What to do about mobile devices that lie

Apple pulls jailbreak detection from iOS 4, and InfoWorld catches Androids that lie about Exchange policy support -- so what can IT trust?

Page 2 of 2

There is a way to detect devices that are lying about their capabilities. Google is using it in the forthcoming Chrome OS laptops: an encrypted hardware module that can't be hacked. The technology, called Trusted Platform Module (TPM), has been around for years and is used in some laptops -- particularly those in the defense industry. In order to work, device management software needs to have access to the device's read-only status through the operating system, to compare the safeguarded actual state against the device's software-reported state.

Conceivably, all the mobile device makers could agree to implement TPM in some common way, providing an API-level tool that could not be hacked to lie. That's unlikely -- and it hasn't happened in the world of laptops, which are much more widely deployed and tend to hold gobs of potentially sensitive information.

Another approach is to have a secure client run on a device with its own encrypted "real state" information that a management tool can then compare against the device's reported state. That's how mobile device management tools such as MobileIron's detect jailbroken iPhones even without Apple's jailbreak-detection API. Network access controllers (NACs) have used a similar approach for years.
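The two preceding paragraphs describe the same check from two vantage points: a trusted source of "real state" (a TPM, or a secure client holding its own protected record) and a management server that compares that record against what the device's software reports. The following is an added illustration, not MobileIron's, Google's, or any vendor's code: it models the secure client as a component that signs its state report with an HMAC key provisioned at enrollment and binds it to a server-issued nonce, and models the server as the party that verifies the report and diffs it against the device's self-report. The device identifiers, key, field names, and state values are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed example: key provisioned to the secure client at enrollment.
# On a real device it would sit in protected storage; here it is a literal.
CLIENT_KEY = b"constructed-enrollment-key-device-0001"

# The state fields the server compares between attested and self-reported views.
COMPARED_FIELDS = ("jailbroken", "os_version")


def canonical_bytes(payload: dict) -> bytes:
    """Serialize deterministically so client and server MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def attest_state(actual_state: dict, nonce: str, key: bytes = CLIENT_KEY) -> dict:
    """Secure-client side: bind the real state to a server nonce and sign it."""
    payload = dict(actual_state, nonce=nonce)
    mac = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_report(report: dict, self_report: dict, expected_nonce: str,
                  key: bytes = CLIENT_KEY) -> list:
    """Management-server side: return a list of findings (empty means compliant).

    Integrity and freshness are checked before any field is trusted, so a
    report whose signed fields were edited, or an old report replayed for a
    fresh challenge, is rejected outright rather than compared.
    """
    payload = report.get("payload", {})
    expected_mac = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, report.get("mac", "")):
        return ["attested report failed integrity check (tampered or wrong key)"]
    if payload.get("nonce") != expected_nonce:
        return ["attested report nonce mismatch (stale or replayed report)"]

    findings = []
    for field in COMPARED_FIELDS:
        if payload.get(field) != self_report.get(field):
            findings.append(
                f"{field}: attested={payload.get(field)!r} "
                f"self-reported={self_report.get(field)!r}"
            )
    if payload.get("jailbroken"):
        findings.append("device is jailbroken")
    return findings


if __name__ == "__main__":
    # Constructed walk-through: a jailbroken device whose management agent
    # reports "not jailbroken" while the secure client reports the truth.
    nonce = "server-challenge-0001"
    real_state = {"device_id": "dev-0001", "jailbroken": True, "os_version": "4.0"}
    attested = attest_state(real_state, nonce)
    claimed = {"device_id": "dev-0001", "jailbroken": False, "os_version": "4.0"}
    for finding in verify_report(attested, claimed, nonce):
        print(finding)
```

The point a practitioner should take from the model is where the trust sits: nothing the device's ordinary software says is believed on its own, and the signed report is only believed after its integrity and freshness pass, because a secure client that can be replayed or edited is no better than the self-report it is meant to check.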

As for the lying Androids that weren't jailbroken but somehow shipped that way from reputable manufacturers, a client app that coordinates with a server tool can also detect the liars. In fact, that's how several mobile management tools catch such lies.

In the case of Android, there's an even simpler way to block lying devices: compare the known capabilities of a device to the ActiveSync policies at the server end, rather than worry about what the device is reporting. Again, mobile management tools use that technique -- though Exchange by itself does not. The flaw in this approach is that it requires the mobile management vendors to keep their profiles updated for all supported devices, and for IT to keep its systems updated accordingly; as anyone who handles security patches and antivirus definitions knows, this is not so easy to do.
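The server-side approach in the paragraph above replaces trust in the device's self-report with a lookup in a profile of what that device model is known to be able to enforce. The following is an added illustration of that decision logic, not the code of Exchange or of any mobile management product: the device identities, capability profiles, and required policies are constructed, and the policy names are labels for the example rather than actual ActiveSync policy identifiers. It also shows the failure mode the paragraph warns about, a device with no profile, which the example quarantines rather than allows.

```python
# Constructed capability profiles keyed by (manufacturer, model, os_version).
# A management vendor maintains and ships tables like this; keeping them
# current for every supported device is the maintenance burden in the text.
KNOWN_CAPABILITIES = {
    ("ExampleCo", "Phone A", "2.2"): {"pin_required", "remote_wipe"},
    ("ExampleCo", "Phone B", "2.2"): {"pin_required", "remote_wipe", "device_encryption"},
}

# Policies the mail server insists on before granting access (constructed labels).
REQUIRED_POLICIES = {"pin_required", "remote_wipe", "device_encryption"}


def evaluate_device(identity: tuple, claimed_support: set,
                    required: set = REQUIRED_POLICIES,
                    profiles: dict = KNOWN_CAPABILITIES) -> dict:
    """Decide access from the known profile, not from what the device claims.

    Returns {"decision": "allow" | "deny" | "quarantine", "reasons": [...]}.
    """
    profile = profiles.get(identity)
    if profile is None:
        # Unknown model: the profile table is stale or the device is new.
        # Failing closed is the conservative choice; the alternative is to
        # accept the self-report, which is the weakness the lookup avoids.
        return {"decision": "quarantine",
                "reasons": ["no capability profile for device; cannot verify claims"]}

    reasons = []
    # A device claiming support the profile says it lacks is the "lying" case.
    overclaimed = set(claimed_support) - profile
    if overclaimed:
        reasons.append(f"device claims support it cannot have: {sorted(overclaimed)}")
    # Regardless of claims, a device that cannot enforce a required policy is out.
    missing = required - profile
    if missing:
        reasons.append(f"device cannot enforce required policies: {sorted(missing)}")

    decision = "deny" if (missing or overclaimed) else "allow"
    return {"decision": decision, "reasons": reasons}


if __name__ == "__main__":
    # Constructed walk-through: Phone A cannot encrypt storage but claims it can.
    verdict = evaluate_device(("ExampleCo", "Phone A", "2.2"),
                              {"pin_required", "remote_wipe", "device_encryption"})
    print(verdict["decision"], verdict["reasons"])
```

Note that the self-report is still used, but only as evidence against the device: a claim that exceeds the profile is itself grounds for denial, while a claim that matches the profile adds nothing the server did not already know.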

As you can see, the lie-detection techniques aren't simple or consistent, and as more devices connect to corporate resources, the chance that some of them are lying about compliance grows. IT can reduce the risk by spending money on mobile device management tools. It can simply disallow risky classes of devices (such as all Androids) from access to corporate resources, despite the furor that will cause. It can turn a blind eye to the devices and focus instead on in-network detection of malware and internal access controls based on user authorization. Or it can try a mix of these approaches. There's no easy answer -- just like in any security endeavor.

This article, "What to do about mobile devices that lie," was originally published at InfoWorld.com. Read more of Galen Gruman's Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com.

Copyright © 2010 IDG Communications, Inc.
