What To Do About Mobile Devices That Lie

GMGruman writes "InfoWorld has caught two Android devices that falsely report security compliance that the Android OS does not actually support, and Apple quietly has dropped its jailbreak-detection API from iOS 4. So how can IT and businesses that allow iPhones, iPads, and Androids trust that the new generation of mobile devices won't become Trojan horses for malware? There's no easy answer, but Galen Gruman explains what current technologies can do to help — and how Apple, Google, and others might increase the trustworthiness of their platforms in the future."

Nothing

[xnpu]

Do nothing. Didn't we read yesterday that the NSA assumes they're compromised. Sounds like a healthy way to operate - for everyone. While it may sound slightly paranoid and a "hassle", this is only true initially IMHO.

You don't.

[PhrostyMcByte]

So how can IT and businesses that allow iPhones, iPads, and Androids trust that the new generation of mobile devices won't become Trojan horses for malware?

You don't trust them. Just like you should be doing with desktops/laptops, don't setup services in a way that they allow a phone to ruin your data.

Re:You don't.

[arivanov]

That is the case anyway. At least to some extent.

The problem is elsewhere. Admins upon security advice upload settings which make the device unusable. In that case "reporting compliance" while it is not from the user viewpoint is actually a useful feature.

Example - I have a Nokia E71. I was seriously stupid at some point to configure my company exchange server on it. As a result it started autolocking itself in 2 mins requiring a security code. So far so good, however it autolocked and put screensaver on in applications which _MUST_ run in foreground - GPS navigation and the media player. It also autolocked itself when docked on a car craddle, etc.

After a couple of near misses on the motorway trying to get myself from A-Z or trying to dig out the name someone from contacts I tried to turn it off. Guess what, settings uploaded via these APIs _CANNOT_ be turned off. Even if you wipe out the mail for exchange application, disconnect, etc the settings are either not allowed to be changed any more or come back after a change. At the end I had to factory reset the phone and reset the settings partially from backup to recover the phone to a useable state.

Thankfully I do not have to read my company mail on my phone for a living. If I had to, I would have paid for one of those HTCs without giving it a second thought.

Similarly, I am not surprised about Apple starting to take away powers away from the security software (and the people who use it). Apple's key selling point is user experience. The way some corporate security people use these APIs sends the user experience into "Mordok, denier of information services" territory. Knowing Apple, they are guaranteed to do something about it and in the land of "i" noone will hear the security people scream.

Stop thinking of them as phones.

[Kenja]

Treat them like any other computer.

What a Phenomenally Stupid Question

[ewhac]

Let me get this straight: You've been acquiring personal computers, integrating them into your businesses, and installing on them software products so monumentally shitty that it beggars the imagination that anyone with even the slightest sense of pride would admit to writing them. What's more, you were told by people who actually know what the fsck they're talking about that the products were shitty, both at a superficial and fundamental level -- and you systematically ignored them, and kept throwing bad money after worse money, all the while complaining when your systems crashed, your data was corrupted, and your networks infiltrated...

And you've been doing this for at least the last 30 years...

And NOW you suddenly claim to give a shit about platform integrity?

And I suppose the complete absence of any mention of WinCE or Windows Mobile in the article is sheerest coincidence.

What selective, partisan crap.

You got the wrong Partisans

[IBitOBear]

If you RTFA you discover that the whole second half is boosterism for putting "Trusted Computing" modules inside cell phones. In that light the agnostic condensation of both "jailbroken iThingies" and "that unreliable open source Android thing" makes perfect sense.

This article has nothing to do with exchange boosterism etc, it is back-door partisanship for trying to revive the Trusted Computing Hardware Module that the technical industry managed to ignore into oblivion.

The article _is_ an attack on reason, but the goal isn't about Exchange etc, its about re-initializing the idea of corporate capture of your personal property and turning your device from a personal resource to a limited media consumption node. The media used this time isn't movies, its "corporate email" etc.

Disclaimer: I would _love_ TPM hardware if there were a law that required that _I_ get the _master_ _keys_ for my hardware when I buy it. This would, of course, allow me to lie to an exchange server if I so chose, and would do _nothing_ to prevent jailbreaks. Of course I would also have to demand that there was no "government key" etc. With those elements in place, a TPM would let my paranoia be soothed when I boot my gear.

So anyway, bitching about how bad exchange software is etc, falls into the hands of the author who is trying to false-flag some emergency to spur on "trusted computing" on the "new platform battlefield".