Ask Slashdot: Equipping a Company With Secure Android Phones?
An anonymous reader writes "I'm in charge of getting some phones for my company to give to our mobile reps. Security is a major consideration for us, so I'm looking for the most secure off-the-shelf solution for this. I'd like to encrypt all data on the phone and use encryption for texting and phone calls. There are a number of apps in the android market that claim to do this, but how can I trust them? For example, I tested one, but it requires a lot of permissions such as internet access; how do I know it is not actually some kind of backdoor? I know that Boeing is producing a secure phone, which is no doubt good — but probably too expensive for us. I was thinking of maybe installing Cyanogenmod onto something, using a permissions management app to try and lock down some backdoors and searching out a trustworthy text and phone encryption app. Any good ideas out there?"
It's a crappy phone for the most part, but the Motorola Droid Pro encrypts both internal storage and the SD card if you choose to. You need support built into the phone for whole disk encryption. Apps can't do that. Making transported data encrypted is a separate thing though.
And BlackBerry Messenger is too.
It's the only way you can get someone you "trust"; if the price is too high, then your security is degraded.
I'd like to know how to configure a kludge of shit (using all FOSS, of course) for my enterprise environment. I want everything under the sun plus the kitchen sink.
Also, I'm going to be paranoid and reject anything you propose. After all, I can't be sure that anything I buy doesn't have a backdoor that the government or extra terrestrials could use to snoop on the uber secrets at my company.
We have one in works. Email to me df.inbox at gmail.com for details.
I would recommend developing your own system. If you are dealing with highly sensitive information, you want to make sure that it is fully secure. There are plenty of independent security contractors out there to develop something for you if you do not have the skill set to make it yourself within your company. Custom ROM, kernel, and various modifications to it should do it for you.
Yes, use an iPhone ! Let the flames begin...
Why Android? Is there an app you need or something? Or is it the latest bling thing?
Because Blackberry does the encrypted thing, and if you buy BES you can also set device policies and centrally administer the devices (remote wipe for example).
Timothy, You should take a look at Good for Enterprise www.good.com Best, jmarka
While trolling around my Galaxy Nexus I found the ability to encrypt it (not using it though). At the least that should protect data on the phone, surely you can find more details about that feature on the intertubes.
Calls are already "secure" to a point but if you need even more security then perhaps Skype?
text ... I'll leave that to others
If you can't be good, be good at it!
My brief foray with Android showed me that pretty much every app wants access to everything on the phone, including phone-home capability.
You basically described the RIM/Blackberry use case; why not use them? The Bold 9900 is actually a nice phone.
K Man
Get a Nexus phone or a contract with a vendor that guarantees security updates. Have a VPN. Pay for Google Apps (remote wipe, forced password policies, forced full disk encryption, all from a nice easy console). Even then, these are consumer phones. The manufacturers aren't targeting you.
Also remove SMS and use some other communications tools such as Google Talk. There are secure SMS tools for android but the second one of your idiot employees installs the latest zynga game all of the text messages are able to be captured by that program.
--Sparksis.
Unfortunately I am of the opinion that Android is NOT the platform for this (I use Android for my personal phone). It doesn't support it and as you see you need to use third-party applications to even make it work. Even if you could trust those third-parties, now how do you push updates to your reps? The answer is you don't. There are just too many hoops to jump through for a business where security is a "major consideration." I'd recommend Blackberry but it seems RIM could be going under any day. iOS is probably a better choice because it supports FDE out of the box. Though, in all honesty, if security is a major consideration, the real answer is that your reps should ONLY be using feature phones rather than smartphones.
Security is a major consideration for us, so I'm looking for the most secure off-the-shelf solution for this.
These are contradictory requirements. If it's off-the-shelf it's not secure. You can't know that the chip factory isn't compromised, unless you inspect it.
The problem is you can't afford security. This is not a problem that has a solution. You need to just accept failure.
... Blackberry. Aside from encrypting phone calls themselves, everything you're asking to do is something even a basic Curve will do out of the box - encrypting the phone storage and SD card, requiring a password to install apps. And that's without using any enterprise tools to manage the devices and security policies across the board, remotely.
Android 4.0 has full device encryption.
Get a Nexus. However, nothing is secure once someone has their hands on it (insert obligatory XKCD encryption link.) At least F-Secure Mobile Security reduces the attack surface before it's stolen and allows you to remote-wipe after it has been stolen. I don't work for F-Secure BTW!
Pretty much sounds like you need a blackberry. Only they offer what you describe.
Trouble is, blackberry phones are crap, BES is crap, the blackberry network is crap, and the blackberry company (RIM) is circling the drain.
Turns out the infrastructure you need for your idea of a "secure" phone is more trouble than it's worth. Most companies have come to the realization that security is in fact a social and policy issue and much less a technological one. Just get good quality bog standard smart phones and create a policy that minimizes risk.
That said, iphones are officially supported activesync devices and will respect activesync security policies set by an exchange server. You can remote wipe them. (Funny thing - Winphone7's activesync support is provisional and not recommended for an enterprise environment - Microsoft's words!)
There's nothing you can do to a phone that a savvy user can't also do (or undo).
And if you are a phone manufacturer, (A) it's easy to more-or-less do what you're saying, and (B) there will still be people who can find work-arounds to break out of the lockdown.
The only reason I mention this is that Android has an energetic modding community, in spite of platform security built into some of these. (Locked bootloaders, S-ON partitions, etc.)
Just using your "for example" as an example... if you can flash Cyanogenmod onto the phone, your users can flash a completely different ROM and defeat a lot of the things you want to do. The tools you would use are available to anyone, and if you try to deny your users root (for instance), there are plenty of root exploits available to break that jail.
In general, I think smartphones are too much general-purpose computers to really secure in the static way you're thinking about.
As to the (perhaps more weighty) matters like all-storage encryption, I have never seen a good answer. Anything you could install as an app would probably be too shallow (i.e., not effective before booting). In fact, I don't know if the standard Android Linux kernels are amenable to that; you'd need a custom bootloader or 2nd stage, and I haven't seen those specifically tailored for storage decryption.
I dunno. Sounds like you have a challenge ahead of you.
Welcome to the Panopticon. Used to be a prison, now it's your home.
I know that Boeing is producing a secure phone, which is no doubt good — but probably too expensive for us
If a secure, off the shelf phone is too expensive for you, you probably don't have the resources to build a secure phone yourself. Even the experts have trouble getting security right, an amateur will unknowingly leave big gaping holes.
That said, Android ICS will do full filesystem encryption, make sure you use a secure passphrase and not a 4 digit PIN. Use SSL to talk to your email server to keep that traffic from being snooped. Don't use SMS's.
Do you really need to encrypt your phone calls? Stick with a CDMA provider (supposedly it's trivial to hack GSM, but I believe CDMA is still relatively safe) and your calls are safe from all but the most determined (and well funded) eavesdropper. Unless you're worried about the US Government doing the eavesdropping, they'll just tap the call on the Telco side, so you need end-to-end encryption to protect against that.
Skype reportedly encrypts skype-to-skype calls.
But really, unless you're doing top-secret government work, your phone is the least of your worries. If the information is valuable, it's much easier to pay an employee to leak it than to steal your phone and hope to find the data stored on the phone. And if you are doing top-secret government work, a home-brew solution isn't going to meet the federal standards you'll be required to meet.
Get BlackBerry. Android is the wrong choice for your requirements.
My company just released Raptcha which converts messages into captcha images to be sent via mms, email or however, thus bypassing keyword filters and traps.
http://www.google.com/m?hl=en&gl=us&client=ms-android-huawei&source=android-browser-type&q=google+play+raptcha
Just a question, but why Android?
If you indeed NEED the security (I do for work, which is why I have a BlackBerry) why not just go the tried and true route of BlackBerry? Security is built in, everything except SMS (to my knowledge) can be encrypted, and you don't have to worry about updates from a 3rd party firmware (CM) breaking your apps or security model.
Other things I LOVE about my BlackBerry...
This is a sincere question. I carry two devices (BB 9900 for work, and a CM9 rom'd SGS2 for my personal phone) and I personally cannot stand the exchange email client on Android, it just seems slow and clunky, and CM9 helped a little bit, but not much. Use the right tool for the job, instead of trying to shoehorn a tool into the job you want it to do.
I wish I was a neutron bomb, for once I could go off...
I'm using a Samsung Galaxy Note and noticed that it offers hardware encryption AND a "Samsung Enterprise Mobility" service. So, there's definitely a company offering encryption out there.
I would also say Blackberry, others have covered that angle well though...
But why are you not considering an iPhone? Storage on the device is hardware encrypted, and can be wiped remotely. You cannot have people using un-secured SD cards with it.
There's nothing you can do to secure SMS since that's a carrier level thing, but you can use any number of secured messaging applications.
But really the biggest red flag I see is - you claim to be worried about security but then are trying to base a solution on the single most vulnerable platform for malware attacks. How can you responsibly suggest that for enterprise use?
I would also recommend WP7 but I just don't know enough about the features it offers to be sure about securing the device.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Citrix CloudGateway: Access your apps(windows apps, web/saas apps, native mobile apps) and data, from any device, always secured using Citrix. It also has MAM - Mobile Application Management - built into it! Check it out at: www.citrix.com/cloudgateway
Your spec could honestly be stronger.
What threats do you want to secure against? What scenarios do you want to avoid? Do you want to ensure against virus protection? Lost devices? (e.g. oh noes! our client list is on wikileaks!) Locking down data?
For bonus points, what are the top three things your "reps" need to do?
Just make calls? Or do texting? Or access web mail? Or...?
And how many "reps" are there today? How many will there be next year?
And what is your logistics model? Everybody at the same physical workplace? Distributed "virtual" office? Different countries? Different languages?
Does your phone need to integrate with any of your workflow software?
Try writing up five or six hundred words on the above to enhance your question - I'm sure you'll get some useful advice if you do that.
I have been using Codename Android on a Nexus S phone and deleting a ton of apps; kinda tricky but worth it. I could send you the package if you are interested; reply in a comment.
I'm surprised I'm the only one suggesting this: Android Management
Phone calls are already encrypted. Text messages stored on the phone will be encrypted if the phone's system storage is also encrypted. Data traffic can be encrypted by forcing the use of VPN back to the company's local network (and as such, web filtering, etc. also applied).
Reading through the posted answers I see BlackBerry popping up many times.
Why do I have a nagging suspicion that the 'anonymous reader' was hoping that would be the case?
This is the first question you need to answer, most likely the answer is the latter.
I haven't thought of anything clever to put here, but then again most of you haven't either.
There is a... um, little known company, don't know if you ever heard of it, called Research in Motion, that has been making security on their smartphones their main priority SINCE 1999.
I was thinking of maybe installing Cyanogenmod onto something, using a permissions management app to try and lock down some backdoors and searching out a trustworthy text and phone encryption app. Any good ideas out there?
Custom-rolled solutions like this are a bad idea, and from a practical standpoint will likely result in less security going forward. Do you just have too much free time on your hands?
This is a problem that's largely been solved.
#DeleteChrome
use encryption for texting and phone calls.
I can't recommend or not recommend but http://www.koolspan.com/ offers a product to do this. Otherwise Nokia has been doing it for 8 years though with Symbian not Android.
How do you know anything?
And just a heads up, your company and its information isn't nearly as important as you think it is and probably doesn't necessitate the need for any of this.
Whisper Systems is still in beta, but is free.
How about Enterproid's Divide app? It basically carves out an "Enterprise" section of an individual's phone. The space is encrypted and you can enforce Exchange mobile security policy. In function, when you log into the app it looks like a whole new Android launcher with secure apps for phone, calendar, email, SMS, etc. Give it a shot. J
The combination of Blackberry and BES is the correct choice if you want a secure enterprise solution. With a BES server you have complete control over the phones. Policies allow logging of everything that the phone does, including if you want all incoming and outgoing text messages, push and pull apps and calling restrictions.
The difference between consumer and enterprise BlackBerry is that the BES server has a secure key that you create and that is unknown to BlackBerry; BIS is controlled by BlackBerry and is snoopable by governments.
I've found that the battery life is better on a BlackBerry, but the browser isn't the greatest, though it has improved in the newest models. Another thing to keep in mind is that the battery is field swappable, so if the battery wears out, YOU can switch it out, or carry a spare.
Blackberry made the mistake of getting into consumer phones, but for enterprise situations, blackberry is the best way to go.
"Every security scheme that is based on secrets eventually fails." - Steve Jobs
You can choose from any number of Mobile Device Management solutions, most of which consist of keeping the business stuff in its own encrypted area separate from the personal stuff. These solutions are especially relevant in BYOD (bring your own device) situations, which are increasingly the norm as users either want to carry a single device or prefer their device to whatever the organization provides (typically BlackBerry). RIM's MDM solution, and others, have the ability to manage iOS, Android, BlackBerry OS and other mobile environments. You get features like remote wipe, jailbreak detection etc. At work, we are migrating away from BlackBerry to iOS (at least at first) and will likely include Android devices, as well as BYOD. It will mean a significant savings in support costs in the long run. If I can remember the name of the MDM solution we selected, I will post it here. Also, even if you don't like (or don't choose) Good's MDM solution, their website has a lot of good background information and white papers.
Install a script on the phone that configures the iptables firewall on the phone to block outgoing data except from OpenVPN (which you install on the phone and have autostart on boot). Block all incoming data except ESTABLISHED,RELATED.
Then allow the browser and any other apps you want to have access to the internet through the VPN. You might want to allow the browser access to the internet directly when the VPN is down (for example to log into a hotspot), but have the VPN startup script disable this!
For encryption you can use the dm-crypt facility available in the Linux kernel (this will require you to build your own kernel); for non-state secrets I think this is enough.
When the phone has been locked for more than, say, 5 minutes, the data partition should be unmounted. You may want to use a phone with a keyboard, as this makes entering long passwords simpler.
Remove the market (duh!)
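The firewall part of the scheme above, written out as an added example (this is not code from the post): a default-deny iptables policy on a rooted handset where the only egress paths are the OpenVPN handshake to the server and traffic already inside the tunnel, plus a removable captive-portal exception for the browser that the VPN's up-script takes away again. The VPN endpoint address and port, the tunnel interface name `tun0` and the browser's Android UID are constructed assumptions; set `DRY_RUN=1` to print the commands instead of executing them.

```shell
#!/bin/sh
# "VPN only" egress policy for a rooted Android handset (added example).
# Assumptions, all constructed: OpenVPN server at VPN_HOST (an IP so no DNS is
# needed before the tunnel is up) on UDP VPN_PORT, tunnel interface VPN_IF,
# browser app running as Android UID BROWSER_UID.

VPN_HOST=${VPN_HOST:-203.0.113.10}   # documentation range, placeholder
VPN_PORT=${VPN_PORT:-1194}
VPN_IF=${VPN_IF:-tun0}
BROWSER_UID=${BROWSER_UID:-10042}    # assumed UID of the browser package
DRY_RUN=${DRY_RUN:-0}

# Wrapper so the rule set can be reviewed before it is applied.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Baseline policy: drop everything by default, keep loopback open, let replies
# to our own connections back in, and allow exactly two ways out: the OpenVPN
# handshake to the server and anything that goes through the tunnel.
apply_rules() {
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -F FORWARD
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -p udp -d "$VPN_HOST" --dport "$VPN_PORT" -j ACCEPT
    ipt -A OUTPUT -o "$VPN_IF" -j ACCEPT
}

# Captive-portal exception: the browser UID may talk HTTP/HTTPS directly while
# the tunnel is down. Inserted at position 1 so it takes effect ahead of the
# baseline and can be deleted with an identical -D rule.
allow_direct_browser() {
    ipt -I OUTPUT 1 -m owner --uid-owner "$BROWSER_UID" -p tcp -m multiport --dports 80,443 -j ACCEPT
}

# Hook for OpenVPN's --up script: remove the direct path as soon as the tunnel
# exists, so nothing keeps leaking around the VPN.
vpn_up() {
    ipt -D OUTPUT -m owner --uid-owner "$BROWSER_UID" -p tcp -m multiport --dports 80,443 -j ACCEPT
}

case "${1:-}" in
    apply)  apply_rules ;;
    portal) allow_direct_browser ;;
    up)     vpn_up ;;
esac
```

Run `DRY_RUN=1 sh vpnfw.sh apply` first and read the printed rules; then `apply` at boot, `portal` only when a hotspot login is needed, and `up` from the OpenVPN up-script. Devices whose DHCP client does not use packet sockets will also need UDP 67/68 opened, and a hostname for the VPN server would need a DNS rule before the tunnel is up.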
You'll definitely want to investigate an MDM solution to help manage this deployment from a device/user management, security and incident response perspective. Having said that, I know Samsung (Samsung SAFE), Motorola, 3LM (middleware) and HTC (HTC Pro - not the same as HTC * Pro devices) all have proprietary MDM frameworks added onto Android in specific phones. These will let you control things like encryption a bit better than Android out of the box. I can't answer to encrypted text messages or phone calls though. Without coming off as a shill, I'd recommend investigating solutions from Good Technologies, AirWatch, and MaaS360. Those products meet different needs, but they all do what they do very well.
It's not a full solution, but in terms of texting, check out ProtectedSMS by these people: http://www.protectedmobility.com/ It's been FIPS 140-2 certified, which assumes you trust the certification agency, but it's a good start.
Your use case and focus on security really suggests that BlackBerry would be the best bet, but if you are focused on finding a way to securely deploy Android devices, but still maintain some security, take a look at the BlackBerry Universal Device Service product as an MDM solution:
Feature Checklist: http://ca.blackberry.com/content/dam/blackBerry/pdf/brochure/northAmerica/english/BlackBerryMobileFusion,UniversalDeviceServiceFeatureChecklist-1.pdf
Details: http://us.blackberry.com/business/software/mobilefusion/
Docs: http://docs.blackberry.com/en/admin/subcategories/?userType=2&category=Universal+Device+Service
BlackBerry Mobile Fusion Client for Android: https://play.google.com/store/apps/details?id=com.rim.mobilefusion.client&hl=en
You can deploy policies to enforce media card encryption, not sure about the call/SMS logs or encrypting the rest of the file system. That's probably something that would have to be baked into the OS - if you have to do it via a mod or rooting the device, you potentially open yourself up to more vulnerabilities.
The UDS product can detect if a device is jailbroken or rooted, and you can set rules to lock out access to internal resources. You can also do remote device lock/wipe, so that gets you halfway there.
Dear Anonymous.
I have developed the next version of our Android client-server VoIP system and next week I will deploy it. This system only works if the client owns the server.
The traffic will not pass through our servers and we will not be able to get even a byte of our clients' traffic. The client's traffic will flow between their devices and their own server.
Our server is a Java program; once deployed, you will be able to install it on your own server and we will not have access to it.
You will be able to rent or buy the server, and the way your clients reach your server is very simple: you can have a fixed IP (if you buy) or you can reach it using a DNS service like no-ip.org (if you rent or buy).
The whole system uses UDP and predefined ports, so you can set up a firewall to open only these ports for UDP access.
A good firewall for the client is DroidWall.
Please contact me if you want, and next week I will deploy this system for your evaluation.
Technical description.
Up to 20 users in conference (half duplex).
Point-to-point full duplex voice conversation.
Works on EDGE (better with half duplex).
Symmetric key encryption: AES-128 CBC
Key exchange: ECDH 256 bits
Authentication: voice authentication and HMAC in the server; the HMAC keys will be generated by you.
No backdoor, in the contract.
We can develop customized versions and can negotiate a possible source code delivery of our system.
Name: Cesar Bremer Pinheiro
email: cesar.bremer[at]secvoice[point]com[point]br
My site is not up to date with this new system; that will come next week (secvoice.com.br).
Next week I will deploy the Android client for evaluation; the system is finished and the English site is being built.
SAP recently bought Sybase, which made the Afaria platform. This will actually let you set policies across phone types (BB, Android, and iOS) such as device encryption, application restriction, remote wipe, etc. Cross-platform solutions like this are attempting to enable the "Bring Your Own Device" methodology to the workplace. Many of the posts above are very true, though, especially when it comes to Android flavors. It's been noted that the Samsung phones seem to have the most robust encryption, etc. Now the rub. This tends to be a very expensive solution, and therefore limited to larger Enterprises, so tread lightly and research it (as you should do with any MDM app) before jumping in. Linkage: http://www.sap.com/solutions/technology/enterprise-mobility/management-afaria.epx Not sure if this helps, but something to look at.
Virtually all the malware (and there is some drive by stuff happening) attacks people with rooted phones, so installing even a secure "ROM" is probably the worst thing you can do for security. By looking for software that has gone through the common criteria (assuming that still exists or another similar certification process) you will have some reassurances that it was designed in a secure manner. I would also look for something using other government standards, like FIPS 140-2.
The Motorola (Droid) Pro+ has a number of enterprise-level additions to it, focusing on security in a business environment, including encryption, remote wiping, and "dead zones" to disable features like the camera, etc. in certain areas. And it's got a QWERTY keypad (candybar design, not a slider). Check it out!
Without full disclosure on the OS, the source, and hardware you can't guarantee its secure.
I am guessing here, but it seems to me cell phones are designed from the ground up to be insecure.
"If any question why we died, Tell them because our fathers lied."
Buying into the "Walled garden == Security" philosophy doesn't cut it because you have no way to VERIFY things haven't been tampered with. You just "believe" they haven't been. Unless you jailbreak/root you can't be sure, because you have no access. That makes it just as untrustworthy as a TracFone you found in the gutter. You might as well just use Cyanogen, root it, get a sha1sum of everything on the device and have a way to track changes. Feeding Apple all your $$ while drinking all their "walled garden Kool-Aid" is just going to get the industry another monopoly.
Join the Slashcott! Feb 10 thru Feb 17!
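The "sha1sum everything and track changes" idea in the post above, worked out as an added example (not code from the poster): a sorted SHA-1 baseline of a file tree and a comparison that reports what was modified, added or removed since the baseline was taken. The tree is assumed to be already accessible as a directory (for example a `/system` image pulled from a rooted device and mounted on the admin's machine); the files in the demo are constructed. Paths containing spaces are not handled, since the sha1sum record format is split on whitespace.

```shell
#!/bin/sh
# Integrity baseline for a device file tree using sha1sum (added example).
# Assumption: the tree to audit is mounted or copied to a local directory.

# Portable SHA-1: coreutils sha1sum on Linux, shasum where that is missing.
hash_cmd() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$@"
    else
        shasum -a 1 "$@"
    fi
}

# Print "<sha1>  ./relative/path" for every regular file under $1, sorted by
# path with a fixed locale so two baselines of one tree compare byte for byte.
make_baseline() {
    (cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        hash_cmd "$f"
    done)
}

# Compare a saved baseline file ($1) against the tree at $2. One line per
# difference: MODIFIED (hash changed), ADDED (not in baseline), REMOVED (gone).
check_baseline() {
    base=$1
    dir=$2
    make_baseline "$dir" | awk -v basefile="$base" '
        FILENAME == basefile { old[$2] = $1; next }     # first input: baseline
        {
            if (!($2 in old))        print "ADDED    " $2
            else if (old[$2] != $1)  print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$base" - | LC_ALL=C sort
}

# Constructed demonstration: baseline a small tree, then simulate drift
# (one file altered, one unknown file added, one file deleted) and report it.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/app" "$work/tree/bin"
    printf 'dialer v1\n' > "$work/tree/app/dialer.apk"
    printf 'shell v1\n' > "$work/tree/bin/sh"
    make_baseline "$work/tree" > "$work/baseline.sha1"
    printf 'shell v2 (altered)\n' > "$work/tree/bin/sh"
    printf 'unknown\n' > "$work/tree/app/game.apk"
    rm "$work/tree/app/dialer.apk"
    check_baseline "$work/baseline.sha1" "$work/tree"
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

In use, `make_baseline /mnt/system > phone-123.sha1` is taken right after provisioning and kept off the device; later audits run `check_baseline phone-123.sha1 /mnt/system`. An empty report means the tree matches the baseline; the baseline itself only proves anything if it was stored somewhere the device cannot rewrite.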
Enterproid http://www.divide.com/ mobile device management is a service that costs $60/device/year and creates a secured, remotely wipeable sandbox on Android. They also submitted their app to the Apple store, so it should be appearing soon for iPhones.
FYI, they are working with Fixmo to be Common Access Card compliant for NSA standards...
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
I had the same task not long ago. Android is the right choice, even though Androids from AT&T have cruft and bloatware to the point that the phone is almost unusable without flashing and rooting. Verizon stock ROMs suck less than AT&T's, but not by much. A stock ICS ROM with a valid MD5 signature from either Google or the OEM is acceptable in my opinion.
After research and testing, this is the solution I proposed.
Unlocked International Galaxy S2 GT-i9100 Handsets.
http://www.amazon.com/Samsung-Galaxy-GT-I9100G-Unlocked-Touchscreen/dp/B0053HSZQG/ref=sr_1_1?ie=UTF8&qid=1338497771&sr=8-1
Use Samsung's Kies Utility to update the stock gingerbread 2.3.5 ROM to Ice Cream Sandwich (ICS) 4.0.3 - http://www.samsung.com/us/kies/ There are many 3rd party ICS ROMs to choose from, but how do you know you can trust any of them? Unless you check all the code yourself then compile it, you just can't be 100% sure. Especially in a corporate IT environment, when your reputation and/or job might be on the line. I could not be comfortable recommending any after market ROM unless it came directly from google, or Samsung.
Use Google to create, manage and enforce security policies (for free) - http://www.google.com/apps/mydevices - (we use google apps for our email, so this is a really good fit for us. Google contacts and email sync very fast, and reliably) - With this service you can enforce device encryption and strong user passwords plus other useful admin features.
Secure messaging is easy, use kik. - http://kik.com/ It's free to use, and has the ability to encrypt messages. It's cross platform, so you can use it on the Androids you will deploy, plus iOS devices, Nokia, Windows Phones, and even some Blackberrys.
I hope that this information helps you, message me directly if you have any questions. @DishManDan
Hey,
I see some hesitation about how to get the job done; first things first:
Simply begin by reading the (very brief) paper "Reflections on Trusting Trust",
written by no less than one of the two original authors of the Unix environment.
Enlightenment will just come, trust me!
After that, you'll know what security is about. And that's THE ONLY THING security is about.
Maybe get the company to treat its people well enough so that they are loyal to your company, and thus will cooperate with your security aspirations? Then trust but verify: occasionally probe the phones to verify what's installed.
Nah. Makes too much sense.
Come on, where are the geeks in here!!
NSA's SELinux has been ported to Android as SE Android, offering all of the compartmentalization and strong Type Enforcement under development for the last half decade or more. Add to that Gibberbot, which offers Off the Record Messaging (OTR) with an optional Tor client, and you're in pretty good shape. Also Whisper offers call encryption. Anyone who suggests Skype needs to stop talking. The Chinese publicly announced that they cracked Skype's voice encryption capability a very long time ago.
Start with Gibberbot OTR and Whisper today, and start looking at rolling your own Android 4.x with SEAndroid.
Ask OK Labs. They've been doing mobile virtualization and security for years. Their main kernel is in around a billion phones. They have partnerships with Sirrix and Fixmo, along with their SecureIT platform. They should at least be able to give you a good recommendation.
INTEGRITY Global Security lists a mobile solution on their website. They use the top-notch INTEGRITY and INTEGRITY-178B RTOSes in their solutions. Maybe ask them too.
Nick P
schneier.com blog
I work for HP, and we have over 150,000 android devices...they ALL are encrypted and secured against installing non approved apps. All it takes is a little knowledge and some money, how much of either is debatable.
I really hope the submitter reads this, I actually know how to set this up (I have done it myself).
First off, ICS 4.0 has native encryption; for Gingerbread you can recompile the kernel to support encryption (using the LUKS project, which uses Linux dm-crypt).
http://www.appbrain.com/app/luks-manager/com.nemesis2.luksmanager
This is under the guardian project for android: https://guardianproject.info
Also, there is SELinux for android hosted here: http://selinuxproject.org/page/SEAndroid
If you are interested in more, post a reply with your email (or other communication medium). (I suppose I'm just paranoid myself, but I actually know a fair bit about cell phone security).
One thing I don't understand about Android is why in ICS I can choose to encrypt the entire device -- great, woo hoo -- but there doesn't seem to be a way to encrypt the SD card (other than 3rd party which is pointless). Anyone with any insight on why this is the case?
There isn't much real security provided by closed source encryption products. If they've no intentional backdoors, you still face the company concealing their mistakes to save face, which costs you security.
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
http://www.rohde-schwarz.us/en/products/secure_communications/voice_and_data_encryption/TopSec_Mobile.html
This device uses your phone as a modem for real-time voice. It doesn't matter what you do to secure the phone. If you can own the baseband you can own the phone. You can own the baseband. https://www.youtube.com/watch?v=rr2u1lrqDsI
Take a look at secvoice; these guys from Brazil have a strong Android system for voice encryption. The site is outdated, but they answer email requests and have a demonstration version.
These guys from Brazil have a strong voice encryption system for Android; the site is outdated, but they answer emails and have a demonstration version.
Requires Google Apps though:
http://support.google.com/mobile/bin/answer.py?hl=en&answer=190930&topic=2365092&ctx=topic
If you stop someone in the street and ask 'How do I get to the post office', would you be happy with the following answers?
1) "Nah, you don't want to go to the post office, it's UPS you want. To get to UPS you should go..."
2) "It's 11am? What sort of idiot goes to the post office at 11am? The queues will be terrible, you should just go home."
3) "There are many ways to go to the post office, I can't tell you which if you don't give me the exact criteria by which you can judge the best route. Is it fastest? Shortest? Most scenic? Safest? Does it need to be wheelchair friendly?"
4) "You should just use email! You fool!"
No? Then don't ask Slashdot...
Reading posts you can generally tell what product each poster owns. Point for point the Blackberries match up with the requirements. Despite personal biases they have the goods and plenty of market experience doing so.
Put another way, you're asking for a bread slicer. Instead of buying the industry standard machine that slices bread, you have all sorts of proposals for trying to make ninja swords do the job instead. Hey, the sword will be a lot more flashy. At the end of the day, for security and business focus the only real bread slicer available is the BlackBerry. This has been their focus from day one. Not entertainment, not the latest greatest games, plain simple secure business apps. Ask the majority of law firms, accounting firms, security firms, police forces, military and government users. Alas, they are not using Android or i-ninja-swords to slice the bread. Plain simple no-nonsense BES and BlackBerries.
http://www.whispersys.com/
This may or may not be what you're looking for... not all of their offerings appear to be open source.
Both you and the poster above are kinda screwy in terms of thinking.
First of all... while implementing security code in VHDL or Verilog is possible and has been done, the CPU is just not a big risk in this case. You can use a CPU from a company you're sure is fishy and so long as the software above it is written properly, it should make no difference. It's not really even a matter of cost. Encryption is a software feature... security in general is software oriented. In a system such as Android where the processor itself doesn't even run the executable code but instead runs code JITed for the processor, it's even less relevant. I can write 10 pages on this to prove my point, but it's a waste of time.
On the other hand, there's nothing that says that a second microcontroller couldn't be hidden in the phone which runs a second network session in the background. Still, there is too much dependence on software and things like keys and such that would make it impossible for this to be an issue if the software is written properly.
It would just be stupid to waste time developing a malicious CPU if you can just install what you want on the phone itself as software.
The new BB based on QNX is not tested for security yet. Yes... they did internal testing and all that, and QNX has a history of being secure for the most part, but with several million new lines of code to compose the full rewrite of BlackBerry's software, there's no possible way they could have tested that phone for any reasonable level of security in that time.
Also please keep in mind that QNX develops their own TCP/IP stack, which I personally have used for about 20 years. And after having access to the OS source (and having worked closely with QNX on software projects for years) I don't feel confident that their stack is as secure as they say it is. Remember that QNX is one of the hardest operating systems on the planet to perform system level debugging on. This makes it very hard to properly audit the stack. It is however a user-mode stack, which means there's less chance of kernel level "rootkits".
Also, the phone is based on Java, which is not very hard to hack... a simple "friendly" app can easily replace the Java class loader and pretty much run key loggers and such without a problem.
The only thing which appears to make BB secure is their advertising. They tell us all how secure they are and we feel secure with them. Without a proper code audit, I wouldn't ever consider them secure.
Pre-QNX BB was pretty secure... but with the whole rewrite, there is absolutely no possible way a device with that much code changed and that little use so far can be secure. I justify it above.
Run a locked down, virtualized handset image on whatever phone you select. You can homebrew this image based on virtually any Cyanogenmod ROM with whatever VPN client, remote wipe, mail clients, security policies, etc. that you need. Elegant, beautiful segregation of the personal vs private phone issues that invariably arise with enterprise phones - and no attendant warranty issues rooting and ROMing the hardware.
Here's a demo of it in action:
http://www.engadget.com/2011/02/15/vmware-android-handset-virtualization-hands-on/
He might end up with Blackberry based on QNX which is not the secure BlackBerry which the NSA and those guys cleared for Bama.
BlackBerry on QNX is a thoroughly untested system based on a nearly full rewrite of the operating system, which we all know suffered from severe rush-to-market syndrome. Meaning that there is no possible way a product which is almost certainly a million lines of code or more has been thoroughly tested for security. I mention in previous comments that QNX runs an in-house TCP/IP stack which almost certainly is exploitable. It runs in a separate process from the kernel, but it's still not the IP stack used by millions and tested by every security lab on earth. The way you know for sure that it's got holes in it is that no one has reported holes in it. What this means is, no one has put it to the test yet. Or we could be expected to simply believe that QNX wrote every line of code perfectly and they never had a bug... ever.
I've worked with QNX (with them directly on a project with many many developers on their side as well as mine) and learned that QNX, just like other companies, is not perfect. The only reason why they're secure is that we don't know what the holes are yet.
Let's not forget the Java platform which really does make it wonderfully hackable. Java provides so many possible ways to install rootkits and trojans that unless they found a way to run each app in a separate process, it's hopeless.
So... if people want to steer the reader well... they should recommend the old Blackberry stuff... it'll be years before we can consider this to be secure.
I am a system level developer who has implemented encryption technologies used in top-secret environments. Also I have worked on mobile device development at a system level for many years. I can't detail my credentials, but for as much as anyone else on Slashdot can be considered reliable, ... well you take it from there.
... and often did.
1) So far as I know, the only "smart phone" OS which has been "properly audited" was the specific versions of BlackBerry OS which are used by Obama. This does not include all versions of BlackBerry OS... only the versions which have been specifically audited and approved for use on his phone. This does not mean that the OS is secure; the NSA audit on the code was performed too quickly for my tastes. It just means that the majority of "obvious holes" are not present. This completely rules out the newer QNX based OS for BlackBerry since there is absolutely no possible way that much code could be properly audited in the time which it has been available. On top of that, code audits are only a small part of what you need to do to secure a few million lines of code which is heavily communication oriented. Of course, running a simple security auditor on the OS helps as well, but I wouldn't bank on that either. An OS needs years of testing at a single revision before it can be truly solid.
2) Android may or may not be secure. It's extremely unlikely. If however you want Android and can't live without it, make sure to use only OS images which are hash check verified (MD5, SHA...) from Google directly. If the phone can't run the stock OS, DON'T USE IT! The reason for this is that the OEMs often update and modify code before putting it on the phones. They are feature oriented, not security oriented. Google Nexus would be a decent choice for this.
3) Don't even consider Windows, Symbian or iOS based phones. iOS is the safest of those three, but lacks pretty much all the features you're interested in. So far as I know, Apple doesn't even care about a "trusted platform" as the cost of maintaining a trusted platform is WAY TOO HIGH and would never yield the profits Apple demands from products. Windows and Symbian just aren't about trusted in the first place, and the serious shortcomings in the Symbian "development process" make it far too susceptible to being hacked. Without decent development tools and kernel level debugging (which Symbian simply lacks for the most part) it's not possible to harden an OS. Also, since Symbian never made use of things like "test driven development", any change in one place could wreck 100 things elsewhere.
4) Never EVER allow users to install apps... ESPECIALLY ON A JAVA PHONE, meaning BlackBerry or Android. This is because Java is insanely easy to hack. Yes, I know Oracle and Sun say otherwise... but I recall Yugo also calling their cars safe. Voluntarily installing an app which replaces the class loader on the system is enough to hack the entire thing. There are hundreds of other ways to hack Java which are obvious to me and others that can be exploited with a simple malicious chunk of code in an app. Also, since Java based platforms don't generally allow sandboxing, the apps all kind of have access to override system resources and interfere with each other.
While I personally despise Blackberry having tried it a few times and felt like I was using junk, if you must have these features, you should use their hardened and audited system.
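Point 2 in the post above advises flashing only OS images whose hashes have been checked against the ones Google publishes. The following is an added example of how that check is usually scripted, not code from the thread or from Google: it reads a `<hexdigest>  <filename>` manifest of the kind `sha256sum` produces, hashes each image in chunks, and reports per file whether it is intact, tampered, or absent. The file names, contents and digests in `demo()` are constructed for the demonstration, and the manifest is assumed to have been obtained over a trusted channel (the whole check is only as good as the source of the expected digests).

```python
"""Verify downloaded OS/firmware images against a published digest manifest.

Added example (not from the Slashdot thread). Manifest format assumed:
one "<hexdigest>  <filename>" line per image, as written by sha256sum.
"""
import hashlib
import hmac
import os
import tempfile


def parse_manifest(text):
    """Parse '<hexdigest>  <filename>' lines into {filename: hexdigest}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts
        # sha256sum marks binary-mode entries with a leading '*'
        entries[name.lstrip("*")] = digest.lower()
    return entries


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so multi-GB images need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_images(manifest_text, directory, algorithm="sha256"):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = file_digest(path, algorithm)
        # constant-time comparison; both sides are ASCII hex strings
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


def demo():
    """Constructed scenario: one intact image, one altered image, one absent."""
    good = b"stock-image-contents"          # stands in for a real image
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "stock.img"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "oem.img"), "wb") as f:
            f.write(good + b"\x00")          # one appended byte: altered image
        expected = hashlib.sha256(good).hexdigest()
        manifest = "\n".join([
            "# constructed manifest",
            f"{expected}  stock.img",
            f"{expected} *oem.img",
            f"{expected}  absent.img",
        ])
        return verify_images(manifest, d)


if __name__ == "__main__":
    print(demo())
```

The algorithm is a parameter so the same code works with whichever digest the vendor publishes; where both an MD5 and a SHA-2 digest are offered, prefer the SHA-2 one, since collisions in MD5 are practical and a mismatch in a SHA-256 digest is the signal that actually matters before flashing.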
https://github.com/Fuzion24/Permission-Control
Yes, use CyanogenMod, encrypt it & your SD card. I too would like to see pentest results from some of these communication-encryption apps.
Pick two.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Check it out
http://www.nsa.gov/ia/programs/mobility_program/index.shtml
http://fastest-android-phone.blogspot.com/2012/03/nsa-built-android-phone-for-secret.html
Worth watching what NSA is doing.
http://www.informationweek.com/news/government/mobile/232600238
The way the "common criteria" are defined, you need to be an accountant or a logician to figure out just what feature set they claim a high security on. I usually ask "would it meet B2?" If they can't answer, it won't (;-))
--dave (and yes, on good days I am a logician) c-b
B2, from the Orange Book, is an old military standard, approximately what SELinux meets. C means crappy, and there were a very few people who got an A.
davecb@spamcop.net