An Update on Mobile OS Updates

By Michael Soto

When should I update my mobile device?

Many of the customers I meet with ask, more often than anything else, for a recommendation or guidelines on applying mobile OS updates (Android, iOS, etc.). For corporate customers, this can be difficult, as there is no way to leverage device management technology to centrally manage or control the distribution or application of OS updates. Consumers, on the other hand, face a different challenge: understanding the technical reasons for an update and knowing when to patch their devices to protect against known security flaws and exploits.

News about an SSL vulnerability has made the rounds recently. A new exploit, which affects users of iOS 6.1.x and 7.0.4-7.0.6, allows the attacker to capture screen touches, home button presses and TouchID presses using a “monitoring” app.

As you can imagine, this presents a very serious and critical security flaw that has the potential to put your personal information, and your corporate information if you use your device to connect to corporate resources, at risk. It is important to note the scenario described above is very specific and was conducted in a controlled environment. I used the exploit above, which is a Proof of Concept, to illustrate what is possible and the associated risks faced when a device is exploited.

So, when should you update your device? Let’s face it. The reality is most of us, corporate and consumer users alike, see an update notification come in, and we simply hit the button to download and install without fully understanding the ramifications. We place our trust blindly in the device maker to ensure the update package contains only good things to protect our information and keep our trusty sidekicks running smoothly. That sounds like a good idea, right? Unfortunately, the device makers’ track record is far less than perfect. I am sure we all know someone or have heard stories about someone who has lost their data or had to restore their device to factory defaults as a result of a failed update.

The good news is there are a couple of things you can do to determine if and when you should apply an update. Apple includes a link, just beneath the update button, to a webpage that will provide details on the update. Android users, due to the sheer number of devices and OS versions available, will have to wait patiently as the carriers (e.g. Verizon, AT&T, Sprint, etc.) administer and distribute the updates. Additionally, there are third-party websites as well as a team of Mobile Security experts at FishNet Security that can provide first-hand reviews of the updates for all platforms. These reviews will often be accompanied by an impact analysis that will assist in determining whether or not you should apply the patch.

What should you do going forward? As you can probably guess, there really isn’t a “silver bullet” type of response to be offered. Each update needs to be evaluated to determine if it will have a positive impact. Some updates will repair minor flaws and/or offer minor feature enhancements that you may or may not care about. Conversely, some updates will be major in scope and patch security holes and/or repair critical functions; those you should apply immediately. Educating yourself on the differences will go a long way in determining the impact of the updates provided by the device maker.

It is recommended as best practice to:

  • Back up your mobile device(s) on a regular basis.
  • Prior to an OS upgrade, update your apps.
  • Research issues by leveraging resources that have a mobility focus.
  • Educate yourself before a decision is made on applying an update.