False Security Claims by Vendors

Galen Gruman on his InfoWorld blog has noted recent - and not so recent - discoveries that some smart phone models lie to corporate servers.

Microsoft Exchange has a mechanism called Exchange ActiveSync which synchronizes data with mobile phones. Part of the mechanism sets restrictions on what the phone can do. For example, the server can tell the phone to disable its camera, Bluetooth, storage card, texting, Wi-Fi, and specific applications. It can also require device encryption - demand that all data on the phone be encrypted.

In fact, vendors of certain Droid models calmly connect to Exchange servers and claim to provide encryption when it's not really there. Apple established the precedent for this when it claimed non-existent encryption on the iPhone and iPad.

I suppose the vendors call this a "compatibility" issue. People want to use fancy smart phones on the corporate networks. If the phone honestly says it can't enforce a particular policy then it can't connect to the server. So the vendor programs the phone to lie, and leaves it up to the company to identify non-compliant products and ban them.

The whole point of ActiveSync policies is to automatically detect whether the smart phone can do the job securely or not. By lying, these phones simply make everyone's job harder.


Comments

As a vendor I think I would expect right from the get-go that a policy that makes implementation much harder but cannot be enforced would get violated. On the other hand, putting the feature in Exchange anyway probably makes for a nice marketing bullet point and an easier sell.
