Ask Slashdot: Equipping a Company With Secure Android Phones?

An anonymous reader writes "I'm in charge of getting some phones for my company to give to our mobile reps. Security is a major consideration for us, so I'm looking for the most secure off-the-shelf solution for this. I'd like to encrypt all data on the phone and use encryption for texting and phone calls. There are a number of apps in the android market that claim to do this, but how can I trust them? For example, I tested one, but it requires a lot of permissions such as internet access; how do I know it is not actually some kind of backdoor? I know that Boeing is producing a secure phone, which is no doubt good — but probably too expensive for us. I was thinking of maybe installing Cyanogenmod onto something, using a permissions management app to try and lock down some backdoors and searching out a trustworthy text and phone encryption app. Any good ideas out there?"

Dear slashdot

[Anonymous Coward]

I'd like to know how to configure a kludge of shit (using all FOSS, of course) for my enterprise environment. I want everything under the sun plus the kitchen sink.

Also, I'm going to be paranoid and reject anything you propose. After all, I can't be sure that anything I buy doesn't have a backdoor that the government or extra terrestrials could use to snoop on the uber secrets at my company.

Apple

[wood_dude]

Yes, use an iPhone ! Let the flames begin...

RIM/Blackberry

[alphax45]

You basically described the RIM/Blackberry use case; why not use them? The Bold 9900 is actually a nice phone.

Re:Blackberry?

[BagOBones]

Because starting from scratch on RIMs BB right now could be suicide...

- New OS devices coming in the fall with a new untested management platform
- Over stock of current gen devices they can't sell ( way under powered compared to WP, Android, iOS)
- Bleeding management
- Laying off huge amounts of staff.

Rock, meet hard place.

[Anonymous Coward]

Pretty much sounds like you need a blackberry. Only they offer what you describe.
Trouble is, blackberry phones are crap, BES is crap, the blackberry network is crap, and the blackberry company (RIM) is circling the drain.

Turns out the infrastructure you need for your idea of a "secure" phone is more trouble than it's worth. Most companies have come to the realization that security is in fact a social and policy issue and much less a technological one. Just get good quality bog standard smart phones and create a policy that minimizes risk.

That said, iphones are officially supported activesync devices and will respect activesync security policies set by an exchange server. You can remote wipe them. (Funny thing - Winphone7's activesync support is provisional and not recommended for an enterprise environment - Microsoft's words!)

Too expensive?

[hawguy]

I know that Boeing is producing a secure phone, which is no doubt good — but probably too expensive for us

If a secure, off the shelf phone is too expensive for you, you probably don't have the resources to build a secure phone yourself. Even the experts have trouble getting security right, an amateur will unknowingly leave big gaping holes.

That said, Android ICS will do full filesystem encryption, make sure you use a secure passphrase and not a 4 digit PIN. Use SSL to talk to your email server to keep that traffic from being snooped. Don't use SMS's.

Do you really need to encrypt your phone calls? Stick with a CDMA provider (supposedly it's trivial to hack GSM, but I believe CDMA is still relatively safe) and your calls are safe from all but the most determined (and well funded) eavesdropper. Unless you're worried about the US Government doing the eavesdropping, they'll just tap the call on the Telco side, so you need end-to-end encryption to protect against that.

Skype reportedly encrypts skype-to-skype calls.

But really, unless you're doing top-secret government work, your phone is the least of your worries. If the information is valuable, it's much easier to pay an employee to leak it than to steal your phone and hope to find the data stored on the phone. And if you are doing top-secret government work, a home-brew solution isn't going to meet the federal standards you'll be required to meet.

Re:Blackberry?

[twnth]

As can Exchange through Active Sync (on Android or iOS). Don't invest in a company that is posting a billion in hardware losses this year.

Actually, its shy of a half billion Press Release PDF [rim.com]

They still shipped 14 million units in Q3, still revenue positive, still have 75 million subscribers. Is this up to iphad numbers? No. But they're still profitable and I think they'll be around for quite a while yet.

How do you know...how do you know

[sunking2]

How do you know anything?

And just a heads up, your company and it's information isn't nearly as important as you think it is and probably doesn't necessitate the need for any of this.

Re:we have one

[X0563511]

Seems legit.

Re:good luck

[X0563511]

Blame the security "roles" not the app developers.

Want your app to detect if you're on a call, so it doesn't blow your eardrum out with an alert tone?

Well, then you need "Access to Phone State / Identity" ... just for an example.

Re:Android isn't the platform for this

[narcc]

I'm not worried about RIM going under. They've been supposedly dying for years, but they just now posted their first quarterly loss. (Even with non-competitive handsets, they were still profitable. The 9900 is amazing, but you get my meaning.) Their customer base is growing and they've got plenty of cash on hand. They've got a fantastic suite of new development tools, best-in-class new remote management software, business friendly features like Balance, and a new operating system that is, by any metric, a cut above the rest Their app library is also growing like crazy and they're doing a fantastic job of recruiting new developers with a fantastic and varied suite of development tools. The handsets out this fall running their new OS look to be exceptionally high-end, with a brilliant UI.

RIM is hardly dying. They're a popular whipping-boy, but there are other companies doing far worse than RIM that don't get the same media bashing. When is the last time you heard that Sony is dying? They're worse off than RIM, and don't appear to have a strategy moving forward.

RIM is in no danger of "going under any day". That's been the line everyone's been chanting for the past year or so, sure, but that whole time their customer base was growing at an alarming rate and they were posting profits every quarter.

Don't Root it

[CapitalOrange]

Virtually all the malware (and there is some drive by stuff happening) attacks people with rooted phones, so installing even a secure "ROM" is probably the worst thing you can do for security. By looking for software that has gone through the common criteria (assuming that still exists or another similar certification process) you will have some reassurances that it was designed in a secure manner. I would also look for something using other government standards, like FIPS 140-2.