Android phones becoming schizophrenic?
Oct. 14th, 2011 07:34 am

"AT&T is adopting technology that gives a person with an Android device two user profiles, enabling company email and other data to reside in an encrypted partition separate from a user's apps, games and unfettered web browsing. AT&T is calling the feature Toggle, and plans to release it later this year. Toggle is a regular app that, once installed, creates its own encrypted desktop under the control of company IT bosses. Toggle is a rebranding of an app developed by startup Enterproid, which continues to develop its own version. AT&T think this move will encourage smartphone adoption in the enterprise. Interestingly, Apple's current version of iOS and app guidelines exclude multiple profiles on one device."
I can see this as a good move that will help the phone be increasingly adopted in business, but what they really need to do is extend this encryption to the entire phone! People are realizing that we now functionally carry our entire lives in a pocket or purse: photos, contacts, personal and private information, etc., and that is a real problem if the phone is lost. I've carried a PDA for close to 20 years now, and I've been cognizant of this and kept the important stuff in encrypted files. A lot of information was still vulnerable, but at least the most important stuff was protected.
But now in California, Michigan, and other states, you can get your phone sucked dry by the cops during a routine traffic stop. So this really needs to be extended throughout the phone. Note that encryption at rest only helps if the phone is powered off or locked with a real passphrase when it's taken; a phone handed over unlocked is wide open regardless, and the same goes for an app-level container that happens to be open at the time.
One thing that I find interesting relates to my current employer. Currently BlackBerrys are the standard data phone. I was speaking to one of my fellow IT drones and he said that policies were being put in place so that people with iPhones and Microsoft phones can have them connected to the enterprise. Conspicuously absent from the list? Android phones. The problem, viewed from a security perspective, is that the operating system is forked for just about every manufacturer and almost every phone. They have different screen dimensions, different keyboards, and different feature sets, and that requires customizations and extensions to the operating system. Every one of those customizations is vendor code that enlarges the attack surface, and it gets patched on the vendor's (and carrier's) schedule rather than Google's, so a fix in the base tree can take months to reach a given handset, if it ever does. This is a case where monolithic control over the code base can be an advantage.
Overall, I agree with the Free/Open Source idea that many eyes make problems visible and easy to fix, but this works in both directions, for good guys and bad guys. And the bad guys are very highly motivated; there's a lot more money in finding and selling an exploit than there is for the good guys in finding and reporting one. And this is a problem for the overall Android code base: Maker X finds a significant bug that can lead to an exploit in their code, so they fix it. They may or may not notify the other Makers, because that bug may or may not exist in those code bases. And they can report the bug to Google's Android team, but THEY CANNOT directly patch the fix back into the base code tree! In most F/OSS projects you can either commit the code directly or submit a patch for review to the maintainers; unless Google has changed this policy since I first heard of it, it's a lot harder to get these patches submitted to them.
http://apple.slashdot.org/story/11/10/14/0350258/android-phones-get-dual-accounts