They should really fix that.  Nothing I can do… guess I’ll go check my email using the Starbucks free WiFi”
• If you’re one of the (10/15/20 percent) of unprotected WiFi users on Android, you’re already owned. Reader response: “Oh jeez.  I do that.  I really need  to take some action right now.  Like maybe I should stop using the free WiFi”

See what I mean?  Implying that something applies to everyone makes it less likely that any individual someone in that group will take direct action.  Conveying that there is a small, high-risk group within the broader population makes it more likely that any single individual will take action.

Didn’t catch this in my Google alerts when it was published (which is why I’m only posting about it now!) – but I did an overview of smartphone security options for EnterpriseMobile in June.

Smartphones in use by company employees have changed a lot over the years — from phones with simple repositories of contact and calendar information to 32GB multi-function devices that can connect to the corporate cloud and download huge quantities of information. The traditional gold-standard of protection for these mobile devices is lock and wipe. Locking renders the device unusable and wiping removes all data on the device and resets it to the default (out of box) configuration.

But just as mobile devices have evolved, so has mobile device security to include additional features and management options. In this piece we take a look at whether or not mobile IT staff are using lock and wipe for company phones and how the available solutions have evolved over the years.

To prioritize what matters most, Eric Maiwald, research vice president of Gartner, says the majority of companies are looking for three key capabilities on phones: “Authentication, encryption of stored data and the ability to kill it remotely.” There are a few basic ways to implement these capabilities:

Natively — using management tools that come with the phone or from the phone provider;

Third Party Messaging — using management from the e-mail service, such as Exchange or GAPE;

Third Party Management — management tools purchased for security and policy control of mobile devices.

Many thanks to Eric Maiwald at Burton Group/Gartner for his insight and time. For the full article please click here.

Have you heard about Smishing? Apparently, that’s what you call it when you get a phish SMS on your cell phone. The scenario is the following: you get a suspicious SMS with a link in it, you follow the link which downloads a file, you are asked if you want to install the file, you agree and install it, and finally you get some trojan that hoses you. Totally a raw deal for the phone user. Although sometimes you have to draw a line in the sand, and I’m *not* going to call it smishing. Really, it sounds too dumb. So I’m just not gonna do it.

Ancillary to that, I’m less concerned about the phone-phish (see, not calling it smishing) that installs a trojan and more concerned about the phishing that asks you for information like your profile password, PIN, or other information. A few weeks ago, I probably would have discounted this as something serious to worry about, but then I got signed up for DateSite and now I fully understand the power of the nagging, insistent, and unstoppable SMS. Seriously, if my phone lights into “This Corrosion” or whatever at 2AM, I think I’d be ready to give away just about any information they want if that’ll get the texting to stop.

In other, totally unrelated, news – AT&T Loses all our data.

Computer Associates slapped F-Secure the other day for hyping up phone-borne malware when no real threat exists. Check it out; CA’s Simon Perry had this to say:

“While F-Secure’s bankers and owners may be pleased with the cash flowing into their coffers from the deal, every security professional should be appalled by the perception this creates of our market. Industry and vendors are now more consultative and honest about risks, not just beating something up to sell it. F-Secure has done the industry a disservice.

And he’s right. Despite what McAfee told us about 2006 being the “year of mobile malware”, we still have yet to see any significant traction from phone-borne malware. F-Secure’s retort acknowledged this:

It’s not a global epidemic, but there are real people who have got it. There have been several tens of different viruses