People typing on phones, tablets

Tech Refresh as Part of an Effective Vulnerability Management Program: Part Two

In Cyber Security Strategy by Keith Melancon

Mobile Device Vulnerability Management

In part two of our blog series on why it’s important to keep technology and operating systems updated as part of your vulnerability management program, I'll focus on mobile device vulnerability management. This includes mobile computing, with a focus on mobile devices. The popularity of mobile devices, along with how easily they can be lost or stolen, makes mobile device management a critical component to your security plan.

Increased Risk for Business Users

More people are using their mobile devices for business every day, whether they’re sending email, making phone calls, or using business applications like Salesforce.com or Slack. As such, mobile devices are now much more of a target for malicious hackers. There are a substantial number of vulnerabilities exposed with mobile handsets, so regular operating system updates and patches are crucial. With more people using personal phones for work email, they’re accessing organizational data from devices that aren’t controlled by the organization, so you need a mobile device strategy and policy to address these specific risks.

1. Android Products

Google’s Android mobile operating system can be found on most non-Apple mobile devices. Android has the same market share as Windows, demonstrating the shift from desktop computing to mobile computing.

In the US, these statistics are based on the Linux kernel. The popularity of this operating system, coupled with the specific cell phone manufacturer and/or carrier modifications, make this a complicated issue. There’s at least an 18-month support window from official release of a major revision, with security support extending further out. The security support information is vague, but it’s related to Google’s support criteria for the Pixel phones. Their website states, “Pixel phones get security updates for at least 3 years from when the device first became available on the Google Store, or at least 18 months from when the Google Store last sold the device, whichever is longer. After that, we can't guarantee more updates.”

The information on the Android Wikipedia page shows the current version and release dates, as well as the currently supported version based on the 18-month support window.

The table below is an approximate guide to the end-of-life support date for Android systems. Dates are based on the last version release date. As of November 2018, approximately 50 percent of Android devices tracked by GlobalStats were either at or past their support end date. This could be an issue for organizations that allow users to check work email on personal devices and should be considered as part of your mobile device management policy and plan.

Google releases security bulletins for Android here.

Operating System

Release Date

Approximate Support End Date

Android 5.0.2 Lollipop

December 19, 2014

July 2016

Android 5.1.1 Lollipop

April 21, 2015

November 2016

Android 6.0.1 Marshmallow

December 7, 2015

July 2017

Android 7.0 Nougat

August 22, 2016

March 2018

Android 7.1.2 Nougat

April 5, 2017

November 2018

Android 8.0 Oreo

August 21, 2017

March 2019

Android 8.1 Oreo

December 5, 2017

July 2019

Android 9.0 Pie

August 6, 2018

March 2020

2. Apple Products

Apple’s iOS runs their family of iPhones, iPads, and iPods built around mobility. The major versions are rolled out annually in September after they’re announced at the Apple Worldwide Developers Conference (WWDC). Like the Apple macOS, security patches are pushed out and are expected to be accepted. The latest version is iOS 12.1, which supports Apple’s mobile products going back as far as the iPhone 5s and the iPad fifth generation.

The support for these devices appears to follow a five-year cycle, with older hardware not being supported with updates. The hardware is the driving factor for what is supported, and Apple expects  users on supported devices to install the latest updates to unlock new features, from both an operational and security perspective. Each update lists what security concerns are being addressed, with most of the vulnerabilities described with their Common Vulnerabilities and Exposures (CVE) designation.

Another issue to consider is the battery and device throttling issue. Batterygate came to light in 2017 with the release of iOS 10.2.1 and prompted Apple to allow $29 battery replacements for their devices through the end of 2018. This inexpensive option to replace the battery may cause price-conscious users to use their Apple devices longer than they normally would have, which could lead to more unsupported devices.

The table below looks at the current supported versions, as well as the last version that became obsolete, iOS 7, and the platforms they’re designed to support. I’ll only be looking at the major releases for iOS until we get to the current version, iOS 12.

While not covered in this post, the mobile operating system for the Apple Watch, watchOS, follows a similar path. This should also be taken into consideration as part of your security posture.

Operating System

Release Date

Associated Hardware

iOS 7.0

September 18, 2013

iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later

iOS 7.1

March 10, 2014

iPhone 4 and later, iPod touch (5th generation), iPad 2 and later

iOS 8.0

September 17, 2014

iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

iOS 8.1

October 20, 2014

iPhone 4s and later, iPad 2 and later, iPod touch (5th generation) and later

iOS 8.2

March 9, 2015

iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

iOS 8.3

April 8, 2015

iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

iOS 8.4

June 30, 2015

iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

iOS 9.0

September 16, 2015

iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

iOS 9.1

October 21, 2015

iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

iOS 9.2

December 8, 2015

iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

iOS 9.3

March 21, 2016

iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

iOS 10.0

September 13, 2016

iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

iOS 10.1

October 24, 2016

iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

iOS 10.2

December 12, 2016

iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and late

iOS 10.3

March 27, 2017

iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and late

iOS 11.0

September 19, 2017

iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

iOS 11.1

October 31, 2017

iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

iOS 11.2

December 2, 2017

iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

iOS 11.3

March 29, 2018

iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

iOS 11.4

May 29, 2018

iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

iOS 12.0

September 17, 2018

iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

iOS 12.1

October 30, 2018

iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

iOS 12.1.1

December 5, 2018

iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

iOS 12.1.2

December 12, 2018

iPhone 5s and later

iOS 12.1.3

January 22, 2019

iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

iOS 12.1.4

February 7, 2019

iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Summary

Mobile device management is a key component to your security and vulnerability management plan. As more people are using mobile platforms for personal and business purposes, those devices are more susceptible to vulnerabilities, which makes regular updating and patching even more important. Also, remember those specific risks can be addressed with a mobile device strategy and policy.

Our next post in this series will cover servers, so stay tuned.

Does your organization need a vulnerability assessment or help defining a mobile device strategy? Check out our services page here or contact us here.