Slashdot Mirror


Apple, Google Diss the DoD Over Mobile Security

Julie188 writes "The Defense Information Systems Agency (DISA) has long supported the use of BlackBerry smartphones for soldiers. It built a system called Go Mobile to provide secure communications, training, and collaboration applications to mobile soldiers. DISA recently decided to add Android and iPhone to the list of approved devices because of high demand from users. Unfortunately, this choice has become a giant pain in the flank. Why? Because both Apple and Google refuse to give DISA access to their security APIs."


  1. Unpatriotic? by fey000 · · Score: 4, Funny

    Queue the Palin. Might be time for Apple and Google to be hunted down like Al-Qaeda. Is there any room left in the Assange bunker?

    1. Re:Unpatriotic? by Myrimos · · Score: 2

      Queue the Palin.

      I saw this a few days ago. Is this a meme? Pedantically speaking, Palin is a queue of one (at least!) wherever she is. Cue the responses. Might be time for Grammar Nazis and pendants to be hunted down like Apple and Google. Is there any room left in the Assange bunker?

      --
      Internet scofflaw
    2. Re:Unpatriotic? by netsharc · · Score: 2, Informative

      It'll be convenient for Palin to forget that RIM is a Canadian company. Or are they the obedient little Labradors anyway (since the UK is the poodle)?

      Also, Sergey Brin is Russian! Aaaaaa, he's a red commie!!!! But then again, Palin is neighbors with him, with her being able to see his childhood home from her front porch and what not.

      For my more serious contribution to this discussion, iPhone security is "trust that the app reviewer catches anything malicious that the developer is trying to do." Android security is "You are going to install $APP. This app wants access to these features: [read/write SD card, see call status, read/write address book, read/send SMSes, use GPS location]. Do you want to allow all and install?", while BlackBerry security is "This application wants these features. Choose which of them you want to allow, and which you want to deny."

      Or to be more detailed about it, for corporate BlackBerrys the admin can even do the allowing/denying, globally as well as individually for all apps, including denying the permission to the end-users to install all sorts of random apps.

      So which do you think offers more security?

      --
      What time is it/will be over there? Check with my iPhone app!
    3. Re:Unpatriotic? by Anonymous Coward · · Score: 2, Insightful

      For my more serious contribution to this discussion...

      So which do you think offers more security?

      Oh dear.

      As well as the app review process the iPhone does prompt when an app wants to first use location services, notification, push services, etc. and then allows you to manage and subsequently revoke those permissions. The apps are also sandboxed.
      I am not in a position to comment on any of the Android flavours or BlackBerry security, so I won't.

  2. Umm something is fishy by JonySuede · · Score: 4, Interesting

    Android is open source; how hard could it be to download the code and look into it to find those elusive security APIs?
    I have rolled custom firmware onto an Android device using the instructions on some forums, and it worked great. If a dude with his buddies can do it, why can't they?

    --
    Jehovah be praised, Oracle was not selected
    1. Re:Umm something is fishy by JonySuede · · Score: 3, Informative
      --
      Jehovah be praised, Oracle was not selected
  3. Use the source. by VortexCortex · · Score: 2, Insightful

    Want to access the "security" APIs? Use the Source.

    Why not just offer a custom DoD firmware for Android phones?

    Seriously, there's no way for an application to be "secure" if the platform the application runs on is itself untrusted.

    IMO, My device is not "secure" unless I can control the device's OS & inspect the device's hardware. My phone, my router, my PCs, my GPS, all have firmware I've compiled myself. If an average coder like myself can do this, the DoD shouldn't have any problems either.

    Note: Android works on iPhones too, it's still buggy, but the DoD could help with that if they desired, or just use phones that support custom, open source firmware.

    1. Re:Use the source. by mercury83 · · Score: 5, Interesting

      I know this is Slashdot and all, but still:

      IMO, My device is not "secure" unless I can control the device's OS & inspect the device's hardware. My phone, my router, my PCs, my GPS, all have firmware I've compiled myself.

      This doesn't make it secure. It just means that if someone's made a mistake, or inserted a backdoor, you've missed it. Control != Security -- sometimes it just creates a poor illusion of security. If you don't have control, you have to trust someone to provide security. Depending on who it is and what their experience is, I often prefer to trust.

      Regardless, one of the big issues that I've seen in this area is that although yes, you CAN jailbreak an iPhone or install custom firmware on whatever device you want, you want the ability to deploy commercial-off-the-shelf stuff to users in the field with a 10 second install from the app store. They want to leverage the existing distribution network for the product and application distribution for software packages. They want to piggyback off the commercial world with minimal development effort and cost. What you're proposing is a better model from a security perspective, but is massively more expensive.

    2. Re:Use the source. by VortexCortex · · Score: 5, Informative

      I know this is Slashdot and all, but still:

      IMO, My device is not "secure" unless I can control the device's OS & inspect the device's hardware. My phone, my router, my PCs, my GPS, all have firmware I've compiled myself.

      This doesn't make it secure. It just means that if someone's made a mistake, or inserted a backdoor, you've missed it. Control != Security -- sometimes it just creates a poor illusion of security. If you don't have control, you have to trust someone to provide security.

      I write code. I read code. Yes, someone can make a mistake, and I can miss the mistake, but I can also fix said mistakes as soon as the mistake is discovered. You can't do that unless you can compile your own OS / firmware. Faster Fixes == Less Vulnerability Window == More Secure. I'm not arguing that open source makes something secure, but using the source can give you more security than otherwise.

      If you argue that control != security, I will put it to you that the inability to Control = No Provable Security. Thus, Control = infinitely times more secure than uncontrollable. How secure is a device that can auto-update its firmware without your consent?

      Depending on who it is and what their experience is, I often prefer to trust.

      Let us not forget that I am compiling the same sources that those you "often prefer to trust" are compiling, except that I am also sure that no additional closed source code has been included in my build.

      Binary_Blob == !Trust;

    3. Re:Use the source. by Timmmm · · Score: 2, Insightful

      My phone, my router, my PCs, my GPS, all have firmware I've compiled myself.

      Who modded this insightful?

      Do you even have the source code for your GPS firmware, the baseband in your phone, your PC's BIOS and so on? No. Even if you did, are you seriously saying that you've perfectly audited hundreds of thousands of lines of code?

      Where's the "-1 this is really stupid" option?

    4. Re:Use the source. by Anonymous Coward · · Score: 3, Insightful

      Sometimes control isn't security, but lack of control is always insecurity. Any solution that results in security will necessarily require control.

      you want the ability to deploy commercial-off-the-shelf stuff to users in the field with a 10 second install from the app store.

      If you need security, then this simply isn't going to be one of your goals. Instead, you're going to want a 10 second install from your repository, which consists solely of software that you have audited. As a compromise, it might be software that someone else that you trust has audited, but that'll be someone like Theo de Raadt or maybe (stretching a little, but there are degrees of security) the Debian team. But it sure as hell won't be Apple or Google, because while those parties might be competent, their goals are at cross purposes with yours.

      And it's those cross purposes that this story is really about. Apple doesn't have a "Security API"; they have an "Apple Security API" which is intended to protect Apple's interests, not the interests of the users or the owners.

  4. DoD should not support the Foxconn iPhone by Animats · · Score: 3, Insightful

    The iPhone is made by the Foxconn division of Hon Hai Precision Industry Company Ltd, in Shenzhen, China. Apple is just the design and sales firm. That's not a reliable source for secure DoD communications.

    There are still some non-China cell phone manufacturing facilities. DoD needs to look hard at sourcing.

    1. Re:DoD should not support the Foxconn iPhone by arogier · · Score: 2, Informative

      I don't see why the DoD can't contract Texas Instruments to make them a custom Android phone entirely in the US.

    2. Re:DoD should not support the Foxconn iPhone by hedwards · · Score: 2

      Because it's not like our allies spy on us.

  5. Access to what? by beakerMeep · · Score: 5, Insightful

    TFA is very light on technical details. What security API are they looking to access? To do what? They have access to AOSP/Linux, and could even cook up custom ROMs if they needed. Is there some cryptographic hardware driver they need or something?

    Also, from the 'article':

    It seems to me that Apple and Google are making self-centered bad decisions here that won't play well with the American public. Clearly, Apple and Google should re-think these myopic and selfish policies

    WTF? Maybe this journalist should re-think his self-centered trite opinion fluff pieces. Oh wait, it's NetworkWorld. Not much chance of that happening I guess.

    --
    meep
    1. Re:Access to what? by UnknowingFool · · Score: 4, Insightful

      One person I spoke with from DOD said that Apple flat out refused to play ball, telling DOD to "talk to our integrators and carriers."

      I don't have any more details than the author, but he seems to be making assumptions based on conversations that he wasn't involved with. Maybe the simple fact of the matter is that Apple doesn't have any security APIs that would meet the DoD standards. Frankly, Apple has designed their phone for the consumer space; BlackBerries are more designed for security. Also, it may be that Apple simply doesn't want to share any source code with the government. If they did, someone here on Slashdot would espouse some conspiracy theory that Apple was helping the federal government track and mind-control you through your iPhone.

      As for Android, it is open source so the DoD can make their own modifications like the NSA did with SELinux.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    2. Re:Access to what? by russotto · · Score: 3, Insightful

      Apple doesn't have any integrators either, so that conversation makes no sense.

  6. I don't think this is the full picture... by EnglishTim · · Score: 5, Interesting

    Shenanigans! There's got to be more to it than this.

    The entire source for Android is available; what could Google be holding back? It's not as if they manufacture the phones.

    What are these 'Security APIs'? It doesn't make any sense.

    I think it's more likely that the DoD asked for some of Google / Apple's signing keys and the companies rightly refused.

    1. Re:I don't think this is the full picture... by digitaltraveller · · Score: 2

      Last time I looked (~2.0 era) there was still a ton of closed source stuff in android, usually labelled 'prebuilt' in the source directory.

      Even if all the prebuilt stuff is gone now, there is still a ton of closed source firmware that's not distributed, but required for a working handset.

      Cyanogen would be the man to ask to get all the nitty-gritty.

  7. Patriotism? by SuperSlacker64 · · Score: 5, Insightful

    According to the article, practically the only reason given for why Google and Apple should give access to these APIs is to be patriotic. But as a few other people have pointed out, Google and Apple, though based in the US, are no longer solely US companies. What would this article's opinion have been had Russia or China or some other country's equivalent Department of Defense asked for access to these APIs, I wonder?

  8. security, the ultimate pretext by bzipitidoo · · Score: 3, Interesting

    The military's security evaluations are heavily biased. Any technology the military does not want to use can be declared insecure, whether or not it is, and vice versa. One can always find a reason something is not secure.

    For example, they wanted to use Windows, and not any flavor of UNIX. The fact that Windows is produced by an American company was trotted out as a reason it was more secure. Code written by foreigners might have back doors, etc. Also, open source software development was shot down as fundamentally less secure than proprietary ways. Anyone might slip malware into open source. So, no Linux or FreeBSD. But then, why not a proprietary UNIX? They also prefer dealing with big companies, which informally disqualifies many UNIX vendors. They just have to come up with good sounding excuses, and security ones are great.

    For the other side of the issue, they'll lean on their evaluators to rubber stamp tech that they like. Often it seems that what they really want out of their evaluators is creative reasoning that gives them the cover they need to use what they want, not impartial evaluations. Or they'll bypass them. They can get approval on an interim basis when there is nothing secure enough, and they have to have something. They're accustomed to Windows, and they like it, so they found ways to get it on board.

    However, they can't do absolutely anything. Often there are ways that, though extremely inconvenient, do increase apparent security, and which cannot be worked around. A big one is the "air gap": you need a separate computer for each network, to prevent information leakage across the boundaries.

    --
    Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    1. Re:security, the ultimate pretext by AF_Cheddar_Head · · Score: 2

      WTF are you talking about? Unix and Linux are used extensively on mission systems within the DoD. If you think they use Windows to manage the missile systems, you need to think again.

      You are correct in thinking that if a general wants something then he can probably get it, secure or not, but you are an idiot to think that Open Source is not used in the DoD. The politics can overrule the evaluators. Many times I have seen the evaluators say something is not a good idea and get overruled by the bosses.

    2. Re:security, the ultimate pretext by gandhi_2 · · Score: 2

      FBCB2 runs on Solaris and can be found in almost every Stryker since 2001.

      It can be found in almost every US platoon of wheeled vehicles in Iraq or Afghanistan. Probably in all the Brads and Abrams too.

  9. Bad summary by zigfreed · · Score: 2

    Google and Apple just told DISA to talk to the integrators. They aren't getting special treatment, which makes sense: as big as the DoD is, they are still smaller and more specialized than the general public which the devices were meant to serve.

    This is a job for a small, tight-knit development company developing under NDA, i.e. integrator.