It would be interesting to see how the Blackphone and Priv do compared to standard Android handsets and how BB10 compares overall.
Faux Disk Encryption: Mobile phone crypto not a magic bullet
Full-disk encryption on mobile devices is nowhere near as secure as commonly believed and Android offers less granular control than iOS, according to security researchers from NCC Group. Daniel Mayer and Drew Suarez debunked some commonly held but inaccurate beliefs about smartphone crypto as well as presenting a comparison …
COMMENTS
-
-
Monday 16th November 2015 17:00 GMT Anonymous Coward
Re: Is no one starting the...
Is no one starting the usual Android vs iOS bun fight?
Nah. I'm just waiting for the next paper that will exclusively focus on iOS problems. If you can't recognise a trend you have no business being in security in the first place.
In my opinion, it is possible to get any platform up to a reasonable standard, what differs is the amount of effort it requires to establish and maintain that. Even a vault with walls made from butter can be made secure if you're prepared to waste a fortune on cooling, but why should you?
I had good hopes for Blackberry, but although I understand the motivation to sing along with Android I am far from enthusiastic about that. It's a shame; I rather like their Priv hardware, but I understand it's hard to maintain your own platform if people are not interested enough, and going the Android route means there is at least a ready amount of apps out there.
The blunt reality is that security is not a volume argument - it is still only of interest to a small percentage of users.
-
-
Monday 16th November 2015 17:40 GMT Anonymous Coward
One Apple issue
Moreover, locally stored data often includes authentication tokens that are, typically, longer-lived than browser applications.
I recently had to disable an account of a member of staff who left in less than perfect circumstances. You would think that resetting their domain account password would suffice? Nope, their iPhone could still connect for at least 2 days. I felt like a right plonker. I'm not sure if disabling the account would have worked, but meh, I'm busy. Tried it on an S5 linked account and it lost access straight away, go figure.
Was Exchange 2007 but now 2013; those remote wipe features are looking worth the money!
-
Monday 16th November 2015 17:56 GMT Synonymous Howard
Re: One Apple issue
So are you saying that the issue is with iOS or that Microsoft Domain accounts are not synchronising in a timely manner?
You can't blame a client for caching authentication tokens if the server side does not expire/invalidate their use immediately everywhere when requested to.
-
Monday 16th November 2015 17:57 GMT Anonymous Coward
Re: One Apple issue
I'd say the blame lies in the server more so than the phone. Maybe iOS is ignoring or otherwise incorrectly handling a message telling it to expire that token, but proper security means that you cannot depend on the client to behave.
Otherwise one could take advantage of that misplaced trust by deliberately coding a malicious client that maintains access even after the account is locked. This would be a rather severe security problem in the event of disgruntled employees etc.
-
Tuesday 17th November 2015 07:13 GMT Anonymous Coward
Another Apple issue
Oh, there is more that can be improved. Try to reset the certificate store when the user has stupidly accepted one of those certs hotels keep serving to allow connections to their idea of Internet (enabling a Man In The Middle risk).
If anyone has an idea how to do that without resetting the phone I'd be grateful. I have to find a way to lock the phone down so it's simply not possible, but I haven't found a way yet. I'm a bit new to iOS yet I have to somehow keep this thing from going unsafe. So far, not good.
I may just sling a VPN on it and be done with it.
-
Tuesday 17th November 2015 20:46 GMT Sel
Re: Another Apple issue
Settings -> General -> Profiles
Select the 'bad' Profile (certificate)
Click 'Delete Profile'
This is also where your VPN certificate will appear once served to the device.
If you don't own the iOS device then there is not much you can do to stop users doing insecure things.
If your company owns the iOS device and a Mac (with restricted access) then there is OS X Server Profile Manager.
http://www.apple.com/uk/osx/server/features/#profile-manager
There are other BYOD provisioning systems that can speak to iOS too if you don't have a Mac.
-
-