Apple, Google Diss the DoD Over Mobile Security

Julie188 writes "The Defense Information Systems Agency (DISA) has long supported the use of BlackBerry smartphones for soldiers. It built a system called Go Mobile to provide secure communications, training, and collaboration applications to mobile soldiers. DISA recently decided to add Android and iPhone to the list of approved devices because of high demand from users. Unfortunately, this choice has become a giant pain in the flank. Why? Because both Apple and Google refuse to give DISA access to their security APIs."

Umm something is fishy

[JonySuede]

Android is open source, how hard could it be to download the code and look into it to find those elusives security apis ?
I have rolled custom firmware onto an android device using the instruction on some forums, and it worked great, if a dude with is budgies can do it, why can't they ?

I don't think this is the full picture...

[EnglishTim]

Shenanigans! There's got to be more to it than this.

The entire source for Android is available; what could Google be holding back? It's not as if they manufacture the phones.

What are these 'Security APIs'? It doesn't make any sense.

I think it's more likely that the DoD asked for some of Google / Apple's signing keys and the companies rightly refused.

Re:Use the souce.

[mercury83]

I know this is Slashdot and all, but still:

IMO, My device is not "secure" unless I can control the device's OS & inspect the device's hardware. My phone, my router, my PCs, my GPS, all have firmware I've compiled myself.

This doesn't make it secure. It just means that if someone's made a mistake, or inserted a backdoor, you've missed it. Control != Security -- sometimes it just creates a poor illusion of security. If you don't have control, you have to trust someone to provide security. Depending on who it is and what their experience is, I often prefer to trust.

Regardless, one of the big issues that I've seen in this area is that although yes, you CAN jailbreak iPhone or install custom firmware on whatever device you want, you want the ability to deploy commercial-off-the-shelf stuff to users in the field with a 10 second install from the app store. They want to leverage the existing distribution network for the product and application distribution for software packages. They want to piggyback off the commercial world with minimal development effort and cost. What you're proposing a better model from a secure perspective, but is massively more expensive.

security, the ultimate pretext

[bzipitidoo]

The military's security evaluations are heavily biased. Any technology the military does not want to use can be declared insecure, whether or not it is, and vice versa. One can always find a reason something is not secure.

For example, they wanted to use Windows, and not any flavor of UNIX. The fact that Windows is produced by an American company was trotted out as a reason it was more secure. Code written by foreigners might have back doors, etc. Also, open source software development was shot down as fundamentally less secure than proprietary ways. Anyone might slip malware into open source. So, no Linux or FreeBSD. But then, why not a proprietary UNIX? They also prefer dealing with big companies, which informally disqualifies many UNIX vendors. They just have to come up with good sounding excuses, and security ones are great.

For the other side of the issue, they'll lean on their evaluators to rubber stamp tech that they like. Often it seems that what they really want out of their evaluators is creative reasoning that gives them the cover they need to use what they want, not impartial evaluations. Or they'll bypass them. They can get approval on an interim basis when there is nothing secure enough, and they have to have something. They're accustomed to Windows, and they like it, so they found ways to get it on board.

However, they can't do absolutely anything. Often there are ways that though extremely inconvenient, do increase apparent security, and which cannot be worked around. A big one is the "air gap". Need a separate computer for each network, to prevent information leakage across the boundaries.