Slashdot Mirror


What To Do About Mobile Devices That Lie

GMGruman writes "InfoWorld has caught two Android devices that falsely report security compliance that the Android OS does not actually support, and Apple quietly has dropped its jailbreak-detection API from iOS 4. So how can IT and businesses that allow iPhones, iPads, and Androids trust that the new generation of mobile devices won't become Trojan horses for malware? There's no easy answer, but Galen Gruman explains what current technologies can do to help — and how Apple, Google, and others might increase the trustworthiness of their platforms in the future."

23 of 107 comments

  1. Nothing by xnpu · · Score: 4, Insightful

    Do nothing. Didn't we read yesterday that the NSA assumes they're compromised? Sounds like a healthy way to operate - for everyone. While it may sound slightly paranoid and a "hassle", this is only true initially IMHO.

    1. Re:Nothing by Kalidor · · Score: 3

      Agreed, so much of "security" from a lot of these companies is simply ruthless marketing these days anyway.

      --
      Code softly but carry a big magnet.

    2. Re:Nothing by The+End+Of+Days · · Score: 2

      Shocking, people figure out ways around the tightest security when the target is worth it.

    3. Re:Nothing by Z00L00K · · Score: 2

      Assume that all security claims are false. It's just that any security hole hasn't been found yet.

      There is always a way to hack something running software. Live with it, just make sure that you accept the risks of being overheard and that your address book may be downloaded to some third party that uses it for their own purposes.

      As for companies - considering the large amount of phones and crap around anyone that really wants to listen in on secret conversations/information uses more targeted methods. Only a few in a company have something really secret. And most of those secrets are short-lived anyway.

      The classic spy/bug method is still one of the best methods to use.

      But security in devices is something that the manufacturer shall allow for, but it shall not constrain the user. Because if users have freedom in their devices every device will look different and it's harder to do a massive harvesting of interesting information.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.

    4. Re:Nothing by IchBinEinPenguin · · Score: 3, Insightful

      Indeed. The Chinese measures seem geared mostly towards stopping people (connection resets, dns poisoning, etc), whereas the US ones towards criminalizing people (logs.) Which is not to say that the Chinese would never prosecute you as a criminal, they probably will if it suits them, but it's not their default modus operandi.

      Perhaps it's because when some governments go after their citizens they don't bother with niceties like 'evidence', 'logs' or even 'trials'.

    5. Re:Nothing by Anonymous Coward · · Score: 2, Informative

      I am certain that Liu Xiaobo agrees with you, not that bad at all . . . .

    6. Re:Nothing by icebraining · · Score: 3, Informative

      Manning released thousands of confidential papers. Regardless of what we think about him (I support his actions, but then again, I'm not American), it's still more grave than a single re-tweet.

    7. Re:Nothing by Opportunist · · Score: 2

      Nothing. Not even if you're in the IT sec business. My first reaction was "oh goodie, consulting will increase!"

      It didn't.

      Nobody gave a shit.

      Imagine this: You go to a company that not only has a lot of IP but also deals with China on a day to day basis because most of their manufacturing is there, present this to them and they dismiss it as "aw, that couldn't happen to us, our contractors are honest".

      It's one thing to be spied on. It's another to make it trivially easy.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  2. You don't. by PhrostyMcByte · · Score: 4, Insightful

    So how can IT and businesses that allow iPhones, iPads, and Androids trust that the new generation of mobile devices won't become Trojan horses for malware?

    You don't trust them. Just like you should be doing with desktops/laptops, don't setup services in a way that they allow a phone to ruin your data.
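An added illustration of the point above, written for this mirror and not taken from the article or from any commenter: a toy sync gateway in which the client's self-reported "policy compliant" flag is untrusted input, with the weak design (the client's claim unlocks data) next to an enforcing one (only server-held enrolment records decide, and an under-capable device is capped at a low-exposure tier no matter what it claims). The device records, policy capability names, request shape and audit messages are all constructed assumptions, not any real Exchange or MDM protocol.

```python
# Added illustration, not code from the article or any commenter: a toy sync
# gateway showing why a client's self-reported "policy compliant" flag must not
# be what unlocks data, and what server-side enforcement looks like instead.
# Device records, policy names and requests are constructed sample data.
from dataclasses import dataclass
from typing import Optional

# Constructed: what the server itself knows about each device, recorded at
# enrolment (e.g. when the handset was issued), independent of anything the
# client asserts about itself at sync time.
ENROLLED_DEVICES = {
    "dev-1001": {"model": "issued-handset-A",
                 "verified_capabilities": {"pin_lock", "remote_wipe", "storage_encryption"}},
    "dev-2002": {"model": "personal-handset-B",
                 "verified_capabilities": {"pin_lock"}},
}

# Constructed policy: every capability here must be present for full access.
POLICY_REQUIRED = {"pin_lock", "remote_wipe", "storage_encryption"}


@dataclass(frozen=True)
class SyncRequest:
    device_id: str
    claims_compliant: bool  # flag sent by the client: untrusted input
    wants: str              # requested tier: "mail_preview" or "full_sync"


def naive_gateway(req: SyncRequest) -> str:
    """Weak design: whatever the client asserts decides the access tier.
    A device that misreports compliance receives a full offline mailbox copy."""
    return req.wants if req.claims_compliant else "denied"


def enforcing_gateway(req: SyncRequest) -> str:
    """Hardened design: the decision comes only from server-held records.
    The client's claim is never consulted. Unknown devices get nothing;
    devices whose verified capabilities fall short of policy are capped at a
    low-exposure tier regardless of what tier they ask for."""
    record = ENROLLED_DEVICES.get(req.device_id)
    if record is None:
        return "denied"
    if POLICY_REQUIRED <= record["verified_capabilities"]:
        return req.wants
    return "mail_preview"  # capped: no full offline copy for this device


def audit_claim(req: SyncRequest) -> Optional[str]:
    """Detection hook: a compliance claim that contradicts the server's own
    record is worth logging, since that is exactly what a misreporting
    client produces. Returns a log line, or None when nothing is amiss."""
    record = ENROLLED_DEVICES.get(req.device_id)
    if record is None:
        return f"{req.device_id}: sync attempt from unenrolled device"
    capable = POLICY_REQUIRED <= record["verified_capabilities"]
    if req.claims_compliant and not capable:
        missing = sorted(POLICY_REQUIRED - record["verified_capabilities"])
        return f"{req.device_id}: claims compliance but lacks {missing}"
    return None


if __name__ == "__main__":
    # Constructed requests: a capable issued device, a personal device that
    # truthfully reports non-compliance, the same device claiming compliance
    # it cannot have, and a device the server has never enrolled.
    requests = [
        SyncRequest("dev-1001", True, "full_sync"),
        SyncRequest("dev-2002", False, "full_sync"),
        SyncRequest("dev-2002", True, "full_sync"),
        SyncRequest("dev-9999", True, "full_sync"),
    ]
    for r in requests:
        print(r.device_id, "naive:", naive_gateway(r),
              "| enforcing:", enforcing_gateway(r),
              "| audit:", audit_claim(r))
```

The design point is that enforcing_gateway never reads claims_compliant at all: the flag only feeds the audit log, where a claim that disagrees with the server's record becomes a detection signal rather than a key that opens the mailbox.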

    1. Re:You don't. by arivanov · · Score: 4, Informative

      That is the case anyway. At least to some extent.

      The problem is elsewhere. Admins, upon security advice, upload settings which make the device unusable. In that case, "reporting compliance" while it is not is, from the user's viewpoint, actually a useful feature.

      Example - I have a Nokia E71. I was seriously stupid at some point to configure my company Exchange server on it. As a result it started autolocking itself in 2 mins, requiring a security code. So far so good, however it autolocked and put the screensaver on in applications which _MUST_ run in the foreground - GPS navigation and the media player. It also autolocked itself when docked in a car cradle, etc.

      After a couple of near misses on the motorway trying to get myself from A-Z or trying to dig out the name of someone from contacts, I tried to turn it off. Guess what, settings uploaded via these APIs _CANNOT_ be turned off. Even if you wipe out the mail for Exchange application, disconnect, etc., the settings are either not allowed to be changed any more or come back after a change. In the end I had to factory reset the phone and reset the settings partially from backup to recover the phone to a usable state.

      Thankfully I do not have to read my company mail on my phone for a living. If I had to, I would have paid for one of those HTCs without giving it a second thought.

      Similarly, I am not surprised about Apple starting to take powers away from the security software (and the people who use it). Apple's key selling point is user experience. The way some corporate security people use these APIs sends the user experience into "Mordok, denier of information services" territory. Knowing Apple, they are guaranteed to do something about it, and in the land of "i" no one will hear the security people scream.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/

    2. Re:You don't. by Bert64 · · Score: 2

      The "standard" way of implementing security these days seems to be to try and restrict users as much as possible...
      The problem is that this doesn't work, for a number of reasons: the restrictions are onerous enough to hamper people's ability to do their work, which causes them to seek ways to bypass the restrictions, and the restrictions are often poorly implemented and therefore easy to bypass.

      Incidentally, if your company wants you to read mail when you're away from your desk they should supply you with a handset from which to do it; the idea of using your own handset is ludicrous... That's your handset, with their data on it, but because it's your handset they lose control... They have no right to enforce policies on it, nor to wipe the handset...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!

    3. Re:You don't. by Rich0 · · Score: 2

      Yup. I could make a killing if I sold an Email app that spoofs whatever is most common in major corps but which silently ignores the security policies.

      If employers want to control the phone, they should issue the phone. If they issue it, then they can be sure that it supports whatever features they need. They can reclaim and reissue phones once a quarter to reimage them or whatever for extra security.

      The problem is that employers want employees to use their shiny toys to do work off-hours, without paying for them. However, they don't like the fact that they now lose control over the platform.

      Them's the breaks - the owner controls the phone.

    4. Re:You don't. by melstav · · Score: 2

      As was pointed out in the comment I originally replied to, if you allow your phone to interact with an Exchange server, you end up giving the Exchange admins the ability to do a LOT of things to your phone without your knowledge.

      Including, erasing everything saved on the phone.

      I am not willing to give up that level of control.

      If I'm on call, or if my employer wants to replace my desk phone with a cellular one to make it easier to reach me, or they want me to be able to read and respond to email from my phone, I'm perfectly happy carrying two phones.

      But if I'm on my own time and I'm not on call, the work phone goes on a shelf, and it may or may not get turned off in the process.

  3. Stop thinking of them as phones. by Kenja · · Score: 4, Insightful

    Treat them like any other computer.

    --
    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"

  4. What a Phenomenally Stupid Question by ewhac · · Score: 5, Insightful

    Let me get this straight: You've been acquiring personal computers, integrating them into your businesses, and installing on them software products so monumentally shitty that it beggars the imagination that anyone with even the slightest sense of pride would admit to writing them. What's more, you were told by people who actually know what the fsck they're talking about that the products were shitty, both at a superficial and fundamental level -- and you systematically ignored them, and kept throwing bad money after worse money, all the while complaining when your systems crashed, your data was corrupted, and your networks infiltrated...

    And you've been doing this for at least the last 30 years...

    And NOW you suddenly claim to give a shit about platform integrity?

    And I suppose the complete absence of any mention of WinCE or Windows Mobile in the article is sheerest coincidence.

    What selective, partisan crap.

    1. Re:What a Phenomenally Stupid Question by IchBinEinPenguin · · Score: 3, Insightful

      And I suppose the complete absence of any mention of WinCE or Windows Mobile in the article is sheerest coincidence.

      Windows was excluded because neither of the Windows users have reported any problems. Yet.

      P.S. Couldn't agree more.
      You reap what you sow.
      Keeping your eye firmly planted on next quarter's profit margin (and the resulting bonuses) will eventually bite you in the ass.

  5. End all computer problems! by Paco103 · · Score: 2

    Hackers, please stop lying to our computers and telling them you have permission to do things when you know you don't. There. . . . now nobody will get any more spam or viruses.

    I love when people say something "cannot be hacked". I also like the idea of security by requiring the client to tell the truth about what it is and what it can do. If everything would just tell the truth. . . we'd have better security. Sounds like the EA boss saying "To take the market back from Call of Duty, you just have to make a better game"

    How's this crap get published?

  6. Ignore stupid policies by Improv · · Score: 2

    If someone is setting up policies to make devices incompatible, they lose. End of story. Devices should be open, hacker-friendly, and free to lie. It's lies that form the foundation of virtualisation. It's lies that let us run OSs in VMs without permission. People who have a strong sense of policy do more to hold the platform back than advance it. More often than not, this is because of someone having the mistaken idea that information can be owned.

    --
    For every problem, there is at least one solution that is simple, neat, and wrong.

  7. Re:English_101 EPIC FAIL by Anonymous Coward · · Score: 2, Funny

    WTF is a Trojan Horse for Malware?

    Well, you see, you leave a gigantic wooden Clydesdale with a firewire port in the parking lot. Some fool is going to plug it in because they want to see what possible use firewire could have in a giant wooden horse. Once they do, you've got access to their systems.

  8. Do not trust your devices by Opportunist · · Score: 2

    "Trusted computing" my ass...

    There's nothing to be trusted about anything you did not make yourself. And even if you made something yourself, trusting it is a bit overconfident. Do not trust anything you own to be "secure". It is not. It is as secure as the company that made it thinks is necessary.

    Now, you know how security conscious the average person is, right?

    Why do you think security would be high up on the priority scale of the company making it if it is no selling point AT ALL?

    Do not trust anything you did not audit. If you cannot audit it yourself, have someone you trust audit it. Yes, at some point in that chain you will have to trust someone, especially if you do not have the knowledge and experience to do such an audit yourself.

    But for $deity's sake, do NOT trust the maker of a device to be security conscious. They make a device with the bare minimum required to sell it. That means it will have all the features the customer will request. And as stated above, security is a feature that is rarely, if ever, requested!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  9. Re:Enforce choice of auditing by Opportunist · · Score: 2

    Cue customer of a new phone.

    "Ohhh shiny! I wanna use it, I wanna toy with it, I wanna see all the features and all the ... huh? What's an "auditor"? Ah, a list, uh... (thumbs through manual), whatever, this one looks spiffy. Now, where that feature I bought the phone for... huh? Search engine? Get off my back, dammit! I wanna toy with the billion megapixel cam! So, here, now let me... browser?"

    Tosses phone onto the counter.

    "Here's your crap back, gimme a phone that lets me do stuff!"

    And this is why we do not get that. Unfortunately.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  10. You got the wrong Partisans by IBitOBear · · Score: 4, Insightful

    If you RTFA you discover that the whole second half is boosterism for putting "Trusted Computing" modules inside cell phones. In that light the agnostic condensation of both "jailbroken iThingies" and "that unreliable open source Android thing" makes perfect sense.

    This article has nothing to do with Exchange boosterism etc.; it is back-door partisanship for trying to revive the Trusted Computing Hardware Module that the technical industry managed to ignore into oblivion.

    The article _is_ an attack on reason, but the goal isn't about Exchange etc.; it's about re-initializing the idea of corporate capture of your personal property and turning your device from a personal resource into a limited media consumption node. The media used this time isn't movies, it's "corporate email" etc.

    Disclaimer: I would _love_ TPM hardware if there were a law that required that _I_ get the _master_ _keys_ for my hardware when I buy it. This would, of course, allow me to lie to an exchange server if I so chose, and would do _nothing_ to prevent jailbreaks. Of course I would also have to demand that there was no "government key" etc. With those elements in place, a TPM would let my paranoia be soothed when I boot my gear.

    So anyway, bitching about how bad Exchange software is etc. falls into the hands of the author, who is trying to false-flag some emergency to spur on "trusted computing" on the "new platform battlefield".

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press

  11. Re:Just use a blackberry. Duh. by perlchild · · Score: 2

    They've been found to meet the specifications of those places. If you don't know those specifications it tells you little.

    The legal troubles BlackBerry has had mostly indicate the one you care about is Canada, as Canada's privacy laws were a problem with the UAE, India and a few other countries. The solution was always for those countries to get BlackBerry servers/datacenters that they could seize, since the ones in Canada were out of reach. If you truly don't trust Canada's privacy laws, that's your business. If you find a better country for laws dealing with that, please let us know; I'm sure a few people on Slashdot want to move there.