Nexus One vs. Top 10 Phone Security Requirements

hiouridah writes "Consumer Grade or Enterprise Ready? The Nexus One is entering a smart phone market that is taking increasing heat from enterprises for their lack of robust security features. So how does the Nexus One stack up?"

Im going to wait.....

I will personally be waiting for the next gen to come around. It will most likely be like the iPhone was. First model was ok but the later were much better...

Re:Im going to wait.....

[stiggle]

I'm going to wait for the 6th version to come along.
I was to see the video footage it takes of "Attack Ships on fire off the shoulder of Orion" :-)

Re:Im going to wait.....

[norminator]

I will personally be waiting for the next gen to come around. It will most likely be like the iPhone was. First model was ok but the later were much better...

This is only the first gen for the hardware of the device, which already includes 3G (T-Mobile only, though), which wasn't available on the iPhone until the 2nd gen. The 3rd Gen iPhone added performance improvements, hardware-wise, but it wasn't fixing any design flaws in the device. Also, as far as hardware goes, it's built by HTC, and isn't a huge departure from the general design of HTC's other handsets, so there's not likely to be many hardware snags.

As far as software goes though, the Android platform is already on its second generation, and out of that, this is the second Android phone to use Android 2.x.

So basically, this (along with the Droid) is the next gen Android phone.

hmmm...

It stacks fairly well but will topple if you stack too many

Re:hmmm...

[Anonymous+Monkey]

Yes, Lego still stacks up better than anything else. Therefore Lego should produce all our computer and communications hardware.

I for one welcome our new Mindstorm(tm) overlords having a grammar war over Lego/Legos.

N1 vs Iphone

[Karganeth]

521MB RAM vs 256MB RAM
800x480 vs 480x320
1Ghz vs 600Mhz
5MP vs 3MP
AMOLED vs TFT

To top it off the nexus one is a slimmer device. Need I say anymore? The iPhone is no longer king! Hoorah!

Re:N1 vs Iphone

[GooberToo]

The iPhone 3Gs came out last June. That's roughly six months ago. That's not that long ago. Sure, if you want to place an arbitrary divider into the discussion (2009 vs 2010) to make it sound like its been longer, feel free, but it doesn't change the fact that the iPhone 3Gs hasn't been out long and Apple is working hard to chase Android. Android's impact was already observed with the release of the iPhone 3Gs. There's not an iPhone 3Gs user that doesn't owe a thanks to Android. That's the nature of true competition. Everyone wins.

Re:N1 vs Iphone

[CyberNigma]

The Nexus One will not run apps from external storage (flash card) unless you root it. By default, it will not allow it since they are trying to prevent pirating of paid apps. They are working on a solution such as encrypting paid apps so they can be downloaded to a flash card and run from there. Currently, however you have to root the device, which is easy, but necessary and may violate your operator's terms of service.

By default, Nexus One only has about 256MB (internal memory storage) of space for apps and can't be upgraded.
If you root the Nexus One then you have as much space as you can afford in the form of storage cards.

If you download a lot of apps and choose not to root your phone, you will run out of space very quick and will have to pick which apps you really want.

Obvious article is obvious

[nitefallz]

I don't think the N1 is targeted at the corporate world. Google seems to have larger mobile plans than this, so I would expect some corporate type product in the future.

Re:Obvious article is obvious

[toastar]

Wait Wait Wait.... Are you saying the Iphone is targeted at the business world?

I'm not sure the article fully understands androids capabilities, I have a remote wipe app on my g1.
The only real security feature the iphone has is the lack of a SD card.

From the article

[Albanach]

-Operating system: The Android operating system is in its infancy and like any new piece of software is likely to be full of security bugs. Android is also open source, so it is highly susceptible to developers with malicious intent finding those bugs quicker than if the OS was closed like the iPhone or blackberry OS. However, the open source nature of the OS should also become a benefit for its security longer term as coders with good intent scrub Android and find the security holes and patch them. Without the source code this job becomes much harder and takes considerably longer. Bottom line is it’s a mixed bag, less secure in the short term but able to become more secure faster than a close OS can.

Is there any evidence that an open source program is less secure in the short term than a closed source one?

After all, when coding an program they know will be open sourced, programmers are much less likely to add a vulnerable piece of code in the hope it won't be spotted or with the intention to fix it at some later date.

Re:From the article

[jeffmeden]

After all, when coding an program they know will be open sourced, programmers are much less likely to add a vulnerable piece of code in the hope it won't be spotted or with the intention to fix it at some later date.

Beg the question much? Your conclusion is just as vague as the one in the article. I don't have any actual data either, but I would venture that accidental bugs are a much much much greater security risk than malicious ones, open source or not. Of course, it's pretty darn hard to spot a cleverly hidden bit of malicious code (and be able to distinguish it from a bug), so we may never know anyway.

Re:From the article

[jimbobborg]

Yes, I find this point annoying. But the article is from Network World, by the "Cisco Security Expert." But the Nexus One gets 4 of the 9 phone security requirements, including screen lock, VPN, wireless security, and application sandboxing. The ones missed, besides the OS being open source, include application signing, corporate enforcement of security settings, hardware data encryption, and remote wiping capability. I would hope that the data encryption would be added at some point, and be better than the USB thumb drives from the story yesterday. I'm sure the others can be added later, although one of the nice things about this is not requiring the blessing of Google to run an app.

Re:From the article

[nxtw]

Is there any evidence that an open source program is less secure in the short term than a closed source one?

There's nothing inherently secure or insecure about open source software. It's not like all open source software is built with different tools or in safer languages.

After all, when coding an program they know will be open sourced, programmers are much less likely to add a vulnerable piece of code in the hope it won't be spotted or with the intention to fix it at some later date.

One could assert that open source programmers (at least those working for free) don't need to care about reliability or security since they aren't getting paid. One could also assert that anyone can create / contribute to an open source project, including those who don't know what they are doing.
However I don't think there's evidence for your assertion or my assertions.

Re:From the article

[TubeSteak]

They're going to put Flash on the Nexus.
Unless Adobe/Google's programmers have done the impossible and magically
secured Flash, most of their security isn't going to be worth a damn.

Re:From the article

[nine-times]

Also I'd question what the article means by Android being "in its infancy". Android is based on a well-tested OS that's been around for a while (Linux), the first phone running Android came out about a year ago, and the OS is past v2 (though version numbers don't necessarily tell you anything). I wouldn't call Android a long-running or well-established OS, but it's not like it was slapped together from scratch 6 months ago.

Re:From the article

[benro03]

The problem I have with the article is that he completely blows his credibility with that one simple statement about it being insecure by the virtue of it being open source. Everything else he's pretty much spot on.

Re:From the article

[GooberToo]

Also I'd question what the article means by Android being "in its infancy".

Android right now means Linux + Framework. Sure the framework can be made to run on other OSs, but for now they use Linux.

No bones about it, the Android framework is definitely in its infancy. Google breaks applications left and right with just about every release. In some cases they even deprecate interfaces without providing an alternative interface; leaving developers and users boned.

And because of Android's infancy, Verizon's Droid has known Android incompatibilities between the emulator and the GSM variant (Milestone). In fact, that's what was behind Droid's update from 2.0 to 2.01; even requiring an SDK update and new SDK version (5 to 6) for developer's to support. Despite the 2.01 update, Droid still has some broken interfaces because Verizon was forced to write their own Android-CDMA framework hooks - as Android's native CDMA interface wasn't ready at the time.

While I think Android is excellent and I even own an Android phone, to be absolutely clear, both users and developers are very much feeling both the pains and absolute indifference Google has for them. For example, the Android market application and interfaces available to developers is still third world crap and a far cry from acceptable. Right now developers have to support Android 1.1 (large deprecated now), 1.5, 1.6, 2.0 (obsoleted), 2.01, and soon 2.1. Each has their own quirks, incompatibilities, broken interfaces, new and improved interfaces, screen sizes, etc. Contrary to the recent stream of FUD being spread, with the possible exception of Verizon's breakages, none of this means Android is fracturing and/or forking, but it does make for a huge headache for users and especially developers.

As for the market, Google can't even properly count the number of actively installed applications for developers. The numbers provided are known to be completely useless and inaccurate. They still don't provide tools to developers. You still can't browse the market from your computer. Application descriptions are laughably terse. The user comment system exists solely to abuse developers and harm sells. Developers can't event reply to criticism - only the most recent. About the only positive thing the Android market has going now is that its easy to remove spam and abusive comments - but that makes one wonder how often legitimate comments are now removed as anyone can mark comments as spam.

In short, Google still has a very long way to make Android grown up. Sure its continuously getting better, and more stable with each release, but anyone who believes Android is stable and full grown simply doesn't have their ear to the ground to hear the real state of things.

Re:From the article

[GooberToo]

Why is parent modded flamebait? Nothing stated is false. Hell, he even provided a link to a video showing Flash on the N1 and raises a legitimate, topical point of contention.

Re:From the article

[GooberToo]

The ONLY android permissions that flash needs are media related and MAYBE MAYBE MAYBE geolocation information.

Not likely to be true. Internet access is likely a given. Also, camera and mic access may also be within the realm of reason. Factually, the Internet access permission is all someone needs to make nasty with your device. Who cares if a spam bot is running at the flash user id - its still ripe for abuse.

Specs don't matter

[ThrowAwaySociety]

521MB RAM vs 256MB RAM

800x480 vs 480x320

1Ghz vs 600Mhz

5MP vs 3MP

AMOLED vs TFT

To top it off the nexus one is a slimmer device.

Need I say anymore? The iPhone is no longer king! Hoorah!

Pretty sure that the iPhone was never king among the geeks that care about hardware specs. The iPhone is king among the people who care about the number of apps, user experience, and style. The kind of people who base their decision on what they see on TV, or what their friends like, and not what they read on Slashdot.

You know, the vast majority of the population.

Re:Specs don't matter

[b0bby]

Pretty sure that the iPhone was never king among the geeks that care about hardware specs.

I'm not so sure, the biggest phone geek I know has switched to an iphone. "User experience" is important for geeks too, and I have to say the iphone seems to deliver a great one (at a price).

Re:Specs don't matter

[ThrowAwaySociety]

Could you be any more smug and arrogant?

I don't think so. I managed to insult both the Slashdot-nerd crowd, and the regular-Joe-Shmoe crowd. I think that makes me the smuggest, most arrogant bastard going.

Thanks for acknowledging that achievement, though!

Re:Specs don't matter

[Karganeth]

Why do slashdot users insist on perpetuating the myth that the general population is completely clueless about anything hardware? If someone's going to invest $2,580 for a nexus one (or $3780 for an iPhone) chance are they're going to know a decent amount about it. Even if they don't know the particular processor chip inside or what AMOLED means, they'll know that it feels fast and they'll see that the screen is nothing but amazing.

Re:Specs don't matter

[FlyingBishop]

I can't bring myself to purchase a computer that lacks an interpreter I can use to write scripts.

Re:Specs don't matter

[EvilNTUser]

I care about hardware specs, and I would probably choose any Android device over iPhone OS. BUT, and this is a big but, staring at raw hardware specs is even more stupid with phones than with computers. They're not even running the same OS.

Just to make a point:

521MB RAM vs 256MB RAM - How much of this is actually free after the OS is loaded? What proportion of apps are statically linked (if the OS has poor libraries)?

1GHz vs 600MHz - a) Is the theoretically faster speed achieved with a pipeline that's too long (see Netburst)? b) Even if it's faster, is it actually noticeable or are most operations I/O-bound? c) What operations are hardware accelerated in each OS?

5MP vs 3MP - And lens quality?

AMOLED vs TFT - Whatever, show me photos with daylight and I'll see what I think.

Revoke Applications

[dwandy]

From TFA: Apple iPhone requires application signing and it issues and revokes the certificates making it a powerful security feature.

This "feature" is a prime reason I didn't buy an iPhone. I guess as a Security Guy he has to be willing to give up all his freedoms in his quest for security...

4 real issues

[Enderandrew]

We're talking enterprise here, right?

Who cares about touch screens and resolution. I do as a geek, but these are the real issues:

Do you need a separate server to properly sync with Exchange?
How well does it sync with Exchange?
How secure is it, and can it handle encryption? (The iPhone can't be used in many organizations for this very reason)
Is the email app any good? The iPhone mail app for instance is very much lacking in comparison to the Blackberry email app.

Suits care about covering their asses, and checking email. If it can't do that, it won't be used in the enterprise.

Re:4 real issues

[Enderandrew]

If I recall (and I can be mistaken) the big issue is that the iPhone can only do encryption one-way when syncing. Apple was literally bidding on a government contract for iPhone usage in the military, and the bid got thrown out when that was uncovered.

Oddly enough, Apple has still yet to fix the issue.

RIM's bread and butter

[ArhcAngel]

I increasingly hear this question from both my IT peers and users alike "Why does our company stick with Blackberry when phone XYZ is so much better?" The long and the short of it is SECURITY. I mean when India insisted RIM provide them with a back door so they could spy on BB users RIM's response was "We don't even have a back door". I would love to see a smartphone come out with all of the security features RIM has had for years so I could offer it to the Executive VP instead of telling him "I'm sorry but since you receive strictly private emails you are not allowed to use anything but a Blackberry" and having him start making calls and ultimately buying it on his expense account connecting it to the network in rogue fashion.

Re:RIM's bread and butter

I was going to Google "India RIM backdoor", but quickly thought against that idea.

Re:RIM's bread and butter

[gad_zuki!]

I doubt its because of security soley. Its the BES management features that really sell it. Centralized policies, remote wipes, etc. Security is only part of that. The BB system relies on your pumping your mail to Ontario and BB's getting it from Ontario. Its not a direct connection to the BES server in your enterprise. So any outtage in Ontario means an outtage for you. Not sure how good of an idea that is, especially since Android and other Activesync phones connect straight to your mail server just like any email client, and not through BB's proxies, which can be compromised. Sure they use end to end security but how feasible are MITM attacks?

I could see Google or Microsoft reproducing some of these features for corporate customers. That would pretty much kill the BB. For every thing the BB does well it does 5 other things badly.

Re:RIM's bread and butter

[ArhcAngel]

I don't disagree with what you are saying but you are referencing things that have only been viable in the last year or so. Android is in its infancy and Microsoft just recently got their Mobile guys and Exchange guys to talk to each other. Given it takes a large company 3 years to DECIDE on what to implement and another 2 years to actually implement it you begin to understand why those options haven't been introduced into many large scale operations. I still don't know of any other mobile communication device (outside of the NSA) that implements hardware encryption like Blackberries do. Apple introduced encryption on the 3Gs but it was cracked about fifteen minutes after it was announced if memory serves. I fully expect RIM to lose market share this year but I would not count them out just yet.

I doubt this is Google's business offering. They know it will take much more to crack that nut. In the meantime they can sell this to the masses to increase interest in a business class device.

Re:RIM's bread and butter

[ArhcAngel]

Thanks, for some reason Google failed me. But it would probably be better to direct to the actual article rather than a tech blog about the article...

http://economictimes.indiatimes.com/RIM_agrees_to_pass_BlackBerry_content_on_condition/rssarticleshow/3056271.cms

from the article:

"The encrypted data packets sent through BlackBerry are password protected and could be deciphered only with the help of "Public Key" and "Private Key" together. The other provision is to build a super computer, which could take nearly three years and the results beyond a certain frequency were not guaranteed.

So yeah they "helped" the Indian government snoop but hardly gave them a master key.

Good prediction

[YourExperiment]

I particularly loved this line from the article: -

But for now, I don't expect to see any corporations handing out the Nexus One to their employees.

I guess he didn't hear about a little corporation named "Google".

Re:Good prediction

[alen]

and google probably has an email system where everything is stored in Gmail in the cloud. for the rest of us, we have exchange and people store a lot of data on phones

Remote data wipe?

[ducomputergeek]

Phones are easy to loose or get nicked. One of the features enterprises like about the Blackbery is the ability to do a remote datawipe. On my iPhone I can set a password. If it's entered incorrectly 10 times, the device automatically wipes itself. I can also do a remote datawipe as well. I've tried googling about this feature on the N1 and so far have found nothing.

Ability to do a remote data wipe is key for the enterprise market.

Re:Remote data wipe?

[Qubit]

On my iPhone I can set a password. If it's entered incorrectly 10 times, the device automatically wipes itself.

I take it you have no small children or friends with an impish sense of humor, do you?

Re:I have my doubts

[shentino]

How do we know the government hasn't got some super-secret telepathy interceptor that you are just trying to lead our thoughts right into?

You could very well be a double agent yourself.

Why should we trust you?

For those who don't want to skim TFA

[DJRumpy]

Screen Lock (including gestures to unlock in addition to alphanumeric codes)
VPN support
Standard Wireless Support (Wireless-N as well which is nice)
Application Sandboxing
Lacks Corporate Policy Enforcement (fail for enterprise)
Application Signing - Doesn't require trusted signers which defeats the purpose
No hardware encryption (fail for enterprise)
No Remote Wipe (fail for enterprise)

IMO, the phone definitely seems ready for the home user, but is very lacking for enterprise

King? iPhone Is The 3rd Place Phone

[MediaStreams]

http://www.intomobile.com/2009/11/12/apple-iphone-takes-third-place-in-q3-global-smartphone-sales.html

Nokia is the king.
RIM behind them.

And finally Apple in third place. So, no, Apple and iPhone isn't the king of anything in the cellphone market.

Re:King? iPhone Is The 3rd Place Phone

[Patch86]

And no consumers want choice, right? People much prefer to compromise on what they want from a product because of a limited product line, obviously!

(Nokia sells a range of different devices filling a whole range of price and hardware niches. Seeing as their combined range outsells Apples combined range by a considerable amount, I'd guess it's a strategy which is serving them pretty well).

Remote datawipe does exist on Android.

[tweek]

While the default Exchange integration on Android 2.0 doesn't support all of the Exchange security features, Touchdown ( http://www.nitrodesk.com/dk_touchdownFeatures.aspx ) DOES. I used it initially on my DROID and am currently testing the native stuff now that Motorola released a corporate directory app on the app store. Remote wipe *IS* supported by the native android ActiveSync implementation but not PIN security IIRC.

At least he avoided using "sheeple"

[Quiet_Desperation]

Yeah, a good user experience and plenty of useful applications that just work. What sort of damned fool would ever want that?

Re:At least he avoided using "sheeple"

[indiechild]

The universe doesn't revolve around the US.

Application signing is worthless?

[tibman]

The application signing is worthless because they are self-signed certs? WTF is this guy smoking. Just because someone pays a CA to sign their cert doesn't make it magically more secure. I'll be honest, i think CAs should die off (in their current forms).

Nexus One vs iPhone 3Gs vs. N900

[Hurricane78]

I’m sure if you ask the Japanese, they will laugh in your face. But a quick comparison:

Nexus One vs iPhone vs. N900

CPU: 1GHz Qualcomm SnapDragon | 600 Mhz ARM Cortex-A8 + PowerVR SGX | 600 MHz ARM Cortex-A8 + PowerVR SGX
RAM: 512MB | 256MB | 1GB
Display: 800x480 AMOLED | 480x320 TFT | 800x480 TFT
Camera: 5 MP, LED flash | 3 MP, no flash | 5 MB + 0.3 MP (dual), LED flash | (All without optical zoom, which in this day and age, is pathetic.)
Storage: 4 GB + unlimited | 16 GB (fixed) | 32 GB + unlimited
Battery: 1400 mAh | 1219 mAh (non-removable) | 1320 mAh | (all 3.7 V li-ion)
Input: capacitive touchscreen + trackball | multi-touch touchscreen | resistive touchscreen + 38-key backlit keyboard
OS: Android | iPhone OS | Maemo Linux
Dimensions: 119 * 59.8 * 11.5 mm | 115.5 * 62.1 * 12.3 mm | 110.9 * 59.8 * 18 mm
Java support: yes | no | yes
GPS: They all got A-GPS and Wi-Fi triangulation is possible with a software. Although from what I heard, the iPhone has that software built-in. (I bought it for 3€ for my Nokia, so not much trouble there.)
Ability to put on it and do with it what you want: likely | locked down | absolutely
FM radio: no | no | yes

That’s about the differences I could make out. I hope this gives a better picture. I tried to stay unbiased. (And I’m sure I will draw hate for this. ;) As always: No guarantees.

Re:Nexus One vs iPhone 3Gs vs. N900

[jspenguin1]

The N900 has 256MB actual RAM, plus 768MB swap on an internal MMC card. It has to have more memory because unlike the iPhone and Android, applications must be explicitly closed (by closing the window) before they are unloaded.

The internal storage card is split into three partitions: 2GiB app storage, 768MiB swap, 25GiB user. The reason the app storage is separate is because it is formatted ext3, but the user storage must be formatted FAT for Windows hosts to access it through USB Mass Storage. Some applications (games, mostly) do install large data files there, though.