Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Equipping a Company With Secure Android Phones?

Posted by timothy on from the try-this-new-hal-9000-model dept.

An anonymous reader writes "I'm in charge of getting some phones for my company to give to our mobile reps. Security is a major consideration for us, so I'm looking for the most secure off-the-shelf solution for this. I'd like to encrypt all data on the phone and use encryption for texting and phone calls. There are a number of apps in the android market that claim to do this, but how can I trust them? For example, I tested one, but it requires a lot of permissions such as internet access; how do I know it is not actually some kind of backdoor? I know that Boeing is producing a secure phone, which is no doubt good — but probably too expensive for us. I was thinking of maybe installing Cyanogenmod onto something, using a permissions management app to try and lock down some backdoors and searching out a trustworthy text and phone encryption app. Any good ideas out there?"

15 of 229 comments (clear)

  1. Re:Cell phone calls are already encrypted by Anonymous Coward · · Score: 5, Informative

    And blackberry messenger is too.

    To clarify on the blackberry messenger encryption: It's encrypted by default with a global key (hardly useful) but pin to pin communications can be encrypted using an organizational key, if you subscribe to a S/MIME package.

  2. Blackberry? by twnth · · Score: 5, Informative

    Why android? is there an app you need or something? or is it a latest bling thing?

    Because Blackberry does the encrypted thing, and if you buy BES you can also set device policies and centrally administer the devices (remote wipe for example).

    1. Re:Blackberry? by b0bby · · Score: 4, Informative

      But if you're running BES (or the free Professional if you're small), everything is encrypted end to end with your own key. That's why they are so secure; 3rd parties don't have access to your data. In India & Saudi Arabia the government has put taps on the telco provided BES, but they still can't tap your private BES communications if your server is outside.

    2. Re:Blackberry? by narcc · · Score: 4, Informative

      Even cooler, with BlackBerry Balance, you can seamlessly separate work and personal use on the device. No worries about copying corporate data to personal accounts.

      Add to that the above-par remote management features and it's not even a choice -- there is only one enterprise-ready mobile platform.

      --
      Required reading for internet skeptics
  3. Good for Enterprise by jmarka · · Score: 2, Informative

    Timothy, You should take a look at Good for Enterprise www.good.com Best, jmarka

    1. Re:Good for Enterprise by Bogtha · · Score: 4, Informative

      One of my clients attempted to use Good for secure email on iOS last year. They were entirely unresponsive to even the slightest technical queries and their stuff was incompatible with other apps. Also, parent comment sounds like spam.

      --
      Bogtha Bogtha Bogtha
  4. Sounds like a job for... by a90Tj2P7 · · Score: 4, Informative

    ... Blackberry. Aside from encrypting phone calls themselves, everything you're asking to do is something even a basic Curve will do out of the box - encrypting the phone storage and SD card, requiring a password to install apps. And that's without using any enterprise tools to manage the devices and security policies across the board, remotely.

  5. Re:Apple by Anonymous Coward · · Score: 5, Informative

    As much as I absolutely HATE to say this, you're absolutely right.

    Blackberries suck, Android's security is left to the manufacturer (so it usually doesn't get done right), Windows Phone 7(.5) is still not ready for the Enterprise, Symbian is dead, so are Meego and Maemo...

    iPhones are locked down, have enterprise support tools, come encrypted by default. Unless you're willing to inflict Blackberries on your users, AND pay for the BES, AND pay the per-handset CAL, iPhones are your best bet.

  6. Weak spec: Secure from what while doing what? by Fubari · · Score: 5, Informative

    You spec could honestly be stronger.
    What threats do you want to secure against? What scenarios do you want to avoid? Do you want to ensure against virus protection? Lost devices? (e.g. oh noes! our client list is on wikileaks!) Locking down data?
    For bonus points, what are the top three things your "reps" need to do?
    Just make calls? Or do texting? Or access web mail? Or...?
    And how many "reps" are there today? How many will there be next year?
    And what is your logistics model? Everybody at the same physical workplace? Distributed "virtual" office? Different countries? Different languages?
    Does your phone need to integrate with any of your workflow software?

    Try writing up five or six hundred words on the above to enhance your question - I'm sure you'll get some useful advice if you do that.

  7. BB by Corson · · Score: 4, Informative

    There is a... um, little known company, don't know if you ever heard of it, called Research in Motion, that has been making security on their smartphones their main priority SINCE 1999.

  8. Re:Apple by Anonymous Coward · · Score: 2, Informative

    The cluelessness of your post is why I'm hoping you're not in a position to set hardware standards in the enterprise.

    I'll take the curated iOS "controlled" app store over the wild-west install-from-anywhere wild-west Android alternative any day.

    The reason(s) that the enterprise prefers iOS (or *gasp* RIM) over Android is precisely the reason the tech-saavy iHaters lambast them for.

    Until Android is able to completely lock down a phone and give the administrators full rights to manage what gets put on it, Android will always be the LAST choice - if any choice.

  9. Blackberry is the right choice by juniorkindergarten · · Score: 3, Informative

    The combination of Blackberry and BES is the correct choice if you want a secure enterprise solution. With a BES server you have complete control over the phones. Policies allow logging of everything that the phone does, including if you want all incoming and outgoing text messages, push and pull apps and calling restrictions.
    The difference between consumer and enterprise blackberry is that the BES server has a secure key that you create and is unknown to blackberry, bis is controlled by blackberry and is snoopable by governments.
    I've found that the battery life is better on a blackberry, but the browser isnt the greatest, but has improved in the newest models. Another thing to keep in mind is the battery is field swappable, so if the battery wears out, YOU can switch it out, or carry a spare.
    Blackberry made the mistake of getting into consumer phones, but for enterprise situations, blackberry is the best way to go.

    --
    "Every security scheme that is based on secrets eventually fails." - Steve Jobs
  10. Re:Apple by Anonymous Coward · · Score: 3, Informative

    Yes, I do.

    Do you have any clue about what I'm talking about? Apparently not.

    And yes, Encryption EXISTS, and is SUPPORTED, but is not always actually on. For that, it requires manufacturer support (I think this may have changed in ICS). And, a lot of phones you can buy right now come with... GINGERBREAD! Which can be encrypted, but it's solely left to the manufacturer.

  11. Re:Cell phone calls are already encrypted by Anonymous Coward · · Score: 2, Informative

    To clarify on the blackberry messenger encryption: It's encrypted by default with a global key (hardly useful) but pin to pin communications can be encrypted using an organizational key, if you subscribe to a S/MIME package.

    Not quite. Blackberry messenger by default does use a global key (and the key is known by many in the security community), but blackberry messenger is also encrypted with 3DES, which is a bit weak. With a million dollars of computers, 3DES can be brute-forced reasonably quickly.

    By comparison, blackberry email is encrypted with AES.

    If your company has a blackberry enterprise server, you can set your own key for blackberry messenger, you don't need the S/MIME package (fyi, S/MIME is free).

    You are correct that pin to pin communications can be encrypted using S/MIME.

    You can also get a PGP module for blackberry, but you have to pay for that.

  12. Android + BlackBerry Universal Device Service? by Anonymous Coward · · Score: 2, Informative

    Your use case and focus on security really suggests that BlackBerry would be the best bet, but if you are focused on finding a way to securely deploy Android devices, but still maintain some security, take a look at the BlackBerry Universal Device Service product as an MDM solution:

    Feature Checklist: http://ca.blackberry.com/content/dam/blackBerry/pdf/brochure/northAmerica/english/BlackBerryMobileFusion,UniversalDeviceServiceFeatureChecklist-1.pdf

    Details: http://us.blackberry.com/business/software/mobilefusion/

    Docs: http://docs.blackberry.com/en/admin/subcategories/?userType=2&category=Universal+Device+Service

    BlackBerry Mobile Fusion Client for Android: https://play.google.com/store/apps/details?id=com.rim.mobilefusion.client&hl=en

    You can deploy policies to enforce media card encryption, not sure about the call/SMS logs or encrypting the rest of the file system. That's probably something that would have to be baked into the OS - if you have to do it via a mod or rooting the device, you potentially open yourself up to more vulnerabilities.

    The UDS product can detect if a device is jailbroken or rooted, and you can set rules to lock out access to internal resources. You can also do remote device lock/wipe, so that gets you halfway there.