5

I am a sysadmin for company X. They are interested in allowing ActiveSync access to devices that support local offline encryption of the downloaded attachments and email data.

Considering how the iPhone encrypts local data, where you need to have a 3GS phone or newer with the latest iOS, and click a configuration setting... what offline security provisions are in the Android phone?

I want to prevent a situation where a user can steal an Android phone, and copy off the non-encrypted data.

Question

How can I ensure that ActiveSync data downloaded locally to the device is protected?
Is there anything specific to version 2.2 that applies?

makerofthings7
  • Dupe? http://serverfault.com/questions/203575/to-be-deleted-question-closed-closed – jscott Nov 19 '10 at 00:33
  • @jscott - Not a duplicate. If you read the questions they are different. People misunderstood my first question so I'm re-explaining here. – makerofthings7 Nov 19 '10 at 00:40
  • @MakerOfThings Fair enough, +1. Unfortunate the other question wasn't more clear in its purpose. fwiw, the other question has a reopen vote already. – jscott Nov 19 '10 at 00:49
  • 1
    Dupe or not, I don't see how a discussion of a phone's capabilities is related to system administration. – John Gardeniers Nov 19 '10 at 02:52
  • 5
    As a sysadmin, part of my job is managing ActiveSync and Exchange access. It's also my job to manage security on phones, etc., that are utilizing my network. This question is certainly relevant to systems administration O_o – GregD Nov 19 '10 at 14:13
  • 1
    Security and large scale administration of mobile clients is a professional Systems Administration task and the ability of device classes to support policies, such as full device encryption, is valid here IMO. – Helvick Nov 21 '10 at 20:42

2 Answers

2

Local copies of emails are NOT encrypted; however, it does use SSL to send and receive from the Exchange server. Also, as PMGoldstein said, it allows you to wipe devices remotely. Here is a link to the current issue on the Android request board for this feature; it states that it is currently not available in Froyo 2.2. I have also personally tested whether data on the phone such as emails are encrypted, and they are not. Here is another link to the Droid Pro; apparently it will allow full device encryption in the first quarter of 2011. I'm not sure if this is due to a software update (2.3) or some feature from Motorola. I did find quite a few other sites on Google that will back this up. However, the Motorola site did not have anything specific about this feature, just that it will enable "advanced" IT security policies.

Supercereal
1

I'm not sure how local data is stored and would suspect it's not encrypted; however, similar to the BlackBerry standard, Android phones connected via ActiveSync can have their Exchange data remotely wiped via server command.

PMGoldstein
  • Thank you, but I'm primarily interested in local storage before a device is wiped... or if the phone is disconnected before a wipe command is issued/received. – makerofthings7 Nov 19 '10 at 00:41
  • Understandable. To the best of my knowledge, no mobile devices completely encrypt their data and if any were taken offline before a kill-command could be issued, would be vulnerable to having its storage sideloaded by another machine. Mind you this is only my suspicion and I haven't seen evidence of it being performed yet. – PMGoldstein Nov 19 '10 at 13:42
  • The iPhone 3GS and 4 have the checkbox to encrypt local data. I assume this will thwart some attempts to get data off a jailbroken phone. – makerofthings7 Nov 19 '10 at 17:38
  • "Unlike Apple's iPhone, Android 2.2 does not support encryption." - From: http://www.computerworld.com/s/article/9177095/List_of_Android_phones_getting_2.2_upgrade_comes_out_gradually_ – PMGoldstein Nov 19 '10 at 19:40
  • @PMGoldstein - Interesting article from May 2010. Wonder if anything occurred more recently to change this issue. – makerofthings7 Nov 19 '10 at 20:55
  • @MakerOfThings7 May 2010 was the last release of Android; since then nothing has changed. However, I'm not sure when 2.3 is scheduled or if they are going to go right to 3.0. – Supercereal Nov 19 '10 at 21:17
  • @PMGoldstein You can connect a locked 3GS to a Linux computer with the USB docking cable and access the contents of the device. http://securology.blogspot.com/2010/02/apple-encryption-bypass-cover-up.html and http://securology.blogspot.com/2009/12/iphone-is-toy-nothing-more.html I just tried it with an iPhone 4G and it looks like they closed that particular hole. But I don't think that means that it's secure. It's just that the front door is now locked. – 3dinfluence Nov 19 '10 at 21:36
  • Gingerbread is generally accepted to be 2.3 (http://en.wikipedia.org/wiki/Android_(operating_system)#Update_history) and is coming down the pipe, but I haven't heard of any feature changes related to this area. – PMGoldstein Nov 19 '10 at 21:57
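
The server-side control for the question asked above is an Exchange ActiveSync mailbox policy that requires device encryption and refuses clients that cannot enforce it. The sketch below is an added example and not part of any post in this thread. It assumes the Exchange 2010 Management Shell, and the policy name and mailbox address are hypothetical placeholders.

```powershell
# Added example: Exchange Management Shell (Exchange 2010 assumed).
# The policy name and mailbox are hypothetical placeholders.
$policyName = "EAS-Require-Encryption"
$mailbox    = "jdoe@example.com"

# 1. Policy that lets a device sync only if it accepts every setting.
$policy = @{
    Name                            = $policyName
    AllowNonProvisionableDevices    = $false      # refuse clients that cannot enforce the policy
    RequireDeviceEncryption         = $true       # encrypt data stored on the device
    RequireStorageCardEncryption    = $true       # same requirement for removable storage
    DevicePasswordEnabled           = $true       # a lock is needed for encryption to help after theft
    MinDevicePasswordLength         = 6
    MaxInactivityTimeDeviceLock     = "00:05:00"  # lock after five idle minutes
    MaxDevicePasswordFailedAttempts = 8           # device wipes itself after this many bad attempts
}
New-ActiveSyncMailboxPolicy @policy

# 2. Assign the policy to the mailbox (repeat or pipe for a whole group).
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# 3. Audit: list this user's partnerships that did not apply the policy in full.
#    The status is whatever the device client reported to the server.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" } |
    Select-Object DeviceType, DeviceModel, DeviceOS,
                  DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync |
    Format-Table -AutoSize
```

With `AllowNonProvisionableDevices` set to `$false`, a client that does not support the required settings is refused synchronization rather than allowed to download mail unencrypted. Compliance is reported by the device itself, so the audit in step 3 shows what the client claims, not an independent check of its storage.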