ANN ARBOR — The Ann Arbor-based two-factor access authentication developer Duo Security has released a new study of its installed base of more than 1 million mobile devices. The results aren’t pretty for the Android operating system, and aren’t that much better for Apple’s iOS.
Duo says its study discovered that more than 90 percent of Android devices are running out-of-date versions of the Android operating system. Duo’s research showed that 32 percnet of Android devices in use in workplaces today are running 4.0 or older of the operating system. That means, Duo says, that they’re vulnerable to attacks such as Stagefright, which allows an attacker to compromise an Android device through a multimedia message such as a video or photo.
An additional finding shows that one out of 20 Android devices used in corporate networks are rooted, which means their users have obtained root-level access to the operating system, meaning they can circumvent any security architecture.
A similar analysis of iOS devices revealed that only 20 percent of iPhones run the latest Apple operating system version, iOS 9.2, compared to just 6 percent of Android devices that are running the latest version, 6.0, known as Marshmallow. Outdated iOS devices have well-known vulnerabilities such as Ins0mnia and Quicksand that make these devices susceptible to attacks.
Duo estimates that more than 20 million mobile devices connected to enterprise networks are no longer supported by their manufacturers, and thus cannot be upgraded to the latest versions of software, which would fix their vulnerabilities. In fact, Duo says many devices still on the market cannot receive updates, meaning that even a brand-new device may be a security concern.
“IT administrators need to gain visibility into the health of all devices accessing their critical applications so that they can better protect these apps and at the same time improve the overall hygiene of all the devices,” said Ash Devata, vice president of product at Duo Security.
Duo recommends that IT professionals implement the following measures to reduce the risk of compromised mobile endpoints:
* Establish basic mobile device security policies for the company and get buy-in from business managers
* Enable all employees to use passcodes and fingerprint screen locks to prevent access to sensitive data on mobile phones
* Consider excluding phones that are jailbroken or rooted from access to corporate data and systems
* Provide helpful tips and reminders to users to check for updates on personal devices accessing company data.
* Update or replace outdated hardware in use in the enterprise that may no longer be supported with security updates by the manufacturer.
* Recommend that employees using Android devices consider Nexus handsets with more frequent and direct platform update support
* Address common update issues up front with guidance on problems related to updating mobile devices, such as providing tips on freeing space for updates
* Encourage users to update during downtimes such as at dinner or before bed
* Use free tools such as Duo’s X-Rayapp for Android users to detect devices with particularly concerning vulnerabilities
A free trial of Duo’s security system is available at http://www.duo.com.