Ask Slashdot: Equipping a Company With Secure Android Phones?

timothy posted about 2 years ago | from the try-this-new-hal-9000-model dept.

Android 229

An anonymous reader writes "I'm in charge of getting some phones for my company to give to our mobile reps. Security is a major consideration for us, so I'm looking for the most secure off-the-shelf solution for this. I'd like to encrypt all data on the phone and use encryption for texting and phone calls. There are a number of apps in the android market that claim to do this, but how can I trust them? For example, I tested one, but it requires a lot of permissions such as internet access; how do I know it is not actually some kind of backdoor? I know that Boeing is producing a secure phone, which is no doubt good — but probably too expensive for us. I was thinking of maybe installing Cyanogenmod onto something, using a permissions management app to try and lock down some backdoors and searching out a trustworthy text and phone encryption app. Any good ideas out there?"

Droid Pro Can (0)

Anonymous Coward | about 2 years ago | (#40170135)

It's a crappy phone for the most part, but the Motorola Droid Pro encrypts both internal storage and the SD card if you choose to. You need support built into the phone for whole disk encryption. Apps can't do that. Making transported data encrypted is a separate thing though.

Cell phone calls are already encrypted (0)

Anonymous Coward | about 2 years ago | (#40170141)

And blackberry messenger is too.

Re:Cell phone calls are already encrypted (5, Informative)

Anonymous Coward | about 2 years ago | (#40170177)

And blackberry messenger is too.

To clarify on the blackberry messenger encryption: It's encrypted by default with a global key (hardly useful) but pin to pin communications can be encrypted using an organizational key, if you subscribe to a S/MIME package.

hire a android Dev.... (0)

who_stole_my_kidneys (1956012) | about 2 years ago | (#40170173)

It's the only way you can get someone you "trust"; if the price is too high, then your security is degraded.

Re:hire a android Dev.... (-1)

Anonymous Coward | about 2 years ago | (#40170269)

Oh dear God, you are an idiot. Seriously.

Re:hire a android Dev.... (0)

Anonymous Coward | about 2 years ago | (#40170441)

That would explain why he can't locate who took his kidneys.

Re:hire a android Dev.... (-1)

Anonymous Coward | about 2 years ago | (#40170473)

Judging by the way he capitalized "Dev", he must be an Indian. That explains it.

Dear slashdot (5, Insightful)

Anonymous Coward | about 2 years ago | (#40170185)

I'd like to know how to configure a kludge of shit (using all FOSS, of course) for my enterprise environment. I want everything under the sun plus the kitchen sink.

Also, I'm going to be paranoid and reject anything you propose. After all, I can't be sure that anything I buy doesn't have a backdoor that the government or extra terrestrials could use to snoop on the uber secrets at my company.

Re:Dear slashdot (0)

Anonymous Coward | about 2 years ago | (#40171433)

I can help you get everything you need, just put this little piece of paper under your tongue for a few minutes.

we have one (1)

Anonymous Coward | about 2 years ago | (#40170187)

We have one in works. Email to me df.inbox at gmail.com for details.

Re:we have one (4, Insightful)

X0563511 (793323) | about 2 years ago | (#40170983)

Seems legit.

Make it yourself (1, Interesting)

Anonymous Coward | about 2 years ago | (#40170195)

I would recommend developing your own system. If you are dealing with highly sensitive information, you want to make sure that it is fully secure. There are plenty of independent security contractors out there to develop something for you if you do not have the skill set to make it yourself within your company. Custom ROM, kernel, and various modifications to it should do it for you.

Apple (4, Insightful)

wood_dude (1548377) | about 2 years ago | (#40170197)

Yes, use an iPhone ! Let the flames begin...

Re:Apple (5, Informative)

Anonymous Coward | about 2 years ago | (#40170355)

As much as I absolutely HATE to say this, you're absolutely right.

Blackberries suck, Android's security is left to the manufacturer (so it usually doesn't get done right), Windows Phone 7(.5) is still not ready for the Enterprise, Symbian is dead, so are Meego and Maemo...

iPhones are locked down, have enterprise support tools, come encrypted by default. Unless you're willing to inflict Blackberries on your users, AND pay for the BES, AND pay the per-handset CAL, iPhones are your best bet.

Re:Apple (1)

Anonymous Coward | about 2 years ago | (#40170445)

iOS with a complex password works well for most needs. They still don't have a great way to support a "VPN-or-GTFO" always on secure tunnel for everything though.

Re:Apple (-1)

Anonymous Coward | about 2 years ago | (#40170953)

I absolutely HATE to say this, you're absolutely wrong.
iOS is no more secure than Android.
The only iOS "advantage" is the controlled app store.

Re:Apple (1)

Anonymous Coward | about 2 years ago | (#40171037)

I absolutely HATE to say this, you're absolutely wrong. iOS is no more secure than Android. The only iOS "advantage" is the controlled app store.

And the default whole-disk-encryption on all iPhones since the 3gs. Oh, and the inability to install untrusted programs with a checkbox. Oh, and the enterprise support tools which are far better for iPhones than Android...

Re:Apple (0)

Anonymous Coward | about 2 years ago | (#40171457)

What???
Encryption on Android exists since Honeycomb, at least a year before iPhones...
Inability to install untrusted programs? WTF? What is a "trusted" program? The one looked at by people at the Apple store?
Really?
Enterprise support tools? What tools? Integration with Microsoft Exchange? How it has anything to do with the operating system? VPN? IMAP?
Do you really have any idea what you're talking about?

Re:Apple (3, Informative)

Anonymous Coward | about 2 years ago | (#40171633)

Yes, I do. [apple.com]

Do you have any clue about what I'm talking about? Apparently not.

And yes, Encryption EXISTS, and is SUPPORTED, but is not always actually on. For that, it requires manufacturer support (I think this may have changed in ICS). And, a lot of phones you can buy right now come with... GINGERBREAD! Which can be encrypted, but it's solely left to the manufacturer.

Re:Apple (2, Informative)

Anonymous Coward | about 2 years ago | (#40171439)

The cluelessness of your post is why I'm hoping you're not in a position to set hardware standards in the enterprise.

I'll take the curated iOS "controlled" app store over the wild-west install-from-anywhere wild-west Android alternative any day.

The reason(s) that the enterprise prefers iOS (or *gasp* RIM) over Android is precisely the reason the tech-savvy iHaters lambast them for.

Until Android is able to completely lock down a phone and give the administrators full rights to manage what gets put on it, Android will always be the LAST choice - if any choice.

Re:Apple (1)

Anonymous Coward | about 2 years ago | (#40171545)

The cluelessness of your post is why I'm hoping you're not in a position to set hardware standards in the enterprise.
You really don't know Android if you're making these statements.

Blackberry? (5, Informative)

twnth (575721) | about 2 years ago | (#40170199)

Why Android? Is there an app you need or something? Or is it a latest bling thing?

Because Blackberry does the encrypted thing, and if you buy BES you can also set device policies and centrally administer the devices (remote wipe for example).

Re:Blackberry? (-1)

Anonymous Coward | about 2 years ago | (#40170237)

As can Exchange through Active Sync (on Android or iOS). Don't invest in a company that is posting a billion in hardware losses this year.

Re:Blackberry? (3, Interesting)

jeffmeden (135043) | about 2 years ago | (#40170321)

As can Exchange through Active Sync (on Android or iOS). Don't invest in a company that is posting a billion in hardware losses this year.

A billion in hardware losses for them is a billion in hardware GAINS for the consumer! Besides, you totally missed the point. With the BB platform, you can both encrypt all communication (instant messaging and email) as well as lock out any unencrypted communication (SMS and third party email) so your phones are as secure as anything else in your enterprise (as long as the users keep their passwords safe).

Re:Blackberry? (1)

eimsand (903055) | about 2 years ago | (#40170385)

I don't think there's any doubt about the security of blackberry handsets. I'm far more concerned about the security of blackberry's intermediary network that all e-mail traffic flows through.

Re:Blackberry? (4, Informative)

b0bby (201198) | about 2 years ago | (#40170491)

But if you're running BES (or the free Professional if you're small), everything is encrypted end to end with your own key. That's why they are so secure; 3rd parties don't have access to your data. In India & Saudi Arabia the government has put taps on the telco provided BES, but they still can't tap your private BES communications if your server is outside.

Re:Blackberry? (2)

Deadguy2322 (761832) | about 2 years ago | (#40170851)

But if you're running BES (or the free Professional if you're small), everything is encrypted end to end with your own key. That's why they are so secure; 3rd parties don't have access to your data. In India & Saudi Arabia the government has put taps on the telco provided BES, but they still can't tap your private BES communications if your server is outside.

And it all passes through the single point of failure that is RIM's server farm before reaching the client, and what could be more secure than an email that is never delivered, right?

Re:Blackberry? (1)

Altus (1034) | about 2 years ago | (#40171193)

I would be more concerned about having to replace the entire setup if RIM goes under. BB doesn't seem like the platform to build your business on right now.

Re:Blackberry? (2)

gstoddart (321705) | about 2 years ago | (#40170781)

A billion in hardware losses for them is a billion in hardware GAINS for the consumer!

What are you talking about?

That billion dollars is in unsold hardware. Nobody wants it. Nobody is buying it. It is sitting around gathering dust and occupying space.

There were no 'gains' for the consumer. There's just boxes and boxes of phones nobody purchased.

Besides, you totally missed the point. With the BB platform, you can both encrypt all communication

I think the point you're missing is that if everybody is looking at RIM like it is about to tank or get sold, nobody wants to be the guy in the meeting saying "Hey, we should go with Blackberry".

You describe the historical reasons why people went with Blackberry/BES solutions. But in the current context, people don't necessarily believe they are a long-term viable option.

When you're hiring investment bankers to help you figure out how to split, sell, fold, spindle, or mutilate it tends to undermine customer confidence. I'm betting a lot of organizations wouldn't look at setting up a new BES right now.

Re:Blackberry? (2)

NemosomeN (670035) | about 2 years ago | (#40171675)

A billion dollar write down means BB anticipates selling the devices for a billion dollars less. This is where future consumers gain. (unless the billion represents devices that will be discarded)

Re:Blackberry? (4, Informative)

narcc (412956) | about 2 years ago | (#40170791)

Even cooler, with BlackBerry Balance, you can seamlessly separate work and personal use on the device. No worries about copying corporate data to personal accounts.

Add to that the above-par remote management features and it's not even a choice -- there is only one enterprise-ready mobile platform.

Re:Blackberry? (0)

Anonymous Coward | about 2 years ago | (#40170955)

I would stay away from Blackberry..the company is tanking

Re:Blackberry? (1)

nine-times (778537) | about 2 years ago | (#40171727)

I think the point the earlier poster was trying to make is, do you want to invest in buying BES and a bunch of Blackberries given that RIM seems to be going down the tubes?

If RIM continues to do as poorly as it has been doing, then I wouldn't expect to see worthwhile ongoing support for Blackberries or meaningful upgrades from RIM. Even if we were to stipulate that Blackberry is the best choice for a solution today, professional IT people also have to look at what kind of support and upgrade paths will be available over the next 5 years or more.

Re:Blackberry? (1, Insightful)

twnth (575721) | about 2 years ago | (#40170709)

As can Exchange through Active Sync (on Android or iOS). Don't invest in a company that is posting a billion in hardware losses this year.

Actually, it's shy of a half billion: Press Release PDF [rim.com]

They still shipped 14 million units in Q3, still revenue positive, still have 75 million subscribers. Is this up to iphad numbers? No. But they're still profitable and I think they'll be around for quite a while yet.

Re:Blackberry? (4, Insightful)

BagOBones (574735) | about 2 years ago | (#40170283)

Because starting from scratch on RIMs BB right now could be suicide...

- New OS devices coming in the fall with a new untested management platform
- Over stock of current gen devices they can't sell ( way under powered compared to WP, Android, iOS)
- Bleeding management
- Laying off huge amounts of staff.

Re:Blackberry? (0)

hawkbat05 (1952326) | about 2 years ago | (#40170597)

The management platform isn't really untested, it will be the same one used to manage PlayBooks now http://blogs.blackberry.com/2012/03/introducing-blackberry-device-service-for-blackberry-mobile-fusion/ [blackberry.com] . I'm also going to argue with your "under powered" claim. The specs may be lower but I have a BB 9900, a SE Xperia and a Galaxy S2, the 9900 runs just as smoothly and feels less fragmented when performing a task. Raw hardware specs are not always the same as user experience.

Unfortunately no one has stepped up to the plate to match the built in security and manageability of RIM's platforms. Leaving such features up to third party solutions/vendors leaves businesses in the same position as Timothy, wondering if they can trust them or not. If RIM falls there will be a void no other vendor is prepared to fill.

Re:Blackberry? (-1)

Anonymous Coward | about 2 years ago | (#40170741)

and feels less fragmented when performing a task.

Dude...lol...and stfu.

Re:Blackberry? (0)

Anonymous Coward | about 2 years ago | (#40170723)

Untested management platform? No, sorry, BES has been around for almost a decade now and it's proven.

Re:Blackberry? (0)

Anonymous Coward | about 2 years ago | (#40170787)

Because starting from scratch on RIMs BB right now could be suicide...

- New OS devices coming in the fall with a new untested management platform - Over stock of current gen devices they can't sell ( way under powered compared to WP, Android, iOS) - Bleeding management - Laying off huge amounts of staff.

They may be going through some significant pains, but when people ask about tried and tested platforms providing end-to-end encryption and the response is either BB or (crickets), they're likely not going anywhere, especially with Government use. Demand certainly seems intact.

Re:Blackberry? (1)

StrifeJester (1326559) | about 2 years ago | (#40170667)

BES has an express version as well that is free.

Re:Blackberry? (-1)

Anonymous Coward | about 2 years ago | (#40170713)

That would be because BLACKBERRY BLOWS

Re:Blackberry? (1)

Minion of Eris (1574569) | about 2 years ago | (#40171083)

Or BES Express - less IT Policies, but it is FREE!

Good for Enterprise (2, Informative)

jmarka (2359522) | about 2 years ago | (#40170209)

Timothy, You should take a look at Good for Enterprise www.good.com Best, jmarka

Re:Good for Enterprise (1)

BagOBones (574735) | about 2 years ago | (#40170307)

I agree, looking around Good, would be the closest off the shelf solution, it would also work with iOS devices giving you access to BOTH the most popular platforms right now..

Re:Good for Enterprise (4, Informative)

Bogtha (906264) | about 2 years ago | (#40170553)

One of my clients attempted to use Good for secure email on iOS last year. They were entirely unresponsive to even the slightest technical queries and their stuff was incompatible with other apps. Also, parent comment sounds like spam.

Re:Good for Enterprise (3, Interesting)

SomePgmr (2021234) | about 2 years ago | (#40170967)

I spent years managing Good on our mobiles and mail servers. It really was a miserable experience.

I'd probably do it again before switching to blackberries, though. I think they've changed ownership once or twice since I was using it.

Re:Good for Enterprise (0)

Anonymous Coward | about 2 years ago | (#40171179)

^^

We use it here. They promised an Android browser "in 6 months". Took 18 months. It crashes all the time. You get the point...

Re:Good for Enterprise (2)

narcc (412956) | about 2 years ago | (#40170893)

Good can't do half of what RIM's management software can do. Their new Fusion software can also manage other platforms in addition to BlackBerries -- including iOS and Android. Good is okay, but it doesn't compare to RIM's best-in-class tools.

Whisper Systems (0)

Anonymous Coward | about 2 years ago | (#40171065)

Whisper Systems [whispersys.com] is still in beta, but is free.

Re:Good for Enterprise (0)

Anonymous Coward | about 2 years ago | (#40171291)

Motorola's Good for Enterprise is the platform we used several years ago when we went through the Treo era. Then we migrated to Blackberry, which for its time, was better than Good. Now, we have a mix of Iphone\Android, and Good is the only system that can handle encryption and device management, for both. Fusion can manage the devices, but is not quite there yet for handling email flow on the other devices.

Good has developed apps for Ipad, Iphone, and Android. All seem to work great for secure mobile email. Biggest drawback is the lack of synchronization for tasks and notes that are in Outlook. And I am not sure about the encryption of phone calls.

Good luck!

Android 4.0.x ICS Can Be Encrypted (1)

Jumperalex (185007) | about 2 years ago | (#40170217)

While trolling around my Galaxy Nexus I found the ability to encrypt it (not using it though). At the least that should protect data on the phone, surely you can find more details about that feature on the intertubes.

Calls are already "secure" to a point but if you need even more security then perhaps Skype?

text ... I'll leave that to others

good luck (1)

Anonymous Coward | about 2 years ago | (#40170233)

my brief foray with android showed me that pretty much every app wants access to everything on the phone, including phone-home capability.

Re:good luck (5, Insightful)

X0563511 (793323) | about 2 years ago | (#40171043)

Blame the security "roles" not the app developers.

Want your app to detect if you're on a call, so it doesn't blow your eardrum out with an alert tone?

Well, then you need "Access to Phone State / Identity" ... just for an example.
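The permission question from the submission and the comment above, as an added example that is not part of the thread: a triage script over `aapt dump permissions` output that separates apps which can both read sensitive data and reach the network from apps that hold only one of the two. The package names and dump text are constructed samples, and the verdict labels are this example's own.

```python
import re

# Permissions guarding the data this thread worries about.
# The descriptions are this example's wording, not Android's.
SENSITIVE = {
    "android.permission.READ_SMS": "stored text messages",
    "android.permission.RECEIVE_SMS": "incoming text messages",
    "android.permission.READ_PHONE_STATE": "call state and device identity",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
}
NETWORK = "android.permission.INTERNET"

# aapt prints "uses-permission: X" or "uses-permission: name='X'"
# depending on its version, so accept both forms.
PERM_RE = re.compile(r"^\s*uses-permission:\s*(?:name=)?'?([\w.]+)'?")
PKG_RE = re.compile(r"^\s*package:\s*(?:name=)?'?([\w.]+)'?")


def parse_dump(dump_text):
    """Return (package_name, set_of_permissions) from aapt output."""
    package, perms = None, set()
    for line in dump_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            package = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m:
            perms.add(m.group(1))
    return package, perms


def triage(dump_text):
    """Classify an app by what its declared permissions allow.

    This is a first-pass filter, not proof of anything: an app without
    INTERNET can still hand data to another app, and an app flagged
    "review" may be entirely legitimate.
    """
    package, perms = parse_dump(dump_text)
    sensitive = sorted(p for p in perms if p in SENSITIVE)
    has_net = NETWORK in perms
    if sensitive and has_net:
        verdict = "review"        # can read sensitive data and send it out
    elif sensitive:
        verdict = "local-only"    # reads sensitive data, no declared network
    elif has_net:
        verdict = "network-only"  # network access, no sensitive reads
    else:
        verdict = "minimal"
    return {"package": package, "verdict": verdict,
            "sensitive": sensitive, "network": has_net}


# Constructed sample dumps (not taken from real apps).
ALERT_APP = """package: com.example.alerttone
uses-permission: android.permission.READ_PHONE_STATE
uses-permission: android.permission.VIBRATE
"""
SECURE_SMS = """package: com.example.securetext
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
"""
GAME = """package: com.example.game
uses-permission: android.permission.INTERNET
"""

if __name__ == "__main__":
    for dump in (ALERT_APP, SECURE_SMS, GAME):
        r = triage(dump)
        print(f"{r['package']:28} {r['verdict']:13}", end=" ")
        print(", ".join(SENSITIVE[p] for p in r["sensitive"]) or "-")
```

Apps that land in "review" are the ones where source availability, vendor reputation or traffic inspection has to answer the backdoor question; the permission list alone cannot.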

RIM/Blackberry (5, Insightful)

alphax45 (675119) | about 2 years ago | (#40170235)

You basically described the RIM/Blackberry use case; why not use them? The Bold 9900 is actually a nice phone.

Re:RIM/Blackberry (1)

ArsonSmith (13997) | about 2 years ago | (#40170447)

I guess mostly this [google.com]

days numbered...

Re:RIM/Blackberry (2)

X0563511 (793323) | about 2 years ago | (#40171095)

Stock price or price-per-share does not indicate nor does it necessarily correlate with the health of a company.

Investing 101, man. Come on.

Re:RIM/Blackberry (0)

Anonymous Coward | about 2 years ago | (#40171513)

So, you are tagging it as a BUY?

Re:RIM/Blackberry (1)

Anonymous Coward | about 2 years ago | (#40171561)

They have more cash than a lot of companies... and enough patents to stay relevant; most everyone I know (yea, I'm in Canada) uses BB.

I've done the iToy thing and it's fun to an extent then it's just a nuisance; I don't need distractions when all I want (and need) is my email, IM, and phone (yes, people still call other people!)

Re:RIM/Blackberry (1)

kae77 (1006997) | about 2 years ago | (#40170469)

+1

Android 4 and VPN (0)

Anonymous Coward | about 2 years ago | (#40170241)

Get a Nexus phone or a contract with a vendor that guarantees security updates. Have a VPN. Pay for Google Apps (Remote wipe, forced password policies, forced full disk encryption all from a nice easy console). Even then, these are consumer phones. The manufacturers aren't targeting towards you.

Also remove SMS and use some other communications tools such as Google Talk. There are secure SMS tools for android but the second one of your idiot employees installs the latest zynga game all of the text messages are able to be captured by that program.

--Sparksis.

Android isn't the platform for this (1)

Anonymous Coward | about 2 years ago | (#40170249)

Unfortunately I am of the opinion that Android is NOT the platform for this (I use Android for my personal phone). It doesn't support it and as you see you need to use third-party applications to even make it work. Even if you could trust those third-parties, now how do you push updates to your reps? The answer is you don't. There are just too many hoops to jump through for a business where security is a "major consideration." I'd recommend Blackberry but it seems RIM could be going under any day. iOS is probably a better choice because it supports FDE out of the box. Though, in all honesty, if security is a major consideration, the real answer is that your reps should ONLY be using feature phones rather than smartphones.

Re:Android isn't the platform for this (0)

Anonymous Coward | about 2 years ago | (#40170991)

You really have no idea what you're talking about, do you...

Re:Android isn't the platform for this (3, Insightful)

narcc (412956) | about 2 years ago | (#40171337)

I'm not worried about RIM going under. They've been supposedly dying for years, but they just now posted their first quarterly loss. (Even with non-competitive handsets, they were still profitable. The 9900 is amazing, but you get my meaning.) Their customer base is growing and they've got plenty of cash on hand. They've got a fantastic suite of new development tools, best-in-class new remote management software, business friendly features like Balance, and a new operating system that is, by any metric, a cut above the rest. Their app library is also growing like crazy and they're doing a fantastic job of recruiting new developers with a fantastic and varied suite of development tools. The handsets out this fall running their new OS look to be exceptionally high-end, with a brilliant UI.

RIM is hardly dying. They're a popular whipping-boy, but there are other companies doing far worse than RIM that don't get the same media bashing. When is the last time you heard that Sony is dying? They're worse off than RIM, and don't appear to have a strategy moving forward.

RIM is in no danger of "going under any day". That's been the line everyone's been chanting for the past year or so, sure, but that whole time their customer base was growing at an alarming rate and they were posting profits every quarter.

bad requirements (0)

Anonymous Coward | about 2 years ago | (#40170275)

Security is a major consideration for us, so I'm looking for the most secure off-the-shelf solution for this.

These are contradictory requirements. If it's off-the-shelf it's not secure. You can't know that the chip factory isn't compromised, unless you inspect it.

The problem is you can't afford security. This is not a problem that has a solution. You need to just accept failure.

Re:bad requirements (1)

ThunderBird89 (1293256) | about 2 years ago | (#40170641)

If it's off-the-shelf it's not secure. You can't know that the chip factory isn't compromised, unless you inspect it

By the same logic, no product that you did not develop, including designing the CPU and any other chips, and fabricate yourself, down to the last individual resistor and diode, is secure. Which is patently absurd, since by this logic, any sort of secure device would be nigh-unaffordable, since you'd need to set up the entire fabrication chain to build just one prototype, requiring an absurd amount of capital.
A notion highlighted by the recent story on how Chinese-fabbed US military chips apparently contain a backdoor on the hardware.

Re:bad requirements (1)

the_B0fh (208483) | about 2 years ago | (#40171217)

I take it you haven't read On Trusting Trust?

Re:bad requirements (1)

hawguy (1600213) | about 2 years ago | (#40171265)

If it's off-the-shelf it's not secure. You can't know that the chip factory isn't compromised, unless you inspect it

By the same logic, no product that you did not develop, including designing the CPU and any other chips, and fabricate yourself, down to the last individual resistor and diode, is secure. Which is patently absurd, since by this logic, any sort of secure device would be nigh-unaffordable, since you'd need to set up the entire fabrication chain to build just one prototype, requiring an absurd amount of capital.
A notion highlighted by the recent story on how Chinese-fabbed US military chips apparently contain a backdoor on the hardware.

Absurd as it may be, it's true.

Well, maybe you can trust the resistors, but if you really have secret data to protect, you really can't trust even a CPU to be secure - there's no telling what's hidden in the microcode or what backdoors a software or hardware manufacturer has built in to the product "just for maintenance and testing purposes" (or at a government's request).

Sounds like a job for... (4, Informative)

a90Tj2P7 (1533853) | about 2 years ago | (#40170289)

... Blackberry. Aside from encrypting phone calls themselves, everything you're asking to do is something even a basic Curve will do out of the box - encrypting the phone storage and SD card, requiring a password to install apps. And that's without using any enterprise tools to manage the devices and security policies across the board, remotely.

Any phone with ICS (1)

Anonymous Coward | about 2 years ago | (#40170295)

Android 4.0 has full device encryption.

Nexus + ICS + F-Secure (1)

lostsoulz (1631651) | about 2 years ago | (#40170309)

Get a Nexus. However, nothing is secure once someone has their hands on it (insert obligatory XKCD encryption link.) At least F-Secure Mobile Security reduces the attack surface before it's stolen and allows you to remote-wipe after it has been stolen. I don't work for F-Secure BTW!

Rock, meet hard place. (3, Insightful)

Anonymous Coward | about 2 years ago | (#40170325)

Pretty much sounds like you need a blackberry. Only they offer what you describe.
Trouble is, blackberry phones are crap, BES is crap, the blackberry network is crap, and the blackberry company (RIM) is circling the drain.

Turns out the infrastructure you need for your idea of a "secure" phone is more trouble than it's worth. Most companies have come to the realization that security is in fact a social and policy issue and much less a technological one. Just get good quality bog standard smart phones and create a policy that minimizes risk.

That said, iphones are officially supported activesync devices and will respect activesync security policies set by an exchange server. You can remote wipe them. (Funny thing - Winphone7's activesync support is provisional and not recommended for an enterprise environment - Microsoft's words!)

Unless you're a phone manufacturer... (2)

idontgno (624372) | about 2 years ago | (#40170329)

there's nothing you can do to a phone that a savvy user can't also do (or undo).

And if you are a phone manufacturer, (A) it's easy to more-or-less do what you're saying, and (B) there will still be people who can find work-arounds to break out of the lockdown.

The only reason I mention this is that Android has an energetic modding community, in spite of platform security built into some of these. (Locked bootloaders, S-ON partitions, etc.)

Just using your "for example" as an example... if you can flash Cyanogenmod onto the phone, your users can flash a completely different ROM and defeat a lot of the things you want to do. The tools you would use are available to anyone, and if you try to deny your users root (for instance), there are plenty of root exploits available to break that jail.

In general, I think smartphones are too much general-purpose computers to really secure in the static way you're thinking about.

As to the (perhaps more weighty) matters like all-storage encryption, I have never seen a good answer. Anything you could install as an app would probably be too shallow (i.e., not effective before booting). In fact, I don't know if the standard Android Linux kernels are amenable to that; you'd need a custom bootloader or 2nd stage, and I haven't seen those specifically tailored for storage decryption.

I dunno. Sounds like you have a challenge ahead of you.

Too expensive? (5, Insightful)

hawguy (1600213) | about 2 years ago | (#40170333)

I know that Boeing is producing a secure phone, which is no doubt good — but probably too expensive for us

If a secure, off the shelf phone is too expensive for you, you probably don't have the resources to build a secure phone yourself. Even the experts have trouble getting security right, an amateur will unknowingly leave big gaping holes.

That said, Android ICS will do full filesystem encryption, make sure you use a secure passphrase and not a 4 digit PIN. Use SSL to talk to your email server to keep that traffic from being snooped. Don't use SMS's.

Do you really need to encrypt your phone calls? Stick with a CDMA provider (supposedly it's trivial to hack GSM, but I believe CDMA is still relatively safe) and your calls are safe from all but the most determined (and well funded) eavesdropper. Unless you're worried about the US Government doing the eavesdropping, they'll just tap the call on the Telco side, so you need end-to-end encryption to protect against that.

Skype reportedly encrypts skype-to-skype calls.

But really, unless you're doing top-secret government work, your phone is the least of your worries. If the information is valuable, it's much easier to pay an employee to leak it than to steal your phone and hope to find the data stored on the phone. And if you are doing top-secret government work, a home-brew solution isn't going to meet the federal standards you'll be required to meet.

Re:Too expensive? (1)

wkk2 (808881) | about 2 years ago | (#40170733)

I suspect that no off the shelf product is secure from the network side. The hardware needs to have two independent blocks: a communications module and an application module. The two need to be linked with a well defined API so that the communications module can't change the application code and there is a good point for an audit. There are probably regulatory issues like GPS to emergency services, not being able to hang up an emergency call, etc. You need to be able to load the application code from a secure interface with signed code etc. A smart card slot for application module key material would be a plus. Good luck trying to find one and good luck getting approval to sell one with these features.

Re:Too expensive? (0)

Anonymous Coward | about 2 years ago | (#40170823)

Actually, the security of the wireless communication protocol (GSM or CDMA) is only relevant until the nearest base-station. From then the conversation may continue in many forms, some encrypted and some not. Trivial case: "secure" CDMA made towards trivially wiretapped POTS analogue landline.

Re:Too expensive? (2)

oldbamboo (936359) | about 2 years ago | (#40171505)

Just to add, the majority of phones can be tricked into dropping down to GSM from 3G. All phones (bar the BB) should be treated as untrusted devices. Tunnel everything, encrypt everything, store nothing and you're part way there :-)

BlackBerry (1, Redundant)

trevc (1471197) | about 2 years ago | (#40170337)

Get BlackBerry. Android is the wrong choice for your requirements.

Obfuscated Texting (1)

Anonymous Coward | about 2 years ago | (#40170363)

My company just released Raptcha which converts messages into captcha images to be sent via mms, email or however, thus bypassing keyword filters and traps.

http://www.google.com/m?hl=en&gl=us&client=ms-android-huawei&source=android-browser-type&q=google+play+raptcha

Why Android? (3)

scream at the sky (989144) | about 2 years ago | (#40170379)

Just a question, but why Android?

If you indeed NEED the security (I do for work, which is why I have a BlackBerry) why not just go the tried and true route of BlackBerry? Security is built in, everything except SMS (to my knowledge) can be encrypted, and you don't have to worry about updates from a 3rd party firmware (CM) breaking your apps or security model.

Other things I LOVE about my BlackBerry...

  • Every key is a speed dial, I have about 20 of them mapped to the people I call the most. Very intuitive.
  • The keyboard is wonderful for hammering out mid to long emails. Swype helps, but I still find the keyboard faster.
  • Kick Ass Speaker Phone.
  • Full day battery life. Don't underestimate this.
  • It's easier to decipher who an email comes from, as it uses the same display info as my phone book does. On anything that uses ActiveSync, my email is addressed in the same format as the Exchange server, which means everyone shows in my list as coming from "Lastname, Firstname (EMPLOYEE#)". On my Berry, it shows as "Dad" or "Jeff (Regional)" instead. This is invaluable, as I can name people in my phone book in regards to my relationship with them, and I don't have to go digging through the Exchange directory to find out what a person's job title is if I only correspond with them twice a year, and have forgotten who they are.
  • You can encrypt the device, as well as any memory cards.

This is a sincere question. I carry two devices (BB 9900 for work, and a CM9 rom'd SGS2 for my personal phone) and I personally cannot stand the exchange email client on Android, it just seems slow and clunky, and CM9 helped a little bit, but not much. Use the right tool for the job, instead of trying to shoehorn a tool into the job you want it to do.

Samsung as a starting point? (0)

Anonymous Coward | about 2 years ago | (#40170403)

I'm using a Samsung Galaxy Note and noticed that it offers hardware encryption AND a "Samsung Enterprise Mobility" service. So, there's definitely a company offering encryption out there.

Why not an iPhone? (1)

SuperKendall (25149) | about 2 years ago | (#40170443)

I would also say Blackberry, others have covered that angle well though...

But why are you not considering an iPhone? Storage on the device is hardware encrypted, and can be wiped remotely. You cannot have people using un-secured SD cards with it.

There's nothing you can do to secure SMS since that's a carrier level thing, but you can use any number of secured messaging applications.

But really the biggest red flag I see is - you claim to be worried about security but then are trying to base a solution on the single most vulnerable platform for malware attacks. How can you responsibly suggest that for enterprise use?

I would also recommend WP7 but I just don't know enough about the features it offers to be sure about securing the device.

Re:Why not an iPhone? (0)

Anonymous Coward | about 2 years ago | (#40170643)

Because this guy is most likely an Android enthusiast that (unfortunately) is in a position to pick what technology to use. If you want security, Android should not even be on the list of candidates to use in the enterprise where security is paramount.

But no, he'll do it anyways because he's biased and probably needs the job security of maintaining such a system. In the end, the user community will hate the phones and whatever systems it's using.

Re:Why not an iPhone? (0)

Anonymous Coward | about 2 years ago | (#40170849)

Or maybe his company has some proprietary applications that he needs to load on the phones and obviously he's on a budget which immediately knocks out iOS and windows phone. But keep trolling you and the douchebag GP. Keep trolling.

Re:Why not an iPhone? (0)

Anonymous Coward | about 2 years ago | (#40171003)

*sigh* another uninformed iPhone fanboy

> But why are you not considering an iPhone? Storage on the device is hardware encrypted, and can be wiped remotely. You cannot have people using un-secured SD cards with it.

The Galaxy Nexus as well as any other Android 4.0 phone supports full encryption. Also, the Galaxy Nexus does not have an SD card slot. Furthermore, Android can be set up to be managed from a console in Google Apps and managed and wiped remotely.

> But really the biggest red flag I see is - you claim to be worried about security but then are trying to base a solution on the single most vulnerable platform for malware attacks. How can you responsibly suggest that for enterprise use?

And the hate spews out. Android is just as secure as anything else if not more so. The fact is that with remote management and locking the device down, he can block the install of third party applications and with it any malware. And while you are crowing against Android, iOS is regularly exploited by just going to a simple web page. When's the last time an Android 4.0 phone had that happen to it?

Re:Why not an iPhone? (1)

the_B0fh (208483) | about 2 years ago | (#40171495)

with or without locking out the Google AppStore?

Or are you saying that you are not worried about random apps your users will buy from the appstore?

And when iOS can be exploited by going to a simple web page, Apple releases an update, and you apply that update. How do you apply any update to a non-Nexus phone? Is it even available?

Re:Why not an iPhone? (0)

Anonymous Coward | about 2 years ago | (#40171609)

> with or without locking out the Google AppStore?

This is a business phone owned by the company; of course you would lock out the AppStore. If a user has a particular need then they can ask. A modern smartphone is a miniature PC. Would you let your PC users just install whatever they wanted?

> And when iOS can be exploited by going to a simple web page, Apple releases an update, and you apply that update. How do you apply any update to a non-Nexus phone? Is it even available?

I would only consider either a Nexus device or a device specifically set up for this kind of duty like the Droid Pro from Motorola.

Re:Why not an iPhone? (0)

Anonymous Coward | about 2 years ago | (#40171685)

Do you really trust Apple guys to weed out all the malware?
http://nakedsecurity.sophos.com/2011/11/08/apple%E2%80%99s-app-store-security-compromised/

Citrix CloudGateway (0)

Anonymous Coward | about 2 years ago | (#40170463)

Citrix CloudGateway: Access your apps(windows apps, web/saas apps, native mobile apps) and data, from any device, always secured using Citrix. It also has MAM - Mobile Application Management - built into it! Check it out at: www.citrix.com/cloudgateway

Weak spec: Secure from what while doing what? (5, Informative)

Fubari (196373) | about 2 years ago | (#40170489)

Your spec could honestly be stronger.
What threats do you want to secure against? What scenarios do you want to avoid? Do you want to ensure against virus protection? Lost devices? (e.g. oh noes! our client list is on wikileaks!) Locking down data?
For bonus points, what are the top three things your "reps" need to do?
Just make calls? Or do texting? Or access web mail? Or...?
And how many "reps" are there today? How many will there be next year?
And what is your logistics model? Everybody at the same physical workplace? Distributed "virtual" office? Different countries? Different languages?
Does your phone need to integrate with any of your workflow software?

Try writing up five or six hundred words on the above to enhance your question - I'm sure you'll get some useful advice if you do that.

Codename Android + Major cleanup (0)

Anonymous Coward | about 2 years ago | (#40170497)

I have been using Codename Android on a Nexus S phone and deleting a ton of apps; kinda tricky but worth it. I could send you the package if you are interested; reply in a comment.

MobileIron (2)

gregthebunny (1502041) | about 2 years ago | (#40170519)

I'm surprised I'm the only one suggesting this: Android Management [mobileiron.com]

Phone calls are already encrypted. Text messages stored on the phone will be encrypted if the phone's system storage is also encrypted. Data traffic can be encrypted by forcing the use of VPN back to the company's local network (and as such, web filtering, etc. also applied).

Re:MobileIron (1)

Anonymous Coward | about 2 years ago | (#40171519)

"30-Day SmartStart /after/ attending 'Trusted Mobility' introduction"

Yeah, sure, I'm going to work to be allowed to buy their software.... The same crap with all them DeviceManagement manufacturers, "you can't simply buy our software, that would be too easy, you have to take an interview by a sales bitch first, then we evaluate your request to become a customer, then MAYBE, just MAYBE you're allowed to buy >500 Licenses"...

Too obvious (0)

Anonymous Coward | about 2 years ago | (#40170535)

Reading through the posted answers I see BlackBerry popping up many times.

Why do I have a nagging suspicion that the 'anonymous reader' was hoping that would be the case?

Is security NEEDED or ASSUMED? (1)

TheSkepticalOptimist (898384) | about 2 years ago | (#40170661)

This is the first question you need to answer, most likely the answer is the latter.

BB (4, Informative)

Corson (746347) | about 2 years ago | (#40170675)

There is a... um, little known company, don't know if you ever heard of it, called Research in Motion, that has been making security on their smartphones their main priority SINCE 1999.

Too much free time on your hands? (1)

93 Escort Wagon (326346) | about 2 years ago | (#40170757)

> I was thinking of maybe installing Cyanogenmod onto something, using a permissions management app to try and lock down some backdoors and searching out a trustworthy text and phone encryption app. Any good ideas out there?

Custom-rolled solutions like this are a bad idea, and from a practical standpoint will likely result in less security going forward. Do you just have too much free time on your hands?

This is a problem that's largely been solved.

encrypted calls (1)

jbolden (176878) | about 2 years ago | (#40170879)

> use encryption for texting and phone calls.

I can't recommend or not recommend but http://www.koolspan.com/ [koolspan.com] offers a product to do this. Otherwise Nokia has been doing it for 8 years though with Symbian not Android.

How do you know...how do you know (1, Insightful)

sunking2 (521698) | about 2 years ago | (#40170971)

How do you know anything?

And just a heads up, your company and its information isn't nearly as important as you think it is and probably doesn't necessitate the need for any of this.

Enterproid Divide ? (1)

hubs99 (318852) | about 2 years ago | (#40171461)

How about Enterproid's Divide App [google.com]? It basically carves out an "Enterprise" section to an individual's phone. Space is encrypted and you can enforce Exchange mobile security policy. In function, when you log into the app it looks like a whole new Android Launcher with secure apps for phone, calendar, email, SMS, etc. Give it a shot. J

Blackberry is the right choice (3, Informative)

juniorkindergarten (662101) | about 2 years ago | (#40171543)

The combination of BlackBerry and BES is the correct choice if you want a secure enterprise solution. With a BES server you have complete control over the phones. Policies allow logging of everything that the phone does, including if you want all incoming and outgoing text messages, push and pull apps and calling restrictions.
The difference between consumer and enterprise BlackBerry is that the BES server has a secure key that you create and is unknown to BlackBerry; BIS is controlled by BlackBerry and is snoopable by governments.
I've found that the battery life is better on a BlackBerry, but the browser isn't the greatest, but has improved in the newest models. Another thing to keep in mind is the battery is field swappable, so if the battery wears out, YOU can switch it out, or carry a spare.
BlackBerry made the mistake of getting into consumer phones, but for enterprise situations, BlackBerry is the best way to go.