When employees use their personal smartphones, IT often worries that the data on an individual device will be compromised if it’s lost or stolen or gets infected with a virus. But BYOD security threats could be an even bigger issue than many companies realize, as one security researcher recently showed.
At the recent Def Con security conference in Las Vegas, Craig Young, a security researcher with Tripwire, demonstrated a way to hack into an entire organization via its Google Apps domain using a single compromised Android device.
Many companies use Google Apps for corporate email, or for document creation and collaboration. Android makes it easy to connect to Google Apps using a smartphone or a tablet. And that’s where the vulnerability lies.
It’s convenient for users, but there’s a big problem: If a device is logged into a Google Apps admin account, the phone or tablet contains the token needed to access the domain control panel. That means hackers just need to compromise that one device — either by getting physical access or infecting it with malware — to get into the control panel.
With that token, hackers can get into the organization’s control panel, reset passwords, download documents and wreak other havoc.
The token is especially vulnerable because it’s shared by so many apps. For example, Young said, a malicious app may ask for credentials for YouTube but then use them to log into Gmail.
Protect corporate accounts
That’s a big problem, Young said, because there are a lot of Android viruses out there, and Google hasn’t done much to keep them out of the official Android app store.
The best way to keep corporate Google accounts from being compromised: Make sure IT admins don’t use their Android devices to log into administrative accounts for Google services.
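One way to check the above advice is being followed is to audit the domain for admin accounts that have Android devices synced to them. The script below is an added example, not code from the article or from Tripwire. It assumes two inputs shaped like Admin SDK Directory API responses (the field names `primaryEmail`, `isAdmin`, `isDelegatedAdmin`, `type`, `status` and `email` are an assumption about that API; the records themselves are constructed for the demo), and flags every admin, delegated admins included by default, who has an active Android device enrolled.

```python
"""
Audit a Google Apps domain for admin accounts with Android devices synced
to them, the condition the Def Con demo relied on.

Added example, not the article's or Tripwire's code. Input records are
assumed to look like Admin SDK Directory API users.list and
mobiledevices.list results (field names are an assumption); the sample
records below are constructed.
"""
from collections import defaultdict

# Constructed sample of user records (shape is an assumption).
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True, "isDelegatedAdmin": False},
    {"primaryEmail": "bob@example.com", "isAdmin": False, "isDelegatedAdmin": True},
    {"primaryEmail": "carol@example.com", "isAdmin": False, "isDelegatedAdmin": False},
    {"primaryEmail": "dave@example.com", "isAdmin": True, "isDelegatedAdmin": False},
]

# Constructed sample of mobile device records (shape is an assumption).
# A device may list several owner addresses, and casing is not guaranteed.
SAMPLE_DEVICES = [
    {"deviceId": "dev-1", "type": "ANDROID", "status": "APPROVED", "email": ["Alice@example.com"]},
    {"deviceId": "dev-2", "type": "IOS", "status": "APPROVED", "email": ["dave@example.com"]},
    {"deviceId": "dev-3", "type": "ANDROID", "status": "WIPED", "email": ["dave@example.com"]},
    {"deviceId": "dev-4", "type": "ANDROID", "status": "APPROVED", "email": ["carol@example.com", "bob@example.com"]},
    {"deviceId": "dev-5", "type": "GOOGLE_SYNC", "status": "APPROVED", "email": ["alice@example.com"]},
]

# Device states in which a live token could still be on the handset.
ACTIVE_STATUSES = {"APPROVED", "PENDING"}


def admin_emails(users, include_delegated=True):
    """Return the lower-cased addresses of every admin in the user records."""
    admins = set()
    for user in users:
        if user.get("isAdmin") or (include_delegated and user.get("isDelegatedAdmin")):
            admins.add(user["primaryEmail"].lower())
    return admins


def find_admin_android_devices(users, devices, include_delegated=True):
    """Map each admin address to the ids of active Android devices synced to it.

    Wiped or blocked devices and non-Android platforms are ignored, since the
    token-sharing problem described in the talk is specific to Android.
    """
    admins = admin_emails(users, include_delegated)
    findings = defaultdict(list)
    for device in devices:
        if device.get("type") != "ANDROID":
            continue
        if device.get("status") not in ACTIVE_STATUSES:
            continue
        for owner in device.get("email", []):
            owner = owner.lower()
            if owner in admins:
                findings[owner].append(device.get("deviceId", "<unknown>"))
    return dict(findings)


def report(findings):
    """Render findings as one line per admin, sorted for stable output."""
    return [
        f"{admin}: Android device(s) {', '.join(sorted(ids))}"
        for admin, ids in sorted(findings.items())
    ]


if __name__ == "__main__":
    for line in report(find_admin_android_devices(SAMPLE_USERS, SAMPLE_DEVICES)):
        print(line)
```

Run against the constructed sample it flags alice (one active Android device; her Google Sync entry is ignored) and bob (a delegated admin sharing a device with a regular user), while dave is clean because his only Android device has been wiped. Pass `include_delegated=False` to restrict the check to super admins.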
Of course, users’ own accounts can be compromised, too. That’s another reason it may be a good idea to train Android users to avoid downloading suspicious apps.