In response to the growing threat of mobile malware, one intriguing concept has emerged as a potential solution to help enterprises secure mobile devices: dual-identity devices.

The idea is actually fairly simple. On the phone there will be two distinct profiles: one for personal usage, another for work usage. The apps and data of each profile would be kept distinct from each other. The “personal” profile would be managed by the user, and the “work” profile would be kept locked down (the way most IT people would prefer it). In theory, everybody is happy: the user gets to use their phone as they see fit, and the user’s company has its data safe and sound. It’s a win-win situation, right?

The concept is appealing enough that both Blackberry and Samsung have announced that they are using this very concept in their newest products. However, the devil is in the details – and that is where we discover there are a few problems.

Firstly, there isn’t a standard for how to do this sort of security. What this means is that if enterprises really want to use a feature like this, they might find that only a small percentage of devices are as secure as they ought to be, because many employee devices aren’t on the right platform. Alternately, they might have to limit their users to a very specific device or platform – which goes against the grain of the entire Bring-Your-Own-Device trend.

Secondly, there’s the issue of usability. How will the user “see” the secured, encrypted portion? Blackberry’s implementation treats home/work as a setting, which can be easily changed from the phone’s home screen. Samsung’s implementation is more analogous to an app that has to be used.

Security features that are inconvenient to use won’t be used. Consider passwords: in theory, they work well enough, but because users find it inconvenient to memorize secure ones, they use weak ones which are trivial to break. If these features are difficult to use, then they will likely be ignored or bypassed.

It’s quite likely that we’ll see similar security solutions become more common in mobile platforms either this year or next. The idea itself has plenty of merit; the problem is how it will be implemented. If it turns into a fragmented mess, with each vendor, each OEM, and each carrier having their own “solution”, then this idea will go nowhere.

On the other hand, if a reasonably multi-platform solution that’s easy to use for both IT administrators and users is found and sees widespread adoption, it would be a huge step forward in making BYOD easier for enterprises to swallow as part of a comprehensive and well-thought-out consumerization plan.


• Dave Walker

  Hmm – “there isn’t a standard for how to do this sort of security”. Last I looked, there were a couple, depending on whether you want to do it at a hypervisor level and have 2 copies of the OS (and get appropriate assurance against whatever’s replaced the old Common Criteria SKPP) or do it at an OS level, with label security (and get appropriate assurance against whatever’s replaced the old Common Criteria LSPP). The former would be easier on Android, as MLS SE Android is hard to polyinstantiate apps on – and it would also potentially open the door to making use of the (very elegant) ARM TrustZone architecture…


© Copyright 2013 Trend Micro Inc. All rights reserved.