Droid's unsecure system????

Alexis (New Member, joined Jul 22, 2010)
Ok, earlier I posted about how our IT guys were makin' me angry saying that my boss can't get emails to his new Droid X b/c of some reason or another. But, I just found out that the actual problem is with the Droid. I am told that if we did end up making it to where he could get work emails onto his phone, it would subject our whole network to the possibility of a hack. We currently use a terminal server that is super secure (we're a law firm so it must be extremely secure). Does anyone know why this is or if there is anything to do about it?

Darkseider (Senior Member, joined Mar 12, 2010)
What? First off, if your IT department set it up so that in order to get corporate email you have to log into the terminal server, they should be fired. Second, if all your boss has to do is log into the terminal server, there is an RDP client for Android that works pretty good. Last but not least, assuming your company is using Exchange, there are apps like TouchDown and K9 to handle corporate Exchange mail assuming the DX can't. If you are running Lotus Notes, your boss can log directly into the web interface and it will be recognized as an iPhone and format it appropriately.
Alexis (New Member, joined Jul 22, 2010)
I find it interesting you say our IT should be fired. They do seem to be causing more problems about this than what I feel there should be. Our entire network is backed up and on this terminal server. How else would we get corporate emails without logging on? Also, what is the difference b/t "TouchDown" and the RDP client for Android?

I downloaded TouchDown onto boss' Droid X but IT wouldn't give me the info I needed to make it work. Now they say it's because it jeopardizes our entire system.

Skull One (Member, joined Mar 11, 2010)
Your IT department is doing what any "GOOD" IT department should/would do.

Any time a new piece of hardware with a new piece of software is being introduced from an outside source (your boss' personal Droid X) they should make sure it is cut off from access immediately. The reason for that is simple. They do not know the full impact of adding the device to a "known working situation". If you want them to integrate it in a timely manner, you will need to provide them a working Droid X, the applications that will be installed and then they will have to figure out a way to lock the Droid X down so that no other apps can be added.

This is Security 101 here. Esp for a business that has to prove it is ethically above board at ALL TIMES.

I doubt your boss is willing to foot the IT bill for figuring out the security issues. Which means at present, unless someone above IT makes this a project, I doubt you will get it to work.

maxnicks (Member, joined Jun 27, 2010)
If you are using an Exchange server for your email, I read somewhere or the other that your droid can only perform BASIC authentication. If that is the case, then your IT department is partially correct.

Here is a quote from a post on these forums. Reading it explains how your IT department can make the provision for your individual phone. This would not create a security hole for the entire server.

-- BEGIN QUOTE
I would first try to prove that a security policy does exist before going to your Exchange admin. This can be done by simply connecting to your Exchange server with a Windows Mobile phone or iPhone. Once you add your corporate email to it, it will tell you that you must apply a security policy and force you to create a PIN.

How to disable it from the server level: an admin can disable the entire security policy and no one will have to create a "device pin lock" on their phones, or they can just tell Exchange your account is an exception, and to not apply a security policy.

To add your account as an exception, log into the Exchange server, open ESM (Exchange System Manager, the Exchange admin tool). Expand the structure, and select global properties of mobile devices. Right-click Mobile Devices and select Properties. There should be a security tab that says "Exceptions". Browse and add your domain account.

At this point remove and re-add your account to the Droid.
-- END QUOTE

You can read the thread yourself at http://www.droidforums.net/forum/dr...642-exchange-2007-calendar-sync.html#post7316.

Lastly, doing a google search on "droid exchange sync" returns a plethora of results for your learning pleasure.

Good Luck!
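The quoted post above shows the Exchange 2003 ESM route, which works by exempting one account from the mobile device policy. The safer way to "make the provision for your individual phone" is the opposite: keep the policy, bind a strict one to just that mailbox, and restrict the mailbox to the one known handset. The script below is an added example, not from this thread or the quoted post, and assumes the Exchange 2010 Management Shell (the cmdlet names also exist on Exchange 2007 SP1, but the parameter set differs by version, so check against your server). The mailbox address and policy name are placeholders.

```powershell
# Added example (not from this thread or the quoted post). Assumes the Exchange
# 2010 Management Shell; the quoted post describes the Exchange 2003 ESM GUI,
# whose "Exceptions" tab exempts an account from the policy instead.
# Mailbox and policy name are placeholders.

$Mailbox    = "boss@example.com"          # placeholder mailbox
$PolicyName = "Legal-Phone-Policy"        # placeholder policy name

# 1. A policy that refuses handsets which cannot apply it, and forces a lock
#    PIN and a wipe threshold, rather than exempting the mailbox from policy.
New-ActiveSyncMailboxPolicy -Name $PolicyName `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -DeviceEncryptionEnabled $true

# 2. Bind the policy to the one mailbox that needs phone access and make sure
#    ActiveSync is enabled for that mailbox only.
Set-CASMailbox -Identity $Mailbox `
    -ActiveSyncEnabled $true `
    -ActiveSyncMailboxPolicy $PolicyName

# 3. After the phone has synced once, read its DeviceID and whether it actually
#    applied the policy, then pin the mailbox to that single device so an
#    unknown second handset cannot use the same account.
$Device = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceID, DeviceType, DeviceUserAgent,
                  DevicePolicyApplied, DevicePolicyApplicationStatus
$Device | Format-List

Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs $Device.DeviceID

# 4. Verify what is enforced on the mailbox.
Get-CASMailbox -Identity $Mailbox |
    Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy, ActiveSyncAllowedDeviceIDs
```

The point of step 1 is the check the IT department in this thread is asking for: with AllowNonProvisionableDevices set to false, a handset whose mail client cannot honor every element of the policy is refused outright instead of being quietly let in, and DevicePolicyApplicationStatus in step 3 shows whether the phone reported the policy as fully applied. If more than one device has synced to the mailbox, $Device.DeviceID is a list, so pick the one handset you intend to allow before running the last Set-CASMailbox.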

Darkseider (Senior Member, joined Mar 12, 2010)
Seriously, Skull. The IT department, persons, whomever should be beaten with a stick. I manage 4 large VM farms with over 1000 server VMs and 3000 workstation VMs. I have been doing this for a LONG time and from what the OP has mentioned the folks running that IT department are clueless. Not to mention the phone is a client-only piece and receives data and simply sends an acknowledgement when complete. There would be no other access by this device to the network except the ports required for email, whether it be POP/IMAP or ActiveSync.

Skull One (Member, joined Mar 11, 2010)
You missed the point of my statement. It doesn't matter how easy it is. It matters how secure something is perceived.

The Droid X is an unknown to them. So let's list the logical issues that they have to address before they can even begin.

1) The Android OS is an unknown from a security standpoint. The fact that we have root shows that as a fact.

2) The App Market is a gateway for new apps with NO security testing done to any app submitted. Again a fact that has to be looked at strongly.

3) The user can install any app from any source. Well, unless they are on AT&T ;)

So let's use one of your examples for gaining access. An RDP client. Can you prove that it is impossible for an Android application to sniff, piggyback, inject data into the RDP client that is running? Based on what you list as your background, I am going to hope you wouldn't even dare to say it can't be done and it is 100% secure.

And what happens if the Boss roots the phone? Then it becomes even easier for a security issue to occur.

I do not disagree with your assertions. But I do understand what "ethically bound companies" are required to do to protect their data and their clients' data. Because that is something I have been doing since 1985 for my clients and companies that I have worked for.

Darkseider (Senior Member, joined Mar 12, 2010)
Your first point is null and moot and has no relevance to the security of Android simply because we have physical access to the device. Give me physical access to any PC/Server and whatever OS and I will have Admin/root access in about 2 minutes.

Your second and third points hold little to no water either. Simply because it has an app market is nothing different than being able to install applications on your local workstation or for that matter plugging a USB key to your PC from home, etc... There are numerous attacks and infections that have occurred simply because someone plugged an infected, thought to be safe device, into a workstation. Not to mention these being lawyers I am sure they use their personal units on the network as well as possible VPN from home units which is even a larger risk.

I am also willing to bet that they have iPhones and are able to connect and receive email due to the perceived notion that the iPhone OS and its walled garden of apps are safe. Both of which are untrue.

Skull One (Member, joined Mar 11, 2010)
*sigh* I am sorry my last sentence wasn't clear enough.

Let me rephrase:

I agree with your assertions 100%.

Their perception though is the issue at hand, and my points were the questions that they are going to ask and want answers to before proceeding to help with a solution.

It doesn't matter how much YOU or I know about this subject matter. But a STANDARD IT TEAM better do their job right and ask questions before opening what may be perceived as a security risk.


BTW, I know I could solve the problem in less than an hour. Possibly in as little as ten minutes. But I would be a fool to tell another IT Department how to do their job when I am not part of their team or their perception.

Darkseider (Senior Member, joined Mar 12, 2010)
See, I would tell them I could solve their problem in 10 minutes. The only thing is they would need to pay me first. :) I have a very LOW tolerance of IT departments. Particularly those that have a lot of paper on the walls and absolutely ZERO experience. Which unfortunately happens to be a lot of the IT departments out there. This is why I love being a department unto myself. I have free rein over my domain and any mistake to be made is mine and mine alone.

mcapozzi (Member, joined May 21, 2010, Liverpool, NY)
Sounds like your IT team is playing a game we call "C.Y.A.".

Let's just say the IT department opens up ActiveSync and enforces the Mobile Device Security Policy. Then the owner of the Droid installs Lockpicker because having to type in a password every single time the screen shuts off gets annoying after the first hour. He then decides to leave his phone in the local pub and some jerk takes it. The jerk reads some very interesting e-mails that end up compromising the litigation your law firm was working on. Your clients could sue, your firm could lose millions, and you may all be looking for work elsewhere. Or the jerk extorts your firm for money and the IT department will surely take the blame (they ALWAYS do).

Sometimes, data is kept out of potential public view, for a reason.

If the sanctity of your electronic communication is critical to the success of your business, you don't let them connect on portable devices that have limited security capabilities. This applies mostly to the financial, legal, medical, and defense industries. In fact it is against the law (in the United States) to accidentally release those types of information. But my experience is mostly with just EAR and ITAR.

In my business, mistakes like that can cost hundreds of millions in fines.

-Mike