Are Droids lying about their security compliance?

IT may be forced to buy costly management software, block all Android devices, or risk unsafe data handling

The current Froyo 2.2 version of Google's Android OS for smartphones such as the Motorola Droid and HTC Incredible doesn't support on-device encryption, making it incompatible with security settings at many businesses. However, some users are reporting that their Droids can connect to such networks, despite the policy mismatch. That indicates some Android smartphones are lying about their security compliance.

The Microsoft Exchange email server has a tool called Exchange ActiveSync (EAS) that lets IT set policies a device must meet to access the server. One common policy at many companies is requiring that the device encrypt any data stored on it. Many states' laws require, for example, that such encryption be enabled on devices that contain customers' and employees' personal information.


Android users can install the NitroDesk Touchdown app or a mobile management app such as the one from Good Technology to create an encrypted workspace on their Android smartphones. These apps then manage your email and keep it encrypted in those workspaces, which satisfies the EAS policy requirement. Without such apps, Android does not support the EAS on-device encryption policy.

When a colleague bragged to me recently that his new Droid X was able to connect to the corporate network, which requires on-device encryption, I became concerned. It was only a year ago that Apple's iOS 3.2 update revealed that older iPhones had been lying about their compliance with EAS's encryption policy. The problem was a bug in the OS that Apple quietly fixed, but it became a public embarrassment, calling into question Apple's honesty, when suddenly thousands of devices stopped connecting to Exchange servers.

Could the same thing be happening here? Are some Droids falsely reporting on-device encryption compliance?

It's quite possible -- you can install hacks from the Internet to make the Android OS lie about EAS compliance and get around corporate security requirements. My colleague swears he doesn't have one of those hacks, and that he is using the out-of-the-box Froyo version of Android that came on his Droid X. Motorola recently updated its version of Froyo, so perhaps it introduced the same kind of bug Apple had a year ago. (After four business days of looking into the issue, Motorola still had nothing to say.)

If Droids are lying about their EAS policy support, businesses have a tough choice to make:

  • They can invest in a mobile management tool (for example, the one from Good Technology) that can detect modified smartphone OSes and compare what a device claims to support against what it actually does support.
  • If such a tool is out of their budget, and they have to rely on EAS, they have to decide whether to risk allowing unsecured Droids in or banning them all. (EAS has no way to tell if the device is lying.) The more security-conscious a business is, the more likely it is to ban all Droids.
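The trust gap in the two options above can be modelled directly: EAS records whatever compliance status the device returns, while a management layer can compare that claim against what the reported platform is known to be able to do. The following is an added illustration, not code from EAS, Good Technology or any product named in the article; the function names, the capability table and the device reports are constructed, and the only platform fact taken from the article is that stock Android 2.2 lacks native on-device encryption.

```python
"""Constructed model of self-reported EAS policy compliance versus a
capability cross-check. Not real EAS wire data or any vendor's API."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed capability table: does the platform version support the
# on-device encryption policy natively? Only the Froyo entry comes from
# the article; anything absent is treated as unknown, not as supported.
NATIVE_ENCRYPTION = {("android", "2.2"): False}

# Apps the article names as providing an encrypted workspace on Android.
CONTAINER_APPS = {"touchdown", "good"}


@dataclass
class DeviceReport:
    platform: str
    version: str
    claims_encryption: bool                 # what the device tells EAS
    installed_apps: set = field(default_factory=set)


def eas_provision(require_encryption: bool, dev: DeviceReport) -> bool:
    """EAS behaviour: the device's own answer decides whether it gets in.
    There is no second source of truth on the server side."""
    return dev.claims_encryption or not require_encryption


def mdm_verify(dev: DeviceReport) -> tuple[bool, str]:
    """Cross-check a compliance claim against platform capability.

    Returns (trustworthy, reason). A claim is rejected when the platform
    is known to lack native encryption and no container app is present
    to supply it; an unknown platform is reported as unverifiable rather
    than silently trusted (fail closed)."""
    if not dev.claims_encryption:
        return True, "device does not claim encryption; EAS denies it anyway"
    native = NATIVE_ENCRYPTION.get((dev.platform.lower(), dev.version))
    apps = {a.lower() for a in dev.installed_apps}
    has_container = bool(CONTAINER_APPS & apps)
    if has_container:
        return True, "claim backed by an encrypted-workspace app"
    if native is False:
        return False, "claims encryption but platform cannot provide it"
    if native is None:
        return False, "platform capability unknown; claim unverifiable"
    return True, "claim consistent with native platform support"
```

EAS alone admits the first device below; only the cross-check flags it.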

Ultimately, the burden should be on Google to deal with this issue. First, it needs to add on-device encryption to the Android OS. Second, it needs to ensure that the OS can't be hacked to lie about its security compliance. Otherwise, Android will be a consumer-only smartphone OS.

This article, "Are Droids lying about their security compliance?," was originally published at InfoWorld.com. Read more of Gruman et al.'s Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com.
