Securing Walled Gardens
Setting up walled gardens around fancy mobile devices (and probably other computers) is very fashionable among vendors. In theory there is a controlled environment where malicious software is virtually unknown. The vendor can implement a strict quality assurance and can tether any aberrant developers to policies. Since a wall is a fundamental security device the vendor gets the psychological bonus of users feeling protected. So with all security issues solved there is no need to break out of the walled garden, right? How do you explain this tweet about the newly released Absinthe jailbreak then?
@chronicdevteam: Some stats since release of #Absinthe – 211,401 jailbroken iPad3’s and 973,086 devices newly jailbroken!
If walled gardens are so perfect, why do millions of users want to break out? Paul Ducklin has explored this phenomenon in an article at the Naked Security blog. Anti-virus software vendors can tell war stories about their battle with Apple. Kaspersky is frustrated, and quoting Mr Ducklin’s article shows where the focus of a particular walled garden seems to be:
So, although you can buy The World’s Most Popular Digital Fart Machine directly from Apple’s website, you can’t even build, let alone distribute, a proper, preventative anti-virus solution for your Phone or your iPad.
Anti-virus software is just an example for a whole variety of security code that could be useful for iOS devices. Some vendors argue that a jailbroken device is less secure than a walled one. In the case of iOS this is not exactly true since the developers of the jailbreaks provide security patches that Apple does not provide any more. It doesn’t stop at the iOS construct. Android has the same walled garden properties, although you have the option to install software from outside Google’s „Play Store“ (mind the name of the shop). Android has even been ported to C#, so there are ways to customise it. There are still constraints from the hardware vendors and mobile network providers who compile a set of applications that are pre-installed on your device. Some of these applications cannot be removed, no matter if you use them or not. Again jailbreaking is the only way around this constraint.
Let’s get back to the BYOD issue we already explored with articles in this blog. We think that the capability of jailbreaking a device is an important feature for BYOD. When it comes to desktop computers or laptops few companies run the operating system pre-installed by the hardware vendor. You always install customised application sets and have to add the in-house configurations. You add security software, VPN configurations (ever tried to add VPN configs to entertainment devices?) and all the things you need to add this device to your infrastructure. Why should you be unable to do this on the BYOD systems? There is no compelling reason to be stopped by a vendor wall. Keep in mind that a Walled Garden will be always outside your influence and thus outside your infrastructure. Your devices must obey your security policy and not vice versa.
Of course, you can always implement your security policy by installing fart apps or your favourite social networking app. We recommend against it.
Cracked a Walled Garden lately? Planning to assault the beaches of vendor devices? If so, think about submitting a presentation or even a jailbreaking workshop for DeepSec 2012!