Sunday, March 23, 2014

The Mobile Security Failure

Mobile has substantially changed the security update landscape, driven in part by evolving consumer expectations that champion frequent, minor enhancements over stability and security. I first discussed the defect acceptance trend in 2012 as a way to explain how software companies have been able distribute flawed software while also handing responsibility for maintaining that software to the consumer. In the two years since, accelerated use of mobile, and by extension cloud, applications has worsened the trend by limiting end-user control and forcing the consumer to accept unwanted feature changes to receive security updates. Not only must consumers accept flawed software, they must now also trade flexibility for some semblance of protection.

I’ve recently had three operating system software updates that each provide new perspective on how software maintenance has changed over the last decade. I’ll take a look at how those changes reflect new cost to consumers.

Microsoft Windows XP

I am a loyal XP user. There I go, I’ve said it. How could I, as a security professional and admitted Apple Macintosh enthusiast, continue to use such an antiquated operating system? In the 13 years since it was first released, XP has been replaced by three subsequent Windows versions. By computing terms, XP deserves to be a museum. From a security perspective, XP unlocked many of the doors to modern hacking euphoria. In a word, XP is simply insecure.

So, why do I still continue to use it? For one, XP, when properly constrained, is actually a good operating system. I first built my computer nearly 11 years ago. Since then, I’ve upgraded many of the system components, changing old system fans, swapping in a new power supply, upgrading the memory, and reinstalling the operating system a couple of times as a matter of cleaning it up. After buying my first MacBook Pro, I added a RAID array and converted the XP machine into a network file server and dedicated household finance machine. Basically, it now only exists to backup our files and for banking. In this utilitarian role, XP has been a reliable partner.

I’m also stuck with XP until I get around to building a new machine. The motherboard, processor, and memory support are too dated to support more modern versions of Windows. I could install Linux and gain a bit more control while also extending the hardware life, but that would require relearning Linux (and asking my wife to relearn Linux), and may have an adverse impact on our ability to conduct our financial work, so that’s a no go.

Until now, Microsoft has rewarded my XP loyalty with longevity of support. While new flaws constantly appear, Microsoft eventually fixes them. Since the system is protected in a variety of other ways and serves in a very specific, low-use role, as long as Microsoft has continued to provide security updates, I’ve been comfortable keeping the old guy around. 

That support is now ending. For once, I don’t blame Microsoft. But, it’s approach to XP is an example of legacy thinking that while the consumer may have to accept a defective software product, Microsoft would continue to support it without forcing the consumer to constantly upgrade and accept unwanted features. Times are changing, and not for the better.

Apple OS X and iOS

Apple has changed the rules of the operating system game. It could get away with locking the consumer into a very constrained computing ecosystem because it’s systems “just worked.” Unlike Microsoft implementations, Apple traditionally bucked the defect acceptance trend by emphasizing superior design and quality. Consumers pay a premium for that superiority, but in my experience, the premium is more than warranted.

That Apple luster is fading. Now in a much more prominent industry position, software quality is suffering from the voracious consumer appetite for rapid and frequent feature enhancement. Unlike the past where software updates would largely focus on security enhancements, updates now also include feature additions and enhancements, likely distracting development activities. Rather than address security concerns across multiple operating systems, Apple has moved to a business model where it provides free software version updates to encourage adoption. Unfortunately, Apple uses this approach to rapidly relinquish its responsibility to secure past software versions, thereby forcing consumers to more frequently update system hardware to support the most recent software.

The recent “Goto Fail” vulnerability demonstrates how this new approach is adversely affecting consumers. iOS, the operating system that powers iPhones and iPads, rapidly received the necessary security patch as part of a broad software update that Apple had already completed work on. OS X, the operating system that powers Macintosh computer and is subject to much longer release cycles, didn’t receive an update until several days after the iOS update.

When Apple fixed the iOS vulnerability, it generally only fixed it for devices running the most recent version of iOS, version 7. There were some exceptions for devices that cannot support iOS 7, but my iPad2 wasn’t one of them. To protect my 2.5 year old device, I had to upgrade it from iOS version 6 to iOS version 7, an upgrade I was hesitant to apply due to performance concerns on my older device. I was faced with a hard choice, accept the potential performance degradation and protect my Internet communications, or accept the flaw to retain my preferred operating system. By patching iOS 6 for only those devices that didn’t support the most recent version, Apple announced to consumers that the company, not the consumer, controls software maintenance. Its support program will instead focus on the devices themselves, allowing Apple to dictate the terms of their assured usage.

Note: There is some confusion as to whether Apple would have allowed me to keep iOS version 6. According to some notes, Apple did provide a patch for my iPad2 without upgrading to version 7. But, when Apple pushed the fix to my device, the only option I received was to upgrade it to version 7, not retain version 6.

Being a security professional, I decided that I had to upgrade. Essentially, Apple forced my hand into accepting an entirely new feature set to correct a defective software product. Apple has evolved the operating system model to provide major version updates at no monetary charge to the consumer, but we are paying for it through a new requirement to upgrade whenever we’re told to. Following this forced update, my iPad2 performance has certainly dropped, with slow transition between apps and sluggish app performance. I’ve also lost many features in the transition, including my favorite, the lock screen photo frame that I used in the office to cycle through family photos.

The message here is that software companies have no intention of supporting even slightly dated software. Agile and other incremental software development models have changed our consumer expectations, emphasizing constant and persistent “newness” over quality. We as consumers will forgive defect as long as we continue to receive greater value in added features. But companies like Apple (and just about any mobile app developer) are taking advantage of our forgiveness by requiring that we accept whatever they give us to stay protected. Mobile software is not “patched” like legacy software. Rather, mobile operating systems and apps are “released” incrementally, and never really completely.

Android Devices

Google follows Apple’s lead in terms of mobile software. Android security patches come through new operating system and app releases rather than security patches. The difference lies in mobile carrier control that undermines consumer protection.

I first wrote about mobile carrier control nearly two years ago, and now realize that the damage extends beyond the scope I discussed then. From a security perspective, Google frequently updates the Android operating system as it discovers and corrects vulnerabilities. However, consumers rarely receive those updates for many months after Google releases the code, if they receive the updates at all. Carriers refuse to support end user protection against known vulnerabilities until they have “certified” the software to not damage the carrier network. While I can see some rational justification for the carrier position, holding consumer device protection hostage for so long should be criminal.

After recently receiving one of very few software updates to my corporate Samsung Galaxy S3 phone, I realize now that the carrier purpose in delaying releases is even more insidious. One of the advantages of Android over iOS is that Google supports a widely open software ecosystem. In contrast to Apple’s strict control over operating system features and usability, Google allows consumers a broad ability to tune and configure how the Android system works and grants app developers much greater flexibility in modifying how Android functions.

This software flexibility comes with many consumer advantages. While carriers are granted the opportunity to install their own apps and configurations on Android devices (often called bloatware because most of the apps are useless), consumers can install software that sometimes uses the Android openness to defeat carrier restrictions. I had several apps that unlocked desirable Android features that my mobile carrier had disabled and regularly used to support my daily workflow. Then, the Android update pushed by my carrier disabled those features in new ways to favor carrier preference, rendering useless the associated apps. After holding my device hostage and delaying the protection against active attacks, I could only receive the enhanced protection if I accepted that the carrier would reconfigure my device to satisfy its desire to restrict its capabilities.

Consumer Options

I’m at a bit of a loss as to how consumers can respond to software developers, device manufacturers, and mobile carriers that are demanding greater control at the expense of security. In modern computing, our ability to “own” our systems is devolving in favor of a “license-to-use” agreement where we accept the systems as merely containers of corporate will. Until some major disruptive influence steers the market more in our favor, I would suggest a few actions that consumers and businesses could take to improve their security outlook.
  1. Give up XP. It’s a fact that XP is at its end-of-life. If you can purchase new hardware, do so. I’m still a big fan of Apple systems because they require so little end-user maintenance to stay reasonably secure, but systems based on Microsoft Windows are fine if there are other restrictions that require it. If you’re unable (or unwilling) to purchase new hardware, consider migrating to a Linux distribution such as Ubuntu. It will require a bit more self-education on configuration, but you would gain a lot more control over the system than you ever had before.
  2. Ditch the carrier subsidized device. When you purchase a device from the carrier, it grants far too much control to carrier whims. Unsubsidized devices are much more expensive in the short term, but it’s well worth your investment to regain control over your system. This applies most to Android devices as Apple devices are not subject to much carrier control.
  3. Jailbreak your device. Everyone will strike fear into your heart for “jailbreaking” or “rooting” your device to gain complete control over it, threatening your warranty and opening the potential of “bricking” or completely killing your device. I would caution that you should only do it if you’re completely comfortable with the risks, but don’t let fear factor into the equation. Taking control of your device through a jailbreak could give you confidence that you can configure and protect it better than the developer or carrier would. However, you would be accepting much more responsibility over keeping it current.
Beyond those suggestions, I think that the market is approaching a point where it is ripe for disruption. It will be interesting to see what form that disruption comes in.