Consumer Grade or Enterprise Ready?

Google just announced their entry into the smartphone, or as they call it the super phone, market today. The Google Nexus One super phone runs their Android operating system, but the hardware is built by HTC. The Nexus One is entering a smart phone market that is taking increasing heat from enterprises for their lack of robust security features. So how does the Nexus One stack up? Let's take a look.
The Nexus One has many of the table stakes security features that we've come to expect. These include:
-Screen lock: A new (new to me anyway) feature here is the ability to use gestures/drawings as your passcode for the screen lock instead of an alphanumeric code. A bit of a novelty for sure and of questionable security strength, but very cool nonetheless.
-VPN: Nexus One fully supports IPsec VPN. It supports certificate authentication as well. The certificate store on the phone is kept encrypted for added security, which is a nice touch. The VPN client supports 3DES and AES crypto. Performance is unknown.
-Wireless Security: Google's phone supports all of the wireless security features found on your typical laptop client. WPA and WPA2 are supported, with or without certificates. The wireless radio supports 802.11n.
-Application sandboxing: The Android OS relies on typical Linux file and application permissions as well as some advanced security controls of its own. Android OS runs each application in its own process and limits the communication between applications. Here is how the Android developer guide describes it:
A central design point of the Android security architecture is that no application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. This includes reading or writing the user's private data (such as contacts or e-mails), reading or writing another application's files, performing network access, keeping the device awake, etc.
An application's process is a secure sandbox. It can't disrupt other applications, except by explicitly declaring the permissions it needs for additional capabilities not provided by the basic sandbox. These permissions it requests can be handled by the operating in various ways, typically by automatically allowing or disallowing based on certificates or by prompting the user. The permissions required by an application are declared statically in that application, so they can be known up-front at install time and will not change after that.
-Corporate enforcement of security settings: Another critical, but missing, enterprise security feature is the ability for companies to enforce phone security settings (screen lock password strength, screen lock timeout, data encryption and remote wipe are most common) on any device that is issued by them or uses one of their services (like email, for example). BlackBerry has this functionality nailed and is by far the leader in this space. Apple has made some nice headway here and is at the point now where it meets most requirements. Nexus One must add this in a subsequent release in order to be taken seriously in the corporate phone space.
-Application Signing: This is where the Nexus One falls down hard vs the iPhone. Nexus One does require all applications to be signed using certificates in order to run. However, it enforces no requirement that a trusted certificate authority sign the certificates. As a result, the application signing requirement adds no security and instead could give users a false sense of security. Most Android applications use self-signed certificates, which are practically worthless. Apple iPhone requires application signing, and Apple issues and revokes the certificates, making it a powerful security feature.
-Hardware Data Encryption: This is another major security feature that is missing from Nexus One. Enterprises are requiring that any smart phone that holds company data must be encrypted. iPhone and BlackBerry are examples of phones that do support this necessary feature. Without encryption, any data you store on your phone is retrievable by whoever possesses the phone.
-Remote wipe: This feature does not appear anywhere in the Nexus One user guide posted on google.com, so I have to assume it is not supported either. Without encryption or remote data erase features, Google will be hard pressed to convince enterprise customers to adopt this phone.
-Operating system: The Android operating system is in its infancy and, like any new piece of software, is likely to be full of security bugs. Android is also open source, so it is highly susceptible to developers with malicious intent finding those bugs more quickly than if the OS were closed like the iPhone or BlackBerry OS. However, the open source nature of the OS should also become a benefit for its security longer term as coders with good intent scrub Android, find the security holes and patch them. Without the source code this job becomes much harder and takes considerably longer. Bottom line is it’s a mixed bag: less secure in the short term but able to become more secure faster than a closed OS can.
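As an added illustration of the install-time permission model quoted under Application sandboxing (this is not code from the original article or from Android), the following Python example lists the permissions an application declares in its manifest and flags any that fall outside an enterprise allowlist. The sample manifest, the package name and the allowlist are constructed for the example; the permission names are standard Android ones matching the capabilities the quoted guide mentions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities the quoted guide says are denied by default, keyed by the
# permission an application must declare to obtain them.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "read the user's contacts",
    "android.permission.WRITE_CONTACTS": "write the user's contacts",
    "android.permission.INTERNET": "network access",
    "android.permission.WAKE_LOCK": "keep the device awake",
}

# Constructed sample manifest in plain-text XML form (an APK carries a
# binary-encoded version that must be decoded first).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission android:name="android.permission.VIBRATE" />
  <application android:label="Notes" />
</manifest>
"""

def declared_permissions(manifest_xml):
    """Return the sorted permissions an application declares statically."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            names.add(name)
    return sorted(names)

def review(manifest_xml, allowed):
    """Split declared permissions into allowed ones and ones needing review."""
    report = {"allowed": [], "needs_review": []}
    for perm in declared_permissions(manifest_xml):
        if perm in allowed:
            report["allowed"].append(perm)
        else:
            reason = SENSITIVE.get(perm, "not classified")
            report["needs_review"].append((perm, reason))
    return report

if __name__ == "__main__":
    # Hypothetical enterprise allowlist, constructed for this example.
    policy = {"android.permission.INTERNET", "android.permission.VIBRATE"}
    for perm, why in review(SAMPLE_MANIFEST, policy)["needs_review"]:
        print("review:", perm, "->", why)
```

Because the permissions are fixed at install time, a check like this can run once per application version before the application is approved for corporate devices.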
All in all, the Google Nexus One phone is ready for primetime as a purely consumer smart phone. We will inevitably start to see corporations try to ban this phone from their workplace because of its lack of robust security, just like all other smart phones when they were young (especially the iPhone). As the Nexus One and its Android OS mature, the game will change, as it always does, I'm sure. But for now, I don't expect to see any corporations handing out the Nexus One to their employees.
Here is a link to the Google Nexus One website
Here is a link to the security framework of Android
As a consumer phone the Nexus One seems ripe to give the iPhone a run for its money, especially since it will soon be available on Verizon! I like it because competition spurs more innovation and I like more nerd knobs. ☺
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council Board of Advisors, where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.
Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.