Ask Slashdot: Equipping a Company With Secure Android Phones? 229
An anonymous reader writes "I'm in charge of getting some phones for my company to give to our mobile reps. Security is a major consideration for us, so I'm looking for the most secure off-the-shelf solution for this. I'd like to encrypt all data on the phone and use encryption for texting and phone calls. There are a number of apps in the android market that claim to do this, but how can I trust them? For example, I tested one, but it requires a lot of permissions such as internet access; how do I know it is not actually some kind of backdoor? I know that Boeing is producing a secure phone, which is no doubt good — but probably too expensive for us. I was thinking of maybe installing Cyanogenmod onto something, using a permissions management app to try and lock down some backdoors and searching out a trustworthy text and phone encryption app. Any good ideas out there?"
hire a android Dev.... (Score:1)
Dear slashdot (Score:5, Insightful)
I'd like to know how to configure a kludge of shit (using all FOSS, of course) for my enterprise environment. I want everything under the sun plus the kitchen sink.
Also, I'm going to be paranoid and reject anything you propose. After all, I can't be sure that anything I buy doesn't have a backdoor that the government or extra terrestrials could use to snoop on the uber secrets at my company.
we have one (Score:1)
We have one in works. Email to me df.inbox at gmail.com for details.
Re:we have one (Score:5, Insightful)
Seems legit.
Re: (Score:3)
I'm sure it's legit. And secure. Legitimately & securely transmits your info to China....
Make it yourself (Score:1, Interesting)
I would recommend developing your own system. If you are dealing with highly sensitive information, you want to make sure that it is fully secure. There are plenty of independent security contractors out there to develop something for you if you do not have the skill set to make it yourself within your company. Custom ROM, kernel, and various modifications to it should do it for you.
Apple (Score:4, Insightful)
Re:Apple (Score:5, Informative)
Blackberries suck, Android's security is left to the manufacturer (so it usually doesn't get done right), Windows Phone 7(.5) is still not ready for the Enterprise, Symbian is dead, so are Meego and Maemo...
iPhones are locked down, have enterprise support tools, come encrypted by default. Unless you're willing to inflict Blackberries on your users, AND pay for the BES, AND pay the per-handset CAL, iPhones are your best bet.
Re: (Score:2)
Re: (Score:2, Informative)
The cluelessness of your post is why I'm hoping you're not in a position to set hardware standards in the enterprise.
I'll take the curated iOS "controlled" app store over the wild-west install-from-anywhere wild-west Android alternative any day.
The reason(s) that the enterprise prefers iOS (or *gasp* RIM) over Android is precisely the reason the tech-saavy iHaters lambast them for.
Until Android is able to completely lock down a phone and give the administrators full rights to manage what gets put on it, And
Re: (Score:3, Informative)
Do you have any clue about what I'm talking about? Apparently not.
And yes, Encryption EXISTS, and is SUPPORTED, but is not always actually on. For that, it requires manufacturer support (I think this may have changed in ICS). And, a lot of phones you can buy right now come with... GINGERBREAD! Which can be encrypted, but it's solely left to the manufacturer.
Re: (Score:2)
Define malware.
From an Apple point of view apps with hidden features are malware, esp. if those features are locked down in iOS on telco request:
http://www.wired.com/gadgetlab/2010/07/apple-approves-pulls-flashlight-app-with-hidden-tethering-mode/ [wired.com]
So here you have a piece of software posing as A but having hidden feature B. Somehow the reviewer missed a flashlight app creating a server socket to receive connections, something a piece of malware might do (though opening a connection to a botnet is easier and
Re: (Score:2)
Not true. The APNS push certificate, while solid from a chain of authorities perspective, has as a competitor, ActiveSync API (yes, you can get it for Android) that is also the crux of control for Windows Mobile 7/7.5 phones.
The APNS MDM certs are good yet Apple also now supports ActiveSync. It's up to MDM software, yours, cloud, or carrier-based, to do the job.
If you need to limit user download access, do it. Be brave. But eventually, you'll need to clamp down more tightly than users like. If you supply th
Re: (Score:2)
Blackberry? (Score:5, Informative)
Why android? is there an app you need or something? or is it a latest bling thing?
Because Blackberry does the encrypted thing, and if you buy BES you can also set device policies and centrally administer the devices (remote wipe for example).
Re:Blackberry? (Score:5, Insightful)
Because starting from scratch on RIMs BB right now could be suicide...
- New OS devices coming in the fall with a new untested management platform
- Over stock of current gen devices they can't sell ( way under powered compared to WP, Android, iOS)
- Bleeding management
- Laying off huge amounts of staff.
Re: (Score:2)
Once Microsoft gets its Windows CE successor through a few iterations, BB is doomed. In fact, Microsoft has a trump card which few people realize: They control the horizontal and vertical when it comes to the Exchange/Activesync universe. Even Apple knows this because they licensed it from MS.
First will come the Windows phone that has full Office support for viewing and editing files. Both iOS and Android have gone through a lot of versions, but MS is catching up.
The next shoe that will drop is Microsof
Re: (Score:2)
Of course not, but Google and RIM could have a very uphill battle, especially if MS has some patents they can use on the ActiveSync replacement.
MS isn't dealing with a hostile DoJ these days. In fact, if MS actively blocked devices from using the AS replacement, there is nothing Google or RIM could do. Antitrust? MS's lawyers would happily show that POP and IMAP are open protocols and can still be used, so there is no "monopoly", just people wanting to use their protocol.
Of course, I'm doing pure devil's
Re: (Score:2)
in any Blackberry I've ever owned or seen in smoothness, intuitiveness, app switching, ecosystem, and whatever else you can think of.
There is a key qualified there, that you've "owned or seen". The new BB7 devices really don't get the credit they should have and very few people know them. Everyone seems to have missed that RIM changed their UI over to 60fps hardware accelerated rendering. The result is an experience far smoother than the vast majority of Android devices. Things like pinch zoom in the browser are as smooth as iOS.
I'm not going to tell you that BlackBerry has a ton of apps, I'd be deluding myself. But the IM, email and
Re: (Score:2)
Playbooks and BB OS X devices will REQUIRE mobile fusion on top of BES. Mobile fusion is barely out of beta. If you manage blackberries and don't know this you might also want to go check out the License cost for this upgrade, you might be shocked.
Re: (Score:2)
Also if you check the news for the ONLY platform with centralization to the point of causing National/ North America wide device outages, and being forced to hand over some control to other governments by building in centralization in a specific way, you have RIM..
On the plus side we haven't had a nation wide outage on RIM in over a year, must be all the surplus capacity. We started to see a surge in iOS device uptake during the last one.
Re: (Score:2)
Fair enough, BB OS 10 adopts active-sync removing much of the dependance.
What about Siri? Or MobileMe/iCloud? Even Gmail has unexpected outages. Those are consumer features or services.
For Enterprise Email, calendaring and directory a current gen BB device simply has more points of failure to hop through before you get the message.
ActiveSync is Exchange->Internet->Device
BES BB7 and below is Exchange->BES->RIM->Internet->Device two additional points of failure.
Only OSS can be secure (Score:2)
There isn't much real security provided by closed source encryption products. If they've no intentional backdoors, you still face the company concealing their mistakes to save face, which costs you security.
Re:Blackberry? (Score:4, Interesting)
As can Exchange through Active Sync (on Android or iOS). Don't invest in a company that is posting a billion in hardware losses this year.
A billion in hardware losses for them is a billion in hardware GAINS for the consumer! Besides, you totally missed the point. With the BB platform, you can both encrypt all communication (instant messaging and email) as well as lock out any unencrypted communication (SMS and third party email) so your phones are as secure as anything else in your enterprise (as long as the users keep their passwords safe).
Re: (Score:3)
What are you talking about?
That billion dollars is in unsold hardware. Nobody wants. Nobody is buying it. It is sitting around gathering dust and occupying space.
There were no 'gains' for the consumer. There's just boxes and boxes of phones nobody purchased.
I think the point you're missing is that if everybody is looking
Re: (Score:3)
Re: (Score:2)
I read that as "hopes". There's nothing to guarantee people will actually buy them.
At which point, they may well get stuck with these phones.
Re:Blackberry? (Score:5, Informative)
Even cooler, with BlackBerry Balance, you can seamlessly separate work and personal use on the device. No worries about copying corporate data to personal accounts.
Add to that the above-par remote management features and it's not even a choice -- there is only one enterprise-ready mobile platform.
Re: (Score:2)
I think the point the earlier poster was trying to make is, do you want to invest in buying BES and a bunch of Blackberries given that RIM seems to be going down the tubes?
If RIM continues to do as poorly as it has been doing, then I wouldn't expect to see worthwhile ongoing support for Blackberries or meaningful upgrades from RIM. Even if we were to stipulate that Blackberry is the best choice for a solution today, professional IT people also have to look at what kind of support and upgrade paths will be
Re: (Score:2)
The market is not a zero sum game. A billion in losses is not a billion in someone else's gains. If it were so, who gains the value of something depreciating?
Re: (Score:2)
The market is not a zero sum game. A billion in losses is not a billion in someone else's gains. If it were so, who gains the value of something depreciating?
Entropy does. At this point, they are sitting on a lot of revenue.
Re:Blackberry? (Score:5, Informative)
But if you're running BES (or the free Professional if you're small), everything is encrypted end to end with your own key. That's why they are so secure; 3rd parties don't have access to your data. In India & Saudi Arabia the government has put taps on the telco provided BES, but they still can't tap your private BES communications if your server is outside.
Re: (Score:2)
Plus, if you go with RIM today, you'll get to do all this again in a year or two after they're done imploding! [rim.com] Maybe you can volunteer [domain-b.com] to run their NOC!
Re: (Score:3)
And it all passes through the single point of failure that is RIM's server farm before reaching the client, and what could be more secure than an email that is never delivered, right?
The BES "single point of failure" is often over hyped. Most people that I personally know that complain about this single point of failure are also running a single mail server, single core switch, single Internet router, single ISP, etc. There are many single points of failure.
Don't get me wrong, you should always try to limit the number of single points of failure.
And to point out RIM's excellent uptime I will point out that RIM has had fewer hours of downtime in the last 10 years than Apple's iCloud se
Re: (Score:2)
I would be more concerned about having to replace the entire setup if RIM goes under. BB doesn't seem like the platform to build your business on right now.
Good for Enterprise (Score:2, Informative)
Re: (Score:2)
I agree, looking around Good, would be the closest off the shelf solution, it would also work with iOS devices giving you access to BOTH the most popular platforms right now..
Re:Good for Enterprise (Score:5, Informative)
One of my clients attempted to use Good for secure email on iOS last year. They were entirely unresponsive to even the slightest technical queries and their stuff was incompatible with other apps. Also, parent comment sounds like spam.
Re:Good for Enterprise (Score:4, Interesting)
I spent years managing Good on our mobiles and mail servers. It really was a miserable experience.
I'd probably do it again before switching to blackberries, though. I think they've changed ownership once or twice since I was using it.
Re: (Score:3)
Good can't do half of what RIM's management software can do. Their new Fusion software can also manage other platforms in addition to BlackBerries -- including iOS and Android. Good is okay, but it doesn't compare to RIM's best-in-class tools.
Re: (Score:2)
Unavailable and has been for months. Pure vaporware at this point.
Android 4.0.x ICS Can Be Encrypted (Score:2)
While trolling around my Galaxy Nexus I found the ability to encrypt it (not using it though). At the least that should protect data on the phone, surely you can find more details about that feature on the intertubes.
Calls are already "secure" to a point but if you need even more security then perhaps Skype?
text ... I'll leave that to others
good luck (Score:1)
my brief foray with android showed me that pretty much every app wants access to everything on the phone, including phone-home capability.
Re:good luck (Score:5, Insightful)
Blame the security "roles" not the app developers.
Want your app to detect if you're on a call, so it doesn't blow your eardrum out with an alert tone?
Well, then you need "Access to Phone State / Identity" ... just for an example.
Re: (Score:2)
The OS can - mods like cyannogen frequently allow the user to deny apps given permissions.
The problem is the "locked down" distribution the carriers force on users don't let you do so. Yea, they "know better than you" and remove that kind of control.
RIM/Blackberry (Score:5, Insightful)
Re: (Score:2)
I guess mostly this [google.com]
days numbered...
Re: (Score:3)
Stock price or price-per-share does not indicate nor does it necessarily correlate with the health of a company.
Investing 101, man. Come on.
Re: (Score:2)
I didn't say that' I'm saying that saying a company is on it's death bed solely on market performance is stupid and wrong.
Re: (Score:2)
The security of a BES/BB [blackberry.com] combination cannot be equaled by any current handset/OS (Unless the NSA/CIA/etc. have a secret one nobody knows about). If you must use Android then RIM has a solution [blackberry.com] for that as well.
Android isn't the platform for this (Score:1)
Unfortunately I am of the opinion that Android is NOT the platform for this (I use Android for my personal phone). It doesn't support it and as you see you need to use third-party applications to even make it work. Even if you could trust those third-parties, now how do you push updates to your reps? The answer is you don't. There are just too many hoops to jump through for a business where security is a "major consideration." I'd recommend Blackberry but it seems RIM could be going under any day. iOS is pr
Re:Android isn't the platform for this (Score:4, Insightful)
I'm not worried about RIM going under. They've been supposedly dying for years, but they just now posted their first quarterly loss. (Even with non-competitive handsets, they were still profitable. The 9900 is amazing, but you get my meaning.) Their customer base is growing and they've got plenty of cash on hand. They've got a fantastic suite of new development tools, best-in-class new remote management software, business friendly features like Balance, and a new operating system that is, by any metric, a cut above the rest Their app library is also growing like crazy and they're doing a fantastic job of recruiting new developers with a fantastic and varied suite of development tools. The handsets out this fall running their new OS look to be exceptionally high-end, with a brilliant UI.
RIM is hardly dying. They're a popular whipping-boy, but there are other companies doing far worse than RIM that don't get the same media bashing. When is the last time you heard that Sony is dying? They're worse off than RIM, and don't appear to have a strategy moving forward.
RIM is in no danger of "going under any day". That's been the line everyone's been chanting for the past year or so, sure, but that whole time their customer base was growing at an alarming rate and they were posting profits every quarter.
Re: (Score:2)
RIM has made radical changes from top to bottom. Their new UI is a generation ahead of iOS and Android as is their OS -- Multitasking, notifications, messaging in the mobile space are redefined in their new revolutionary platform.
Try to keep up. You're embarrassing AC's everywhere!
Sounds like a job for... (Score:5, Informative)
Rock, meet hard place. (Score:3, Insightful)
Pretty much sounds like you need a blackberry. Only they offer what you describe.
Trouble is, blackberry phones are crap, BES is crap, the blackberry network is crap, and the blackberry company (RIM) is circling the drain.
Turns out the infrastructure you need for your idea of a "secure" phone is more trouble than it's worth. Most companies have come to the realization that security is in fact a social and policy issue and much less a technological one. Just get good quality bog standard smart phones and create a policy that minimizes risk.
That said, iphones are officially supported activesync devices and will respect activesync security policies set by an exchange server. You can remote wipe them. (Funny thing - Winphone7's activesync support is provisional and not recommended for an enterprise environment - Microsoft's words!)
Unless you're a phone manufacturer... (Score:3)
there's nothing you can do to a phone that a savvy user can't also do (or undo).
And if you are a phone manufacturer, (A) it's easy to more-or-less do what you're saying, and (B) there will still be people to can find work-arounds to break out of the lockdown.
The only reason I mention this is that Android has an energetic modding community, in spite of platform security built into some of these. (Locked bootloaders, S-ON partitions, etc.)
Just using your "for example" as an example... if you can put flash Cyanogenmod onto the phone, your users can flash a completely different ROM and defeat a lot of the things you want to do. The tools you would use are available to anyone, and if you try to deny your users root (for instance), there are plenty of root exploits available to break that jail.
In general, I think smartphones are too much general-purpose computers to really secure in the static way you're thinking about.
As to the (perhaps more weighty) matters like all-storage encryption, I have never seen a good answer. Anything you could install as an app would probably be too shallow (i.e., not effective before booting). In fact, I don't know if the standard Android Linux kernels are amenable to that; you'd need a custom bootloader or 2nd stage, and I haven't seen those specifically tailored for storage decryption.
I dunno. Sounds like you have a challenge ahead of you.
Too expensive? (Score:5, Insightful)
I know that Boeing is producing a secure phone, which is no doubt good — but probably too expensive for us
If a secure, off the shelf phone is too expensive for you, you probably don't have the resources to build a secure phone yourself. Even the experts have trouble getting security right, an amateur will unknowingly leave big gaping holes.
That said, Android ICS will do full filesystem encryption, make sure you use a secure passphrase and not a 4 digit PIN. Use SSL to talk to your email server to keep that traffic from being snooped. Don't use SMS's.
Do you really need to encrypt your phone calls? Stick with a CDMA provider (supposedly it's trivial to hack GSM, but I believe CDMA is still relatively safe) and your calls are safe from all but the most determined (and well funded) eavesdropper. Unless you're worried about the US Government doing the eavesdropping, they'll just tap the call on the Telco side, so you need end-to-end encryption to protect against that.
Skype reportedly encrypts skype-to-skype calls.
But really, unless you're doing top-secret government work, your phone is the least of your worries. If the information is valuable, it's much easier to pay an employee to leak it than to steal your phone and hope to find the data stored on the phone. And if you are doing top-secret government work, a home-brew solution isn't going to meet the federal standards you'll be required to meet.
Re: (Score:2)
I suspect that no off the shelf product is secure from the network side. The hardware needs to have two independent blocks: a communications module and a application module. The two need to be linked with a well defined API so that the communications module can't change the application code and there is a good point for an audit. There are probably regulatory issues like GPS to emergency services, not being able to hang up an emergency call, etc. You need to be able to load the application code from a s
Re: (Score:2)
Even the experts have trouble getting security right, an amateur will unknowingly leave big gaping holes...But really, unless you're doing top-secret government work, your phone is the least of your worries.
Something about the OP's question bothered me, and this helped me put my finger on it. I think one of the big rules of security should be: don't trust your security. There's something about the question that sniffs of "How do I make my phones so full-proof secure that I don't need to worry about them anymore?" The first part of the answer has to be, if it were that easy, then we'd all have perfectly secure phones and you wouldn't be asking the question.
Encrypting calls and network traffic are probably n
Re: (Score:2)
That's why BB has an optional policy that will cause a phone to wipe itself if it can't contact the server for a set amount of time. Once contact is lost a timer starts on the phone itself so no server contact is required for a wipe to occur. This is of course a double edged sword that could get triggered if a user goes on vacation but simple planning can prevent that from being an issue.
I wasn't aware of that policy, and there are a few others (from http://docs.blackberry.com/en/admin/deliverables/4222/Secure_Wipe_Delay_After_IT_Policy_Received_204226_11.jsp [blackberry.com])
Re: (Score:2)
Why Android? (Score:3)
Just a question, but why Android?
If you indeed NEED the security (I do for work, which is why I have a BlackBerry) why not just go the tried and true route of BlackBerry? Security is built in, everything except SMS (to my knowledge) can be encrypted, and you don't have to worry about updates from a 3rd party firmware (CM) breaking your apps or security model.
Other things I LOVE about my BlackBerry...
This is a sincere question. I carry two devices (BB 9900 for work, and a CM9 rom'd SGS2 for my personal phone) and I personally cannot stand the exchange email client on Android, it just seems slow and clunky, and CM9 helped a little bit, but not much. Use the right tool for the job, instead of trying to shoehorn a tool into the job you want it to do.
Pre-QNX maybe (Score:2)
Why not an iPhone? (Score:2)
I would also say Blackberry, others have covered that angle well though...
But why are you not considering an iPhone? Storage on the device is hardware encrypted, and can be wiped remotely. You cannot have people using un-secured SD cards with it.
There's nothing you can do to secure SMS since that's a carrier level thing, but you can use any number of secured messaging applications.
But really the biggest red flag I see is - you claim to be worried about security but then are trying to base a solution on th
Re: (Score:2)
with or without locking out the Google AppStore?
Or are you saying that you are not worried about random apps your users will buy from the appstore?
And when iOS can be exploited by going to a simple web page, Apple releases an update, and you apply that update. How do you apply any update to a non-Nexus phone? Is it even available?
Weak spec: Secure from what while doing what? (Score:5, Informative)
What threats do you want to secure against? What scenarios do you want to avoid? Do you want to ensure against virus protection? Lost devices? (e.g. oh noes! our client list is on wikileaks!) Locking down data?
For bonus points, what are the top three things your "reps" need to do?
Just make calls? Or do texting? Or access web mail? Or...?
And how many "reps" are there today? How many will there be next year?
And what is your logistics model? Everybody at the same physical workplace? Distributed "virtual" office? Different countries? Different languages?
Does your phone need to integrate with any of your workflow software?
Try writing up five or six hundred words on the above to enhance your question - I'm sure you'll get some useful advice if you do that.
Re: (Score:2)
key is - are you going to allow non-default apps. If you allow appstore, what policies will you have in place? Can they install Girls Around Me for example? porn? etc
Re: (Score:2)
No, because then we'll say he's incompetent for asking slashdot to do his job for him, rather than our telling him he's incompetent because his spec is incomplete.
MobileIron (Score:3)
I'm surprised I'm the only one suggesting this: Android Management [mobileiron.com]
Phone calls are already encrypted. Text messages stored on the phone will be encrypted if the phone's system storage is also encrypted. Data traffic can be encrypted by forcing the use of VPN back to the company's local network (and as such, web filtering, etc. also applied).
Is security NEEDED or ASSUMED? (Score:2)
This is the first question you need to answer, most likely the answer is the latter.
BB (Score:5, Informative)
Re: (Score:3)
They have ... umm... a little problem... um... no one likes their shitty products and they are bleeding money. . .
And yet there are no better products that offer equivalent features. Perhaps their troubles are related to the fact while people want security, its not so easy to deliver it along with the other features that end-users demand.
Re: (Score:2)
Too much free time on your hands? (Score:2)
I was thinking of maybe installing Cyanogenmod onto something, using a permissions management app to try and lock down some backdoors and searching out a trustworthy text and phone encryption app. Any good ideas out there?
Custom-rolled solutions like this are a bad idea, and from a practical standpoint will likely result in less security going forward. Do you just have too much free time on your hands?
This is a problem that's largely been solved.
encrypted calls (Score:2)
use encryption for texting and phone calls.
I can't recommend or not recommend but http://www.koolspan.com/ [koolspan.com] offers a product to do this. Otherwise Nokia has been doing it for 8 years though with Symbian not Android.
How do you know...how do you know (Score:2, Insightful)
And just a heads up, your company and it's information isn't nearly as important as you think it is and probably doesn't necessitate the need for any of this.
Blackberry is the right choice (Score:3, Informative)
The difference between consumer and enterprise blackberry is that the BES server has a secure key that you create and is unknown to blackberry, bis is controlled by blackberry and is snoopable by governments.
I've found that the battery life is better on a blackberry, but the browser isnt the greatest, but has improved in the newest models. Another thing to keep in mind is the battery is field swappable, so if the battery wears out, YOU can switch it out, or carry a spare.
Blackberry made the mistake of getting into consumer phones, but for enterprise situations, blackberry is the best way to go.
Android + BlackBerry Universal Device Service? (Score:2, Informative)
Your use case and focus on security really suggests that BlackBerry would be the best bet, but if you are focused on finding a way to securely deploy Android devices, but still maintain some security, take a look at the BlackBerry Universal Device Service product as an MDM solution:
Feature Checklist: http://ca.blackberry.com/content/dam/blackBerry/pdf/brochure/northAmerica/english/BlackBerryMobileFusion,UniversalDeviceServiceFeatureChecklist-1.pdf
Details: http://us.blackberry.com/business/software/mobilef
Don't Root it (Score:2, Insightful)
A sidebar re common criteria (Score:2)
The way the "common criteria" are defined, you need to be an accountant or a logician to figure out just what feature set they claim a high security on. I usually wasl "would it meet B2?" If they can't answer, it won't (;-))
--dave (and yes, on good days I am a logician) c-b
B2, from the Orange Book, is an old military standard, approximately what SELinux meets. C means crappy, and there were a very few people who got an A
Impossible (Score:2)
Without full disclosure on the OS, the source, and hardware you can't guarantee its secure.
I am guessing here, but it seems to me cell phones are designed from the ground up to be insecure.
Apple is no more secure (Score:2)
Buying into the "Walled garden == Security" philosophy doesn't cut it because you have no way to VERIFY things haven't been tampered with. You just "believe" they haven't been. Unless you jail break/root you can't be sure because you have no access. That makes it just as un-trustworthy as a trac-fone you found in the gutter. You might as well just use cyanogen, root it, get an sha1sum of everything on the device and have a way to track changes. Feeding Apple all your $$ while drinking all their "walled gar
Enterproid Divide MDM (Score:2)
Enterproid http://www.divide.com/ [divide.com] mobile device management is a service that costs $60/device/year that creates a secured remotely wipe-able sandbox on Android. They also submitted their app to the Apple store so it should be appearing soon for iPhone's.
FYI, they are working with Fixmo to be Common Access Card compliant for NSA standards...
I thought 'Whisper Systems' when I saw this post (Score:2)
http://www.whispersys.com/ [whispersys.com]
This may or may not be what you're looking for... not all of their offerings appear to be open source.
System level and Security developer's perspective (Score:2)
1) So far as I know, the only "smart phone" OS which has been "properly audited" was the specific versions of BlackBerry OS which is used by Obama. This does not include all versions of Bla
Good, secure, and cheap. (Score:2)
Pick two.
Re:Cell phone calls are already encrypted (Score:5, Informative)
And blackberry messenger is too.
To clarify on the blackberry messenger encryption: It's encrypted by default with a global key (hardly useful) but pin to pin communications can be encrypted using an organizational key, if you subscribe to a S/MIME package.
Re: (Score:2, Informative)
To clarify on the blackberry messenger encryption: It's encrypted by default with a global key (hardly useful) but pin to pin communications can be encrypted using an organizational key, if you subscribe to a S/MIME package.
Not quite. Blackberry messenger by default does use a global key (and the key is known by many in the security community), but blackberry messenger is also encrypted with 3DES, which is a bit weak. With a million dollars of computers, 3DES can be brute-forced reasonably quickly.
By compar
Re: (Score:3)
You should check out GOOD for mobile devices. It will create an encrypted sandbox for any corporate data/applications and works on a variety of phones. It also comes with some decent enterprise tools. The drawback is it requires changes to some 'user' plans and that creates headaches if you allow personal devices on corporate networks.
Re: (Score:2)
If it's off-the-shelf it's not secure. You can't know that the chip factory isn't compromised, unless you inspect it
By the same logic, no product that you did not develop, including designing the CPU and any other chips, and fabricate yourself, down to the last individual resistor and diode, is secure. Which is patently absurd, since by this logic, any sort of secure device would be nigh-unaffordable, since you'd need to set up the entire fabrication chain to build just one prototype, requiring an absurd amount of capital.
A notion highlighted by the recent story on how Chinese-fabbed US military chips apparently contain
Re: (Score:2)
I take it you haven't read On Trusting Trust?
Re: (Score:2)
If that's the one about the possible compromise of the GCC compiler, I did. And it mirrors my point perfectly: you can't be sure there's no backdoor, unless you make it yourself from the ground up, and if that's not possible, just trust the chain.
Re: (Score:2)
If it's off-the-shelf it's not secure. You can't know that the chip factory isn't compromised, unless you inspect it
By the same logic, no product that you did not develop, including designing the CPU and any other chips, and fabricate yourself, down to the last individual resistor and diode, is secure. Which is patently absurd, since by this logic, any sort of secure device would be nigh-unaffordable, since you'd need to set up the entire fabrication chain to build just one prototype, requiring an absurd amount of capital.
A notion highlighted by the recent story on how Chinese-fabbed US military chips apparently contain a backdoor on the hardware.
Absurd as it may be, it's true.
Well, maybe you can trust the resistors, but if you really have secret data to protect, you really can't trust even a CPU to be secure - there's no telling what's hidden in the microcode or what backdoors a software or hardware manufacturer has built in to the product "just for maintenance and testing purposes" (or at a government's request).
Re: (Score:2)
Screwey thinking altogether (Score:2)
First of all... while implementing security code in VHDL or Verilog is possible and has been done, the CPU is just not a big risk in this case. You can use a CPU from a company you're sure is fishy and so long as the software above it is written properly, it should make no difference. It's not really even a matter of cost. Encryption is a software feature... security in general is software oriented. In a system such as Android where the pr
Re: (Score:2)
2) Who reviewed it (no one)?
3) Who audited it (no one)?
4) Is the OS signed and locked to the phone (nope)?
5) Can an OEM slipstream device drivers or system level code onto the device (yes)?
6) Can app developers slipstream drivers or system level code onto the device (usually)?
Unless you can be 100% sure that the guy who compiled release of the OS was actually aware of what they were doing with regards to security (less
umm... BB is not really tested (Score:2)
Also please keep in mind that QNX develops their own TCP/IP stack which I personally have used for about 20 years. And after having access to the
What's better is... (Score:2)
Blackberry on QNX is a thoroughly untested system based on a nearly full rewrite of the operating system which we all know suffered from severe rush to market syndrome. Meaning that there is no possible way a product which is almost certainly a million lines of code or more has been thoroughly tested for security. I mention in previous comments that QNX runs an in-house TCP/IP stack
Re: (Score:2)
Re: (Score:2)
Android 4 (for example on Galaxy Nexus) has encryption built-in.
http://support.google.com/ics/nexus/bin/answer.py?hl=en&answer=1663755 [google.com]