There is a skit on SNL Weekend Update where Seth and Amy read the headline to a news story with one of them following the other with “Really?!” That is my reaction every time I begin to think about mobile phone security. The darlings of our open-source world, the ones us geeks carry around on our belts, well…they fall short. In light of the police now being able to search your phone without a warrant, I decided to do a blog post on how-to protect yourself. Now I find myself asking the giants of Tech, REALLY!? Lets run through the major mobile phone platforms and see which ones encrypt data:
- iOS – Encrypts the storage and allows developers to access the crypto library
- Blackberry – Encrypts enough that countries around the world are putting pressure on RIM
- Windows Mobile 6.5 – Encrypts storage and allows access through .Net
- Symbian – Nope
- Android – Nope
- Meego – Nope
- WebOS – Nope
- Windows Phone 7 – Nope
Think for a second what using #4-8 are asking you to accept. Phone stolen? Phone confiscated? Your data is free for the taking. The passcode is susceptible to smudge attacks doesn’t really matter anyways. Why would I bother to ask/force you to provide it if I can simply plug it into a computer and dump the data for analyzing later?
As IT/IA architects we are also being asked to allow those platforms to host company data on phones that are susceptible to easy attack. I wouldn’t allow my companies’ email to be stored on a mobile and easily accessible device wandering through the world. Or worse yet, wandering the battlefield. General Dynamics and the Army have arm mounted devices providing situational awareness and data to the soldiers. Anyone who has served in the armed forces knows we never lose things in the field…
Tonight I found myself questioning my own choices. Looking at my Evo, I wonder if I feel comfortable storing anything on this device. I railed against the blackberry and iOS devices for their closed environments and lack of technology innovation, but they do one thing right. No longer will I say “what about (insert #4-8) in our enterprise?!”
Google/HP/Microsoft/Nokia – Y U NO ENCRYPT?!
Windows Phone 7 Acknowledgement from Microsoft for lack of encryption
Great Infoworld article comparing more the technical details for encryption of each device type