Home page logo

funsec logo funsec mailing list archives

TIGTA: Android may be too risky for BYOD [IRS BYOD Pilot Program]
From: Jeffrey Walton <noloader () gmail com>
Date: Fri, 29 Nov 2013 00:47:25 -0500

This is kind of scary... BYOD at the IRS (and not just Android).

I hope they don't allow access to taxpayer information. Or only allow
access to top administration official's records so they can suffer the


Android devices should not be part of the bring-your-own-device
program for Internal Revenue Service employees until the agency
reviews Android's security vulnerabilities, says the Treasury
Inspector General for Tax Administration.

The IRS rolled out a BYOD pilot program in September 2012 to let
employees access the agency's network through their personal mobile
devices. Initially, the program was limited to Apple devices. In May
2013--with hundreds of IRS employees participating through their
iPhones and iPads--the IRS expanded the program to allow Android

But in a newly released report, dated Sept. 24, TIGTA says the IRS did
not adequately consider the security weaknesses of the Android
operating system.

The report recommends that the IRS stop allowing Android devices into
the BYOD program until it completes a security review that "thoroughly
addresses" the risks associated with Android.

Android is vulnerable due to "an open source operating system, a more
lenient approval process for inclusion in the regulated app store,
multiple third-party unregulated app stores, and lack of timely
updates to correct operating system weaknesses," the report says.

The IRS disagreed with the recommendation, saying management did
consider security concerns. It also notes that the program is just a
pilot and is under evaluation in a secured environment.

Still, the report says TIGTA is "not convinced that the IRS executive"
who authorized the program "had enough information to make an informed
decision about the risks involved in bringing Android devices into the
BYOD pilot."

The report does note the importance of Android if the program advances
past the pilot phase, saying it might not be worthwhile to have an
agencywide BYOD program that is limited to Apple devices.
Fun and Misc security discussion for OT posts.
Note: funsec is a public and open mailing list.

  By Date           By Thread  

Current thread:
  • TIGTA: Android may be too risky for BYOD [IRS BYOD Pilot Program] Jeffrey Walton (Nov 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]