What to do about mobile devices that lie

Apple pulls jailbreak detection from iOS 4, and InfoWorld catches Androids that lie about Exchange policy support -- so what can IT trust?

Much of security is built on trust, but it turns out you can't always believe a mobile device's claims. They can be programmed to lie about their capabilities, as in the case of several Android devices, as well as jailbroken iPhones and iPads. Thus, they can appear to conform to IT security policies managed via Microsoft's Exchange ActiveSync (EAS) protocol even when they don't. Two recent events show that trust may be misplaced in the mobile world.

Last week, Apple quietly dropped its jailbreak detection capability from iOS 4's APIs, so iPhones and iPads can't report whether they've been jailbroken. (Apple did not comment.) Jailbreaking, although legal, can compromise a device, allowing malware and worse into the corporate network. Indeed, the few reported cases of iPhone viruses have occurred on jailbroken units.


Also last week, InfoWorld.com discovered that Samsung's Galaxy Tab Android tablet can connect to Exchange servers that require on-device encryption to gain access -- even though, as Samsung acknowledged, the Android OS and, in turn, Galaxy Tab don't support on-device encryption. Samsung stopped responding to our requests when we pointed out its device was doing what the company said it shouldn't do.

The same thing happened last month when we discovered that Motorola Droid devices were accessing Exchange servers when they shouldn't have been able to, due to similar EAS policy restrictions. Motorola promised to investigate the issue but then stopped responding to us.

By contrast, our tests show that Google's own Nexus is truthful about its policy support, and Google publishes a list of the EAS policies supported (PDF) so you can know what behavior to expect from Android devices and thus identify those that may be lying. Note that because Android is open source, device makers could modify their mail or other clients to include encryption in their workspaces -- or use third-party clients that do, such as NitroDesk Touchdown, IBM Lotus Notes Traveler, Good for Enterprise, and MobileIron MyPhone@Work.
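One way an IT shop can act on that published list is to cross-check what each device claims against what its mail client is documented to support, flagging devices the server would admit only because they claim a policy their platform cannot enforce. The script below is an added example, not code from the article or from Google, Samsung or Motorola; the DOCUMENTED_SUPPORT table and the sample device reports are constructed placeholders, not real vendor data or a real Exchange export. The client key includes the mail client, not just the OS version, because a third-party client can legitimately add capabilities the stock client lacks; a client that is not in the table is queued for review rather than trusted.

```python
"""Cross-check claimed Exchange ActiveSync (EAS) policy compliance against
what a device platform is documented to support.

Added example, not code from the article or from any vendor. Every value
below is CONSTRUCTED for illustration: DOCUMENTED_SUPPORT stands in for a
vendor-published policy list (such as the Android EAS document mentioned in
the text), and SAMPLE_REPORTS only mimics the shape of per-device data an
Exchange admin can export."""

from dataclasses import dataclass, field

# ASSUMPTION: illustrative placeholder sets, not real vendor data.
# Keys identify the mail client, not only the OS, because a third-party
# client on the same OS may legitimately support more policies.
DOCUMENTED_SUPPORT = {
    "android-2.2/stock-mail": {
        "DevicePasswordEnabled", "MaxInactivityTimeLock", "RemoteWipe",
    },
    "ios-4.0/mail": {
        "DevicePasswordEnabled", "MaxInactivityTimeLock", "RemoteWipe",
        "RequireDeviceEncryption",
    },
}


@dataclass
class DeviceReport:
    device_id: str
    client: str                                  # key into DOCUMENTED_SUPPORT
    claimed: set = field(default_factory=set)    # policies it says it satisfies


@dataclass(frozen=True)
class Finding:
    device_id: str
    verdict: str                 # "consistent" | "overclaims" | "unknown-client"
    overclaimed: frozenset = frozenset()


def assess(report, documented=DOCUMENTED_SUPPORT):
    """Classify one device: a claim beyond the documented set is suspect;
    an unknown client is neither trusted nor condemned, just queued for review."""
    if report.client not in documented:
        return Finding(report.device_id, "unknown-client")
    extra = frozenset(report.claimed - documented[report.client])
    if extra:
        return Finding(report.device_id, "overclaims", extra)
    return Finding(report.device_id, "consistent")


def triage(reports, required, documented=DOCUMENTED_SUPPORT):
    """Return findings, keyed by device id, for devices the server would
    ADMIT because they claim every required policy. A device that does not
    claim the full required set is simply refused by EAS and needs no second look."""
    results = {}
    for r in reports:
        if required <= r.claimed:
            results[r.device_id] = assess(r, documented)
    return results


# CONSTRUCTED sample data: what the server demands and what devices claim.
REQUIRED_BY_SERVER = {"DevicePasswordEnabled", "RequireDeviceEncryption"}
SAMPLE_REPORTS = [
    DeviceReport("nexus-01", "android-2.2/stock-mail",
                 {"DevicePasswordEnabled", "RemoteWipe"}),               # honest, refused
    DeviceReport("tab-07", "android-2.2/stock-mail",
                 {"DevicePasswordEnabled", "RequireDeviceEncryption"}),  # overclaims
    DeviceReport("phone-03", "ios-4.0/mail",
                 {"DevicePasswordEnabled", "RequireDeviceEncryption"}),  # consistent
    DeviceReport("unknown-09", "android-2.2/thirdparty-x",
                 {"DevicePasswordEnabled", "RequireDeviceEncryption"}),  # needs review
]

if __name__ == "__main__":
    for dev_id, finding in triage(SAMPLE_REPORTS, REQUIRED_BY_SERVER).items():
        print(dev_id, finding.verdict, sorted(finding.overclaimed))
```

Run against the sample data, the honest Nexus never appears in the output (the server already refuses it), the tablet is reported as overclaiming RequireDeviceEncryption, the iOS device is consistent, and the device with an unrecognized client lands in the review bucket. Replacing the placeholder table with the vendor's actual published list is the one step that turns this from an illustration into a usable check.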

So I have to suspect that Samsung's and Motorola's devices aren't accurately reporting to Exchange the policies they in fact support. Perhaps some rogue developer or contractor thought he or she was being smart by getting around the EAS policy requirements. No matter: It feels as if maybe some in the Android community are abusing the trust that EAS requires to be effective -- and such behavior could cause businesses to distrust all Android devices on their networks and ban the whole lot.

If I were Google, I would use its trademark on the Android name and logo to force Android device makers to be honest or else lose the ability to use the Android name in their marketing. (Because Android is open source, Google can't prevent people from using the OS, but it can control the use of the trademark.)

The uncomfortable truth is that there's no easy way to make sure a device is being honest about its capabilities. Any software feature can be hacked, which is likely why Apple pulled the jailbreak detection from iOS 4 -- after all, a jailbroken iPhone is a hacked iPhone, and that hack could easily include a false status indication that it had not been compromised. It's better not to pretend you know the truth when you can't say for sure.

Devices need not be hacked to lie. In 2009, for example, Apple's iPhone OS 3.0 incorrectly reported Exchange ActiveSync policy compliance due to a software bug. When iPhone OS 3.1 shipped, the bug was quietly fixed, so truthful iPhones suddenly stopped connecting to Exchange servers, taking users and IT by unhappy surprise.
