Analysts Question Nexus One Enterprise Security

Google pulled the covers off its Nexus One smartphone today at a press event at its corporate headquarters, touching off for some talk about whether or not it will be able to compete with other smartphones in the enterprise.

This of course leads to a larger question of how Google’s latest play in the mobile space stacks up security-wise with other smartphones, as well as how enterprises should secure the devices when their employees bring them into the workplace.

“Nexus One is running on Android 2.1, the latest update, so is equivalent to iPhone 1.0 and the first version of webOS,” opined Dan Dearing, vice president of marketing at Trust Digital. “webOS has improved its security to be on par with iPhone 2.0. (But) the iPhone 3GS provides the most comprehensive security controls with the addition of hardware-based encryption.”

Businesses are increasingly adopting the iPhone 3GS because of its security and management features, Dearing said. iPhone 3GS however has had its security issues as well, as a researcher demonstrated last year in a pair of YouTube videos.

“Nexus stacks up favorably against other smartphones,” said Forrester Researcher analyst Andrew Jaquith. “Each running application runs in its own process, and is isolated by the OS from other apps. The applications themselves are self-contained and must be digitally signed, so they can’t be tampered with. Perhaps most important, inter-application communications can be restricted by creating a manifest that enumerates what parts of an application other apps can access. There is a lot of granularity in the security policy, underpinned by the Java Runtime Environment that all apps run on top of. As a Java dork, it’s actually quite cool what they are doing.”

Unlike the iPhone however, Android does not have a centralised model for distributing signed applications, he added.

“In Android, you can sign your own applications, and what those applications do is left up to the developer, for good or ill,” he said, adding both models have their pros and cons. “With the iPhone, Apple’s stated intent with their approval process is to make sure the applications aren’t doing anything naughty or using banned APIs. Unlike Android, Apple can yank a developer’s certificate if it needs to.”

Google did not comment on any security features it built into the phone. However, analysts agree the single biggest threat to smartphones remains the physical loss of the device.

“With Blackberry and later generation Windows Mobile phones, enterprises can enforce the needed security policies – mandatory password, mandatory timeout timer, data encryption on device, remote wipe,” said Gartner analyst John Pescatore. “However, we estimate that less than 30 percent of enterprises actually enforce these polices on those devices and worse – until very recently on the iPhone you couldn’t do all four.”

“Android phones should have all four available through 3rd party software, it all depends on how the phone will be setup, he added.

When it comes to managing smartphones, here are some common best practices for enterprises to consider:

• Basic security facilities such as password/pin and remote wipe to protect information when an Android device is lost. These settings must be set remotely via policy.
• Encryption (data at rest) support to protect information on the whole device if lost.
• Add a password lock to the phone, which should kick in after a reasonable amount of time, for example, 30 minutes. “You want to protect against the case where a stranger swipes the phone,” Jaquith said. “But you don’t want to annoy the user who has to do a lot of things with quickly in succession.”