Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Equipping a Company With Secure Android Phones?

Posted by timothy on from the try-this-new-hal-9000-model dept.

An anonymous reader writes "I'm in charge of getting some phones for my company to give to our mobile reps. Security is a major consideration for us, so I'm looking for the most secure off-the-shelf solution for this. I'd like to encrypt all data on the phone and use encryption for texting and phone calls. There are a number of apps in the android market that claim to do this, but how can I trust them? For example, I tested one, but it requires a lot of permissions such as internet access; how do I know it is not actually some kind of backdoor? I know that Boeing is producing a secure phone, which is no doubt good — but probably too expensive for us. I was thinking of maybe installing Cyanogenmod onto something, using a permissions management app to try and lock down some backdoors and searching out a trustworthy text and phone encryption app. Any good ideas out there?"

8 of 229 comments (clear)

  1. Re:Cell phone calls are already encrypted by Anonymous Coward · · Score: 5, Informative

    And blackberry messenger is too.

    To clarify on the blackberry messenger encryption: It's encrypted by default with a global key (hardly useful) but pin to pin communications can be encrypted using an organizational key, if you subscribe to a S/MIME package.

  2. Dear slashdot by Anonymous Coward · · Score: 5, Insightful

    I'd like to know how to configure a kludge of shit (using all FOSS, of course) for my enterprise environment. I want everything under the sun plus the kitchen sink.

    Also, I'm going to be paranoid and reject anything you propose. After all, I can't be sure that anything I buy doesn't have a backdoor that the government or extra terrestrials could use to snoop on the uber secrets at my company.

  3. Blackberry? by twnth · · Score: 5, Informative

    Why android? is there an app you need or something? or is it a latest bling thing?

    Because Blackberry does the encrypted thing, and if you buy BES you can also set device policies and centrally administer the devices (remote wipe for example).

  4. RIM/Blackberry by alphax45 · · Score: 5, Insightful

    You basically described the RIM/Blackberry use case; why not use them? The Bold 9900 is actually a nice phone.

    --
    K Man
  5. Too expensive? by hawguy · · Score: 5, Insightful

    I know that Boeing is producing a secure phone, which is no doubt good — but probably too expensive for us

    If a secure, off the shelf phone is too expensive for you, you probably don't have the resources to build a secure phone yourself. Even the experts have trouble getting security right, an amateur will unknowingly leave big gaping holes.

    That said, Android ICS will do full filesystem encryption, make sure you use a secure passphrase and not a 4 digit PIN. Use SSL to talk to your email server to keep that traffic from being snooped. Don't use SMS's.

    Do you really need to encrypt your phone calls? Stick with a CDMA provider (supposedly it's trivial to hack GSM, but I believe CDMA is still relatively safe) and your calls are safe from all but the most determined (and well funded) eavesdropper. Unless you're worried about the US Government doing the eavesdropping, they'll just tap the call on the Telco side, so you need end-to-end encryption to protect against that.

    Skype reportedly encrypts skype-to-skype calls.

    But really, unless you're doing top-secret government work, your phone is the least of your worries. If the information is valuable, it's much easier to pay an employee to leak it than to steal your phone and hope to find the data stored on the phone. And if you are doing top-secret government work, a home-brew solution isn't going to meet the federal standards you'll be required to meet.

  6. Re:Apple by Anonymous Coward · · Score: 5, Informative

    As much as I absolutely HATE to say this, you're absolutely right.

    Blackberries suck, Android's security is left to the manufacturer (so it usually doesn't get done right), Windows Phone 7(.5) is still not ready for the Enterprise, Symbian is dead, so are Meego and Maemo...

    iPhones are locked down, have enterprise support tools, come encrypted by default. Unless you're willing to inflict Blackberries on your users, AND pay for the BES, AND pay the per-handset CAL, iPhones are your best bet.

  7. Weak spec: Secure from what while doing what? by Fubari · · Score: 5, Informative

    You spec could honestly be stronger.
    What threats do you want to secure against? What scenarios do you want to avoid? Do you want to ensure against virus protection? Lost devices? (e.g. oh noes! our client list is on wikileaks!) Locking down data?
    For bonus points, what are the top three things your "reps" need to do?
    Just make calls? Or do texting? Or access web mail? Or...?
    And how many "reps" are there today? How many will there be next year?
    And what is your logistics model? Everybody at the same physical workplace? Distributed "virtual" office? Different countries? Different languages?
    Does your phone need to integrate with any of your workflow software?

    Try writing up five or six hundred words on the above to enhance your question - I'm sure you'll get some useful advice if you do that.

  8. Re:good luck by X0563511 · · Score: 5, Insightful

    Blame the security "roles" not the app developers.

    Want your app to detect if you're on a call, so it doesn't blow your eardrum out with an alert tone?

    Well, then you need "Access to Phone State / Identity" ... just for an example.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...