How Safe Are Mobile Operating Systems? Not Very!

Enterprise data hack

Just when one thought that mobile devices were safer than the old-fashioned desktops and laptops, the world is telling us that it is actually as unsafe, if not more. Hackers are constantly trying to find that chink in the security armor through which they can break in and compromise data. And, with the bring-your-own device (BYOD) culture fast catching up at the enterprise levels, data security challenges can only go one way – north of where it is now.

When everyone was taking about security threats to the Android OS, Apple users were feeling relaxed in the belief that their iPhones were safe. Now, it is claimed that this frontier can also be breached. Imagine a software such as iOS, which was created with the expertise of developers within a single enterprise like Apple that has security checks in place.

According to VUSec Lab at Vrije Universitiet Amsterdam, just recently discovered a method by which, millions of Android could again be left vulnerable to cyber attacks, whereby flaw in the mobile memory could be exploited. Needlessly to say, all users, including enterprise users are on the defensive, and need to implement policies to tackle the issue.

The attack in question is the Drammer exploit which is based on Rowhammer class of attacks, and specifically targeted at memory chips like DRAM, and has the ability to reach the ‘Root’ of most Android devices, even ones with ARM chips. This new access attack is based on the memory hardware vulnerability, which gives undesired access to the root system of Android devices, using just a simple app, without having to need special permissions to do the hacking.

In fact the research team in Amsterdam claim to have hacked and rooted completely,some high end brands like Nexus 4, Nexus 5, Moto G (2013 & 2014), Samsung Galaxy S5, LG G4, Galaxy S4, and the Oneplus One as well. Victor van der Veen, one of the researchers at Vrije Universitiet, spoke about the biggest challenge, saying “Until recently, we never even thought about hardware bugs [and] software was never written to deal with them. Now, we are using them to break your phone or tablet in a fully reliable way and without relying on any software vulnerability or esoteric feature. And there is no quick software update to patch the problem and go back to business as usual.”

Windows and iOS vulnerabilities

In a recent case, Trident and Pegasus, were 2 major viruses which the Apple team sealed off.But before it actually happened, it could have left significant number of devices exposed to these attacks, even thought eh OS is considered to be the safest pick of the lot from Android and Windows. Brad Anderson, the Microsoft Vice-President for Enterprise and Client Mobility, said,

“This has been a pretty startling wake-up call and a huge reminder that we are all under constant persistent attack, and that any and all platforms and apps have vulnerabilities,” lending testimony to the fact that nearly all of the OS on mobile platform are actually vulnerable. There was a question if he targeted the other rivals OS, but his words signify that it is something which applies to the other OS as well. He added, “I’m not attempting to throw stones at Android or iOS – but there is a dilemma with this perspective.

To be perfectly clear, the dilemma is this:  I know for a fact that all the providers of mobile operating systems go to superhuman lengths to harden their platforms and do everything they can deliver the most secure operating system possible – but this fact also exists in our modern era of digital threats that produce consistent successful attacks despite the incredible efforts of the organizations building these platforms.”


The situation is such, that enterprises and businesses have to stand up to the challenge, but really how? According to Brad Anderson, he suggested 3 basic steps to be undertaken to decrease the level of vulnerability of devices:

1) Companies ought to assume that they have already been hacked, and work accordingly. With the pace at which attacks are coming through, instead of waiting for an actual attack to take place, the operations and technology departments ought to be pre-emptive in their approach, so that they themselves know the vulnerabilities before the hacker enemy does.

2) Use multi-factor authentication wherever possible. This makes the users go through more than a single level of authentication when collaborating with the enterprise systems, thus making vulnerability lower from external attacks, while assuring legitimate entrants, the security of the data, especially that of the cloud.

3) Keeping devices updated is most essential. Hopefully Android, to the annoyance of some, and even iOS and Windows, have been sending across regular patches of software to counter the possible and the existing hacks and data breaches. Even if the hack hasn’t taken place, updating software will ensure that a future possibility in most probability, will be thwarted.