Google pulled the covers off its Nexus One smartphone Jan. 5 at a press event at its corporate headquarters, touching off talk about whether or not it will be able to compete with other smartphones in the enterprise.
This, of course, leads to a larger question of how Google’s latest play in the mobile space stacks up security-wise against other smartphones, as well as how enterprises should secure the devices when their employees bring them into the workplace.
“Nexus One is running on Android 2.1, the latest update, so is equivalent to iPhone 1.0 and the first version of WebOS,” opined Dan Dearing, vice president of marketing at Trust Digital. “WebOS has improved its security to be on par with iPhone 2.0. [But] the iPhone 3GS provides the most comprehensive security controls with the addition of hardware-based encryption.”
Businesses are increasingly adopting the iPhone 3GS because of its security and management features, Dearing said. iPhone 3GS, however, has had its security issues as well, as a researcher demonstrated last year in a pair of YouTube videos.
“Nexus stacks up favorably against other smartphones,” said Forrester Research analyst Andrew Jaquith. “Each running application runs in its own process and is isolated by the OS from other apps. The applications themselves are self-contained and must be digitally signed, so they can't be tampered with. Perhaps most important, interapplication communications can be restricted by creating a manifest that enumerates what parts of an application other apps can access. There is a lot of granularity in the security policy, underpinned by the Java Runtime Environment that all apps run on top of. As a Java dork, it's actually quite cool what they are doing.”
Unlike the iPhone, however, Android does not have a centralized model for distributing signed applications, he added.
“In Android, you can sign your own applications, and what those applications do is left up to the developer, for good or ill,” he said, adding that both models have their pros and cons. “With the iPhone, Apple's stated intent with their approval process is to make sure the applications aren't doing anything naughty or using banned APIs. Unlike Android, Apple can yank a developer's certificate if it needs to.”
Google did not comment on any security features it built into the phone. However, analysts agree the single biggest threat to smartphones is the physical loss of the device.
“With BlackBerry and later-generation Windows Mobile phones, enterprises can enforce the needed security policies—mandatory password, mandatory timeout timer, data encryption on device, remote wipe,” said Gartner analyst John Pescatore. “However, we estimate that less than 30 percent of enterprises actually enforce these policies on those devices and worse, until very recently on the iPhone you couldn’t do all four.”
“Android phones should have all four available through third-party software; it all depends on how the phone will be set up,” he added.
When it comes to managing smartphones, here are some common best practices for enterprises to consider:
- Have basic security facilities such as password/PIN and remote wipe to protect information when an Android device is lost. These settings must be set remotely via policy.
- Have encryption (data at rest) support to protect information on the whole device if lost.
- Add a password lock to the phone, which should kick in after a reasonable amount of time, for example, 30 minutes. “You want to protect against the case where a stranger swipes the phone,” Jaquith said. “But you don't want to annoy the user who has to do a lot of things quickly in succession.”