Australia updates its security advice for iOS and Samsung mobile devices

Apple’s iOS provides the greatest security for sensitive and classified information, but business-class Samsung Android devices can be configured for secure use as well.


The Australian Cyber Security Centre (ACSC) has issued updated guidance for securing iPhones, iPads, and iPod Touches running iOS 14 and for securing Samsung’s business-class Galaxy S10, S20, and Note 20 Android smartphones.

The guidance is meant to ensure the security of sensitive and classified (“Protected” class, in ACSC parlance) information, as defined by the government, but the advice applies broadly to all mobile devices in use by businesses.

Recommendations for iOS 14 devices

The ACSC notes that iOS’s default encryption meets its most stringent Class A requirements, and that iOS is fully compliant (Maturity Level 3) with seven of its Essential Eight security requirements. iOS 14 is only partly aligned (Maturity Level 1) with the daily backup requirement: iCloud backs up only some data automatically, and a full backup via iTunes requires the user to connect the device and run it manually.

iOS had already supported the key areas of security concern identified by the ACSC, with iOS 13 adding one missing component in 2019: use of a secure DNS proxy or of an encrypted DNS connection to resolve domain names.

iOS 14 bolsters several security aspects that the ACSC took note of:

  • iOS 14 randomises the device’s Wi-Fi MAC address per network by default; a management tool can turn the randomisation off for a corporate network so that the device presents its stable hardware address there.
  • Siri now processes user requests on the device, so query data is not sent over the internet to Apple’s voice-recognition servers.
  • Single sign-on extensions now support per-application VPN connections, allowing domain inclusion and exclusion lists at a per-app level.
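As an added illustration, not taken from the article or from the ACSC guidance, of two of the management-controlled settings discussed above (encrypted DNS and per-network MAC address randomisation), the following is a minimal iOS 14 configuration profile of the kind an MDM would push to a supervised device. The SSID, RADIUS and resolver host names, the resolver IP address, and all payload identifiers and UUIDs are placeholders; the EAP-TLS identity and CA certificate payloads that a real profile would carry alongside the Wi-Fi payload are not shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Top-level profile wrapper. Identifiers and UUIDs are placeholders. -->
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.corp.network-baseline</string>
  <key>PayloadUUID</key>
  <string>8B5C1A10-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key>
  <string>Corporate network baseline (example)</string>
  <!-- Honoured on supervised, MDM-enrolled devices: the user cannot remove the profile. -->
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <key>PayloadContent</key>
  <array>
    <!-- 1. Corporate Wi-Fi over 802.1X/EAP-TLS. The iOS 14 private (randomised)
         Wi-Fi address is disabled for this SSID only, so NAC/RADIUS sees the
         device's stable hardware MAC; every other network still gets a random one. -->
    <dict>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.corp.network-baseline.wifi</string>
      <key>PayloadUUID</key>
      <string>8B5C1A10-0000-4000-8000-000000000002</string>
      <key>PayloadDisplayName</key>
      <string>CorpWiFi</string>
      <key>SSID_STR</key>
      <string>CorpWiFi</string>
      <key>AutoJoin</key>
      <true/>
      <key>EncryptionType</key>
      <string>WPA2</string>
      <key>DisableAssociationMACRandomization</key>
      <true/>
      <key>EAPClientConfiguration</key>
      <dict>
        <!-- 13 = EAP-TLS. The device identity certificate (PayloadCertificateUUID)
             and the RADIUS CA anchor (PayloadCertificateAnchorUUID) are supplied by
             separate certificate payloads that are not shown in this example. -->
        <key>AcceptEAPTypes</key>
        <array>
          <integer>13</integer>
        </array>
        <key>TLSTrustedServerNames</key>
        <array>
          <string>radius.corp.example.com</string>
        </array>
        <key>TLSAllowTrustExceptions</key>
        <false/>
      </dict>
    </dict>
    <!-- 2. Encrypted DNS (iOS 14+): resolve over DNS-over-HTTPS to an internal
         resolver. ProhibitDisablement requires a supervised device. -->
    <dict>
      <key>PayloadType</key>
      <string>com.apple.dnsSettings.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.corp.network-baseline.dns</string>
      <key>PayloadUUID</key>
      <string>8B5C1A10-0000-4000-8000-000000000003</string>
      <key>PayloadDisplayName</key>
      <string>Encrypted DNS</string>
      <key>ProhibitDisablement</key>
      <true/>
      <key>DNSSettings</key>
      <dict>
        <key>DNSProtocol</key>
        <string>HTTPS</string>
        <key>ServerURL</key>
        <string>https://doh.corp.example.com/dns-query</string>
        <!-- Placeholder resolver address (TEST-NET-3) used to bootstrap the DoH host name. -->
        <key>ServerAddresses</key>
        <array>
          <string>203.0.113.53</string>
        </array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Install the profile through the MDM rather than by hand: PayloadRemovalDisallowed and ProhibitDisablement are only enforced on supervised, MDM-enrolled devices, which is the supervision the ACSC calls for. DisableAssociationMACRandomization is scoped to the one SSID, so the device keeps a randomised address on every other network. Because the DNS payload applies device-wide, confirm the resolver is reachable from off-network paths (or scope the payload with OnDemandRules) before rolling it out broadly, or devices will lose name resolution away from the corporate network.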

Ongoing recommendations for iOS devices include:

  • Testing each year’s iOS beta on test devices as it is released, then moving the user base to the new version shortly after its public release (once business apps are confirmed compatible), so that Apple’s latest security technologies are in use across the organisation.
  • Implementing device supervision via a mobile device management (MDM), enterprise mobility management (EMM), or unified endpoint management (UEM) system. To comply with ACSC standards for handling sensitive and classified information, organisations must enrol in Apple Business Manager as part of that mobile management.

Specific details are available in the ACSC’s iOS 14 security guidance.

Recommendations for Samsung S10, S20, and Note 20

The ACSC notes that the business-class Samsung devices’ default encryption meets its most stringent Class A requirements.

However, the Samsung devices and their Android operating system are fully compliant (Maturity Level 3) with just four of the Essential Eight security requirements: application patching, configuration of Microsoft Office macro settings, ability to restrict administrative privileges, and multifactor authentication.

One requirement, operating system patching, is mostly aligned with the requirement’s intent (Maturity Level 2). Another, user application hardening, is only partly aligned (Maturity Level 1): the browser can be configured to block website pop-ups and Java execution, but users can override those settings. Two requirements, application control and daily backup, are not met at all by the Samsung devices and Android. Because application control is so limited, the ACSC recommends disabling app installation both from an app store and by sideloading on any device used to access classified information.

Ongoing recommendations for Samsung devices include:

  • Upgrading your user base to each new Samsung-specific Android version shortly after its initial release (once business apps are confirmed compatible), so that Google’s and Samsung’s latest security technologies are in use across the organisation.
  • Implementing device supervision via a mobile device management (MDM), enterprise mobility management (EMM), or unified endpoint management (UEM) system. To comply with ACSC standards for handling sensitive and classified information, organisations must use Samsung’s Knox Platform for Enterprise (KPE) as part of that mobile management, and classified data must be stored using KPE’s Sensitive Data Protection (SDP) within the Android Enterprise work profile. The ACSC notes that the S20 and Note 20 have a built-in Secure Element chip, comparable to the secure hardware in iOS devices, for hardware-backed verification and secure data storage; the S10 does not.

Specific details are available in the ACSC’s Samsung S10, S20, and Note 20 security guidance.

Copyright © 2021 IDG Communications, Inc.
