Securing Android For the Enterprise

Orome1 writes "While many companies use IPsec for secure remote access to their networks, no integrated IPsec VPN client is available on Android. Apple has already fixed this shortcoming in iOS, in part, because it wanted make the iPhone attractive for businesses. The Android operating system doesn't just lack an integrated IPsec VPN client, it also makes installing and configuring third-party VPN software quite complicated. IPsec VPN clients have to be integrated into the kernel of each device, and the client software has to be installed specifically for a memory area. This means that the firmware of each Android smartphone or tablet has to be modified accordingly. Until a 'real' IPsec VPN client is available, Android users can use their devices' integrated VPN clients based on PPTP or L2TP, which is deployed over IPsec. A 'real' IPsec VPN connection, however, is more secure because it encrypts data prior to authentication."

OpenSSH

[1s44c]

Use OpenSSH. You can tunnel TCP over SSH, it works very nicely on iphones and nokia n900's. I've not tested it on android but It should work.

The very last thing anyone should be doing is bridging their networks to a mobile phone.

Re:OpenSSH

[Karma's+A+Bitch]

Hi, new poster here but have been lurking for about a decade -- but as fucked up as IPSec is, there are some important benefits:

* IPSec tunnels your traffic over an unreliable datagram protocol (either IP protocol ESP or over some UDP port -- I forget the number). This avoids the performance problems of running a reliable protocol (TCP) over another reliable protocol (TCP). Some time since I looked at this, but IIRC, retransmits in the upper protocol kill you. Probably not too bit a problem if you aren't running significant traffic.

* IPSec is processed in kernel mode which improves processing performance. This isn't as important on the client which is only handling one tunnel as it is on the gateway which is handling many connections and where the CPU load could be important. Disadvantage is that a bug in IPSec is a bug in kernelspace.

* Of course anyone doing something like this should terminate the IPSec connection on a network outside their LAN and should also consider blocking comms between indials.

Just wish whoever designed IPSec had done a proper job.

Re:It's not just about the VPN aspect

[afidel]

There are MDM's that provide those capabilities, heck just hook most Android phones up to any ActiveSync compatible server or service and you get basic remote wipe. If it weren't for the fact that we provide Citrix for remote access the limitations on getting most Android devices working with ASA would have been a serious redmark against adoption, but as it stands the huge number of usability problems we ran into trumped everything else. Android is great as a geek OS, and fairly good for a consumer OS (my wife likes her Optimus V just fine), but the persistent issues like WiFi clients that randomly failed to work or the email clients that just stopped receiving email from the Exchange server and required a device wipe and resync to reestablish communications to the weird certificate errors we would get all made it so we were not going to foist it as a platform on our users. We offered them iOS or Blackberry and 2/3rds chose to stay on Blackberry for the superior core email capabilities. Personally I'm still on my Android test device because for me the small nagging flaws are outweighed by a physical keyboard (big plus over an iphone) and huge selection of applications and a decent browser (big win over Blackberry).

Re:It's not just about the VPN aspect

[BulletMagnet]

Android needs some sort of remote wipe software to make it even remotely feasible for most businesses. For example, the government requires remote wipe, and some sort of encryption. Until Android has a solution for these two, the VPN-less capability is moot.

Like this?

Re:It's not just about the VPN aspect

Remote wipe has apparently been supported via activesync since android 2.2

Re:Not surprised

You're actually more misinformed now. Android does in fact have IPsec capabilities, as well as PPTP and L2TP. Its had this for a while. I don't know why no one's not mentioned that the article is just plain wrong.

It does lack OpenVPN, though, which has been a bit of a thorn in my side - software exists to add this functionality, but so far they all require root privileges, as far as I know.

Cisco IPSec VPN now supported in Android 4.0 (ICS)

[daern]

"Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which cause it to reboot as soon as you pass data over a VPN, connected via 3G...wifi works fine.

I'm running an AOSP (kang) 4.0.3 here and this has now been fixed. I believe the official 4.0.3 is just around the corner, so yey! This has been my top #1 feature request since Android day 1 and I bought the GN specifically because of it. Yey Glooge!

Daern

I must be from another dimension

I am doing IPSec on my stock ICS phone right now.

Re:Not surprised

[aXis100]

I thought the same thing, I've been using the integrated L2TP client on my android phone, and it's only Froyo.

Re:Not the problem

[thegarbz]

It's not standard as part of Android (or at least it wasn't in 2.0 - 2.3), there is however the option on the AOSP port of ICS (4.0.3) to do full device encryption, so that may be a standard feature now.

That said there are many phones who have supported this for a long time, but the feature was added by the vendor and not a default function of Android itself.

Re:Stupid article is stupid

[thegarbz]

Stupid article is stupid because the *current* version of Android actually has full native IPSec support. I wish this is just a case of Slashdot being late to post, but TFA is dated Jan 3rd 2012 so it must just be a blogger who's not up with the times.

Already there

[Namarrgon]

Exchange-based remote wipe support was added in Android 2.2. Encrypted storage and password policies were added in Android 3.0. Full-device encryption was added in Android 4.0, along with an API for third-party VPN solutions, and IPsec support for the built-in VPN client.

Re:Cisco IPSec VPN now supported in Android 4.0 (I

[daern]

""Proper" Cisco VPN support (i.e. with group usernames and passwords) was added in 4.0 (Ice-Cream Sandwich) and works very well indeed. Be aware that there appears to be a bug in 4.0.1 and 4.0.2 on the GSM Galaxy Nexus which cause it to reboot as soon as you pass data over a VPN, connected via 3G...wifi works fine."

You say "works very well." I don't think it means what you think it means.

To clarify: It works very well indeed, but in 4.0.1 and 4.0.2 it only works with WiFi. Apparently, the 4.0.2 LTE version works fine on both WiFi and cellular connections.

In 4.0.3 it works very well on both WiFi and 3G and is a monumentally excellent feature to be added :-)

Re:It's not just about the VPN aspect

[Weezul]

Android has by-far the best cryptography suite amongst all phone/tablet OSs, well unless your running vanilla Linux on a tablet.

VPN Client API

[robmv]

This is false, since Android 4.0 there is an API to add new VPN clients without need to build kernel modules

Enhancements for Enterprise

VPN client API

Developers can now build or extend their own VPN solutions on the platform using a new VPN API and underlying secure credential storage. With user permission, applications can configure addresses and routing rules, process outgoing and incoming packets, and establish secure tunnels to a remote server. Enterprises can also take advantage of a standard VPNclientbuilt into the platform that provides access to L2TP and IPSec protocols.

Re:Stupid article is stupid

[csnydermvpsoft]

I'm running Gingerbread and have a VPN option with PPTP, L2TP, & OpenVPN. Could be a CyanogenMod feature but I don't think so.

OpenVPN is a Cyanogenmod addition: [source]