Nexus One vs. Top 10 Phone Security Requirements
hiouridah writes "Consumer Grade or Enterprise Ready? The Nexus One is entering a smart phone market that is taking increasing heat from enterprises for their lack of robust security features. So how does the Nexus One stack up?"
I will personally be waiting for the next gen to come around. It will most likely be like the iPhone was. First model was ok but the later were much better...
521MB RAM vs 256MB RAM
800x480 vs 480x320
1GHz vs 600MHz
5MP vs 3MP
AMOLED vs TFT
To top it off the Nexus One is a slimmer device.
Need I say any more? The iPhone is no longer king! Hoorah!
Pretty sure that the iPhone was never king among the geeks that care about hardware specs. The iPhone is king among the people who care about the number of apps, user experience, and style. The kind of people who base their decision on what they see on TV, or what their friends like, and not what they read on Slashdot.
You know, the vast majority of the population.
This "feature" is a prime reason I didn't buy an iPhone. I guess as a Security Guy he has to be willing to give up all his freedoms in his quest for security...
If you think imaginary property and real property are the same, when does your house become public domain?
After all, when coding a program they know will be open sourced, programmers are much less likely to add a vulnerable piece of code in the hope it won't be spotted or with the intention to fix it at some later date.
Beg the question much? Your conclusion is just as vague as the one in the article. I don't have any actual data either, but I would venture that accidental bugs are a much much much greater security risk than malicious ones, open source or not. Of course, it's pretty darn hard to spot a cleverly hidden bit of malicious code (and be able to distinguish it from a bug), so we may never know anyway.
Yes, I find this point annoying. But the article is from Network World, by the "Cisco Security Expert." But the Nexus One gets 4 of the 9 phone security requirements, including screen lock, VPN, wireless security, and application sandboxing. The ones missed, besides the OS being open source, include application signing, corporate enforcement of security settings, hardware data encryption, and remote wiping capability. I would hope that the data encryption would be added at some point, and be better than the USB thumb drives from the story yesterday. I'm sure the others can be added later, although one of the nice things about this is not requiring the blessing of Google to run an app.
There's nothing inherently secure or insecure about open source software. It's not like all open source software is built with different tools or in safer languages.
One could assert that open source programmers (at least those working for free) don't need to care about reliability or security since they aren't getting paid. One could also assert that anyone can create / contribute to an open source project, including those who don't know what they are doing.
However I don't think there's evidence for your assertion or my assertions.
They're going to put Flash on the Nexus.
Unless Adobe/Google's programmers have done the impossible and magically secured Flash, most of their security isn't going to be worth a damn.
[Fuck Beta]
o0t!
Also I'd question what the article means by Android being "in its infancy". Android is based on a well-tested OS that's been around for a while (Linux), the first phone running Android came out about a year ago, and the OS is past v2 (though version numbers don't necessarily tell you anything). I wouldn't call Android a long-running or well-established OS, but it's not like it was slapped together from scratch 6 months ago.
On my iPhone I can set a password. If it's entered incorrectly 10 times, the device automatically wipes itself.
I take it you have no small children or friends with an impish sense of humor, do you?
coding is life
While the default Exchange integration on Android 2.0 doesn't support all of the Exchange security features, Touchdown ( http://www.nitrodesk.com/dk_touchdownFeatures.aspx ) DOES. I used it initially on my DROID and am currently testing the native stuff now that Motorola released a corporate directory app on the app store. Remote wipe *IS* supported by the native Android ActiveSync implementation but not PIN security IIRC.
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
I doubt it's because of security solely. It's the BES management features that really sell it. Centralized policies, remote wipes, etc. Security is only part of that. The BB system relies on your pumping your mail to Ontario and BB's getting it from Ontario. It's not a direct connection to the BES server in your enterprise. So any outage in Ontario means an outage for you. Not sure how good of an idea that is, especially since Android and other ActiveSync phones connect straight to your mail server just like any email client, and not through BB's proxies, which can be compromised. Sure they use end to end security but how feasible are MITM attacks?
I could see Google or Microsoft reproducing some of these features for corporate customers. That would pretty much kill the BB. For everything the BB does well it does 5 other things badly.
Yeah, a good user experience and plenty of useful applications that just work. What sort of damned fool would ever want that?
I don't disagree with what you are saying but you are referencing things that have only been viable in the last year or so. Android is in its infancy and Microsoft just recently got their Mobile guys and Exchange guys to talk to each other. Given it takes a large company 3 years to DECIDE on what to implement and another 2 years to actually implement it you begin to understand why those options haven't been introduced into many large scale operations. I still don't know of any other mobile communication device (outside of the NSA) that implements hardware encryption like Blackberries do. Apple introduced encryption on the 3Gs but it was cracked about fifteen minutes after it was announced if memory serves. I fully expect RIM to lose market share this year but I would not count them out just yet.
I doubt this is Google's business offering. They know it will take much more to crack that nut. In the meantime they can sell this to the masses to increase interest in a business class device.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
And Google probably has an email system where everything is stored in Gmail in the cloud. For the rest of us, we have Exchange and people store a lot of data on phones.
The problem I have with the article is that he completely blows his credibility with that one simple statement about it being insecure by the virtue of it being open source. Everything else he's pretty much spot on.
I am Homer of Borg, resistance is - Ooo Donuts!
The iPhone 3Gs came out last June. That's roughly six months ago. That's not that long ago. Sure, if you want to place an arbitrary divider into the discussion (2009 vs 2010) to make it sound like it's been longer, feel free, but it doesn't change the fact that the iPhone 3Gs hasn't been out long and Apple is working hard to chase Android. Android's impact was already observed with the release of the iPhone 3Gs. There's not an iPhone 3Gs user that doesn't owe a thanks to Android. That's the nature of true competition. Everyone wins.
Why is parent modded flamebait? Nothing stated is false. Hell, he even provided a link to a video showing Flash on the N1 and raises a legitimate, topical point of contention.
The ONLY Android permissions that Flash needs are media related and MAYBE MAYBE MAYBE geolocation information.
Not likely to be true. Internet access is likely a given. Also, camera and mic access may also be within the realm of reason. Factually, the Internet access permission is all someone needs to make nasty with your device. Who cares if a spam bot is running at the Flash user ID - it's still ripe for abuse.