Recently there’s been a wave of mobile device hacks and attacks exploiting vulnerabilities associated with SMS messages. This is scary because more and more companies are implementing a BYOD program, and most mobile users do a great deal of texting and messaging on these devices.

Hackers who are typically known for sneaking in the back door can come right in the front door with SMS attacks.

First there was “Stagefright.” The “Stagefright” vulnerability was specific to Android and gave a hacker a way to steal device data by executing code on the device through an infected SMS message.

More recently, a major vendor in the mobility management space may be leaving thousands of customers at risk because of an SMS (text messaging) vulnerability. The vulnerability occurs when a signed SMS is sent from the management server to the device during the enrollment process and/or the general day-to-day management of the device, including locking, unlocking and wiping. In this scenario the signature is not secure, leaving the door open for impersonation and “man-in-the-middle” attacks. It may sound hard to attack a device in this manner, but it’s really not. All a hacker would need to do is obtain a transmitter ID by attempting to connect to the management server (the transmitter ID is automatically returned) and the phone number of the targeted device. I’ve oversimplified the explanation, but it’s quite easy to do.

Let’s look at an enterprise mobility management (EMM) solution that offers enterprise-grade security and encryption and reduces the risk of an SMS vulnerability:

Citrix XenMobile does not use SMS mechanisms from the management server to remotely wipe phone data or manage the device, which removes the risk of the vulnerability described above.

Recently, XenMobile introduced a new certificate pinning feature to further prevent man-in-the-middle (MITM) attacks. During enrollment the client-side software is pinned to the server’s public key, and it will reject a server connection request if the server’s public key differs from the one pinned on the local client. See the diagram below.

The graphic on the left illustrates the benefit of using certificate pinning for device enrollment. The image on the right depicts a man-in-the-middle (MITM) attack.

In addition to certificate pinning, Citrix employs strong security standards that are considered best practices in the industry. For example:

  • End-to-end FIPS-compliant solution for data at rest and in motion.
  • Regular cadence of internal penetration testing for each of the Citrix XenMobile EMM releases.
  • Successful external penetration test validations from industry-leading firms including Gotham and Veracode.
  • HIPAA-compliant solution including XenMobile, ShareFile and NetScaler.

The Citrix XenMobile EMM solution always receives high marks from industry analysts and experts when reviewed for its security attributes. A recent Gartner study, Critical Capabilities for High-Security Mobility Management, shows the strength and leadership of the Citrix XenMobile EMM solution in the area of secure mobility. A copy of the report can be found here.