Mobile Device Vulnerability Management
In part two of our blog series on why it’s important to keep technology and operating systems updated as part of your vulnerability management program, I’ll focus on mobile device vulnerability management: the phones and tablets your users carry, and the operating systems that run on them. The popularity of mobile devices, along with how easily they can be lost or stolen, makes mobile device management a critical component of your security plan.
Increased Risk for Business Users
More people are using their mobile devices for business every day, whether they’re sending email, making phone calls, or using business applications like Salesforce.com or Slack. As a result, mobile devices have become a much more attractive target for attackers. Mobile handsets carry a substantial number of exposed vulnerabilities, so regular operating system updates and patches are crucial. And because more people read work email on personal phones, organizational data is being accessed from devices the organization doesn’t control, so you need a mobile device strategy and policy that addresses these specific risks.
1. Android Products
Google’s Android mobile operating system can be found on most non-Apple mobile devices. By usage share across all devices, Android is now roughly on par with Windows, demonstrating the shift from desktop computing to mobile computing.
Android is based on the Linux kernel. The popularity of the operating system, combined with the modifications each handset manufacturer and/or carrier makes to it, makes patch status a complicated issue: a fix Google publishes reaches a given handset only when its manufacturer and carrier ship it. There’s at least an 18-month support window from the official release of a major revision, with security support extending further out. The security support information is vague, but it’s related to Google’s support criteria for the Pixel phones. Their website states, “Pixel phones get security updates for at least 3 years from when the device first became available on the Google Store, or at least 18 months from when the Google Store last sold the device, whichever is longer. After that, we can’t guarantee more updates.”
The Android Wikipedia page lists each version and its release date, as well as which versions are currently supported under the 18-month window.
The table below is an approximate guide to the end-of-support date for each Android version. Each date is the release date of the last point release of that version plus the 18-month window, rounded to the month. As of November 2018, approximately 50 percent of Android devices tracked by StatCounter GlobalStats were at or past their support end date. That is a real issue for organizations that allow users to check work email on personal devices, and it should be addressed in your mobile device management policy and plan.
Google publishes monthly Android security bulletins at https://source.android.com/security/bulletin.
| Android Version | Last Point Release Date | Approximate Support End Date |
|---|---|---|
| Android 5.0.2 Lollipop | December 19, 2014 | July 2016 |
| Android 5.1.1 Lollipop | April 21, 2015 | November 2016 |
| Android 6.0.1 Marshmallow | December 7, 2015 | July 2017 |
| Android 7.0 Nougat | August 22, 2016 | March 2018 |
| Android 7.1.2 Nougat | April 5, 2017 | November 2018 |
| Android 8.0 Oreo | August 21, 2017 | March 2019 |
| Android 8.1 Oreo | December 5, 2017 | July 2019 |
| Android 9.0 Pie | August 6, 2018 | March 2020 |
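As an added example (not code from the original post), the following Python script applies the two support rules described above, the 18-month window from a version’s last point release and Google’s Pixel rule, to a device inventory of the kind an MDM export gives you, and flags what is past its window. The inventory records, the Pixel 2 sale dates and the `AS_OF` date are constructed assumptions for the example, not published figures.

```python
"""Flag managed Android devices whose OS line is past its approximate end of support.

Added example, not code from the original post. It encodes the approximate
18-month window from the last point release of an Android version, and Google's
Pixel rule (3 years from first sale on the Google Store or 18 months from the
last sale, whichever is longer). The inventory below is constructed sample data.
"""
import calendar
from datetime import date
from typing import Dict, Optional, Tuple

SUPPORT_WINDOW_MONTHS = 18          # Android version rule from the text above
PIXEL_FROM_FIRST_SALE_MONTHS = 36   # "at least 3 years from when first available"
PIXEL_FROM_LAST_SALE_MONTHS = 18    # "at least 18 months from when last sold"

# Release date of the last point release per Android line, as in the table above.
ANDROID_LAST_RELEASE: Dict[str, date] = {
    "5.0": date(2014, 12, 19),
    "5.1": date(2015, 4, 21),
    "6.0": date(2015, 12, 7),
    "7.0": date(2016, 8, 22),
    "7.1": date(2017, 4, 5),
    "8.0": date(2017, 8, 21),
    "8.1": date(2017, 12, 5),
    "9.0": date(2018, 8, 6),
}


def add_months(d: date, months: int) -> date:
    """Add calendar months to a date, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def android_line(version: str) -> str:
    """Reduce a reported version such as '8.1.0' to the 'major.minor' line used in the table."""
    parts = version.strip().split(".")
    minor = parts[1] if len(parts) > 1 else "0"
    return f"{parts[0]}.{minor}"


def android_support_end(version: str) -> Optional[date]:
    """Approximate support end for an Android version; None if the line is not in the table."""
    release = ANDROID_LAST_RELEASE.get(android_line(version))
    if release is None:
        return None
    return add_months(release, SUPPORT_WINDOW_MONTHS)


def pixel_support_end(first_sold: date, last_sold: date) -> date:
    """Google's published Pixel rule: the later of the two windows wins."""
    return max(add_months(first_sold, PIXEL_FROM_FIRST_SALE_MONTHS),
               add_months(last_sold, PIXEL_FROM_LAST_SALE_MONTHS))


def classify(device: dict, today: date) -> Tuple[str, Optional[date]]:
    """Return (status, support_end) for one inventory record.

    Pixel devices (records carrying sale dates) are judged by Google's hardware
    rule, because Google upgrades them to newer Android versions inside that
    window; every other device is judged by the OS line it currently reports,
    since that is the line its manufacturer will (or will not) keep patching.
    """
    if "first_sold" in device and "last_sold" in device:
        end = pixel_support_end(device["first_sold"], device["last_sold"])
    else:
        end = android_support_end(device["os"])
        if end is None:
            return "unknown", None   # an unlisted line is not evidence of support
    return ("supported" if today <= end else "unsupported"), end


def find_unsupported(inventory, today: date) -> Dict[str, Tuple[str, Optional[date]]]:
    """Classify every record in the inventory, keyed by device id."""
    return {device["id"]: classify(device, today) for device in inventory}


# Constructed sample inventory; the Pixel 2 sale dates are assumptions for the example.
SAMPLE_INVENTORY = [
    {"id": "dev-001", "model": "OEM handset", "os": "9.0.0"},
    {"id": "dev-002", "model": "OEM handset", "os": "7.0"},
    {"id": "dev-003", "model": "Pixel 2", "os": "9.0.0",
     "first_sold": date(2017, 10, 19), "last_sold": date(2019, 4, 1)},
    {"id": "dev-004", "model": "OEM handset", "os": "4.4.2"},
]
AS_OF = date(2019, 2, 15)  # assumed "today" for the example run

if __name__ == "__main__":
    for dev_id, (status, end) in find_unsupported(SAMPLE_INVENTORY, AS_OF).items():
        suffix = f" (support ends {end.isoformat()})" if end else ""
        print(f"{dev_id}: {status}{suffix}")
```

The function returns the exact day the window closes, whereas the table above rounds each date up to the following month. Note the handling of a version the table doesn’t list: it is reported as unknown rather than silently treated as supported, which is the safer default when an inventory contains devices older than the table.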
2. Apple Products
Apple’s iOS runs the iPhone, iPad, and iPod touch. Major versions are announced at the Apple Worldwide Developers Conference (WWDC) in June and released annually in September. As with macOS, security updates are delivered over the air and users are expected to install them. The current line is iOS 12 (iOS 12.1.4 at the time of writing), which supports Apple’s mobile products going back as far as the iPhone 5s, the iPad Air, and the sixth-generation iPod touch.
Device support appears to follow a roughly five-year cycle, after which older hardware no longer receives updates. Hardware is the driving factor in what’s supported, and Apple expects users of supported devices to install the latest update, which carries both the new features and the security fixes. Each update’s release notes list the security issues it addresses, most of them identified by their Common Vulnerabilities and Exposures (CVE) designation.
Another factor to consider is the battery and device throttling issue. The throttling was introduced in iOS 10.2.1 in early 2017 and became public later that year, prompting Apple to offer $29 battery replacements for affected devices through the end of 2018. That inexpensive battery replacement may lead price-conscious users to keep their Apple devices longer than they otherwise would, which in turn means more devices aging out of support while still in use.
The table below lists the iOS releases starting with iOS 7, which has long since become obsolete, through the current version, along with the hardware each is designed to support. I’ll only list the x.y releases until we get to the current version, iOS 12, where each patch release is included.
While not covered in this post, watchOS, the operating system for the Apple Watch, follows a similar path and should also be taken into account as part of your security posture.
| iOS Version | Release Date | Associated Hardware |
|---|---|---|
| iOS 7.0 | September 18, 2013 | iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later |
| iOS 7.1 | March 10, 2014 | iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later |
| iOS 8.0 | September 17, 2014 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later |
| iOS 8.1 | October 20, 2014 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later |
| iOS 8.2 | March 9, 2015 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later |
| iOS 8.3 | April 8, 2015 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later |
| iOS 8.4 | June 30, 2015 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later |
| iOS 9.0 | September 16, 2015 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later |
| iOS 9.1 | October 21, 2015 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later |
| iOS 9.2 | December 8, 2015 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later |
| iOS 9.3 | March 21, 2016 | iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later |
| iOS 10.0 | September 13, 2016 | iPhone 5 and later, iPad (4th generation) and later, iPod touch (6th generation) and later |
| iOS 10.1 | October 24, 2016 | iPhone 5 and later, iPad (4th generation) and later, iPod touch (6th generation) and later |
| iOS 10.2 | December 12, 2016 | iPhone 5 and later, iPad (4th generation) and later, iPod touch (6th generation) and later |
| iOS 10.3 | March 27, 2017 | iPhone 5 and later, iPad (4th generation) and later, iPod touch (6th generation) and later |
| iOS 11.0 | September 19, 2017 | iPhone 5s and later, iPad Air and later, iPod touch (6th generation) |
| iOS 11.1 | October 31, 2017 | iPhone 5s and later, iPad Air and later, iPod touch (6th generation) |
| iOS 11.2 | December 2, 2017 | iPhone 5s and later, iPad Air and later, iPod touch (6th generation) |
| iOS 11.3 | March 29, 2018 | iPhone 5s and later, iPad Air and later, iPod touch (6th generation) |
| iOS 11.4 | May 29, 2018 | iPhone 5s and later, iPad Air and later, iPod touch (6th generation) |
| iOS 12.0 | September 17, 2018 | iPhone 5s and later, iPad Air and later, iPod touch (6th generation) |
| iOS 12.1 | October 30, 2018 | iPhone 5s and later, iPad Air and later, iPod touch (6th generation) |
| iOS 12.1.1 | December 5, 2018 | iPhone 5s and later, iPad Air and later, iPod touch (6th generation) |
| iOS 12.1.2 | December 17, 2018 | iPhone 5s and later (iPhone-only release) |
| iOS 12.1.3 | January 22, 2019 | iPhone 5s and later, iPad Air and later, iPod touch (6th generation) |
| iOS 12.1.4 | February 7, 2019 | iPhone 5s and later, iPad Air and later, iPod touch (6th generation) |
Summary
Mobile device management is a key component of your security and vulnerability management plan. As more people use mobile platforms for both personal and business purposes, those devices become more valuable targets, which makes regular updating and patching even more important. Remember that the risks specific to mobile devices, including personal devices that access organizational data, can be addressed with a mobile device strategy and policy.
Our next post in this series will cover servers, so stay tuned.
Does your organization need a vulnerability assessment or help defining a mobile device strategy? Check out our services page here or contact us here.