Here's my "home brew" MAM-like solution for Android phone security. Tell me what's wrong with it. - Brian Madden - BrianMadden.com
Brian Madden Logo
Your independent source for desktop virtualization, consumerization, and enterprise mobility management.
Brian Madden's Blog

Past Articles

Here's my "home brew" MAM-like solution for Android phone security. Tell me what's wrong with it.

Written on Jun 18 2013 8,006 views, 6 comments


by Brian Madden

Last month I switched from iPhone to Android. I don't want to start a religious battle about why, rather, I want to share the MAM-like security scheme I've put in place and see if it might make sense in other scenarios.

First a bit of background information. One of the things I like about iOS is that whenever you protect the device with a PIN (even the simple 4-digit one you can configure via the UI), iOS enables full device encryption. Having an encrypted phone seems like a good idea to me, so I wanted to do the same thing for Android.

You can also enable encryption on Android, though for some reason Android (even 4.2) uses the device unlock password as the key for the encryption. Because of this, when you enable encryption, Android forces you to have a device password that's at least 6 characters long, along with at least one digit and one uppercase letter. From my perspective as a user, this represented an undue burden, as it means I would have to type 9 key clicks every time I unlock my phone. (6 for the characters, 1 to shift for the uppercase, 1 to shift for the digit, and one to "submit" when I was done typing.) The full character-based password also means I have to unlock the phone with the QWERTY virtual keyboard instead of the 12-button numeric keypad, meaning that the buttons are smaller which further slows down the password entry. So for me, nine clicks on a QWERTY keyboard just to take a photo of my dancing hamster is a bummer.

On top of that, using a six-character encryption key is horribly weak. Anyone who steals my phone and wants to crack it can do a simple Google search, and thanks to today's automated rainbow table-based cracking tools, they can have the entire contents of my phone in about 30 seconds. (Literally 30 seconds.) So nine key clicks instead of four and I'm not really any more secure than I would be with no encryption. (After all, if the person who steals my phone has the wherewithal to extract my personal info, then they certainly know how to google [crack android phone].

(By the way if you have the actual Android Open Source Project version of Android then you can specify a different password for the device lock versus the device encryption, but Samsung doesn't enable that for my phone and CyanogenMod is not yet available for my particular device and carrier. Also, by the way, iOS works a bit differently, where the 4-digit device lock PIN decrypts a key that works with another key that's burned into an iPhone's hardware, making cracking iOS archives from third-party devices very difficult. Also it means you can change your device PIN without having to re-encrypt the entire phone. More info in this PDF.)

So because of that I decided that I won't use full device encryption. I've ensured that my 1Password encryption uses a strong password that I've never used before, I subscribe to my carrier's MDM ($1.99/mo) solution for "find my phone," and remote wipe capabilities, and I know that if I lose my phone I can quickly change the passwords on various web-based accounts that are automatically available on the phone (Amazon, Google, Twitter, etc.) So I feel pretty good in general.

That said, I still want to have a basic (4-digit) PIN lock on the phone to prevent the casual meth head who finds my phone at the bar from texting all my friends and buying spoons with my Amazon account. Of course since I talk about EMM and MAM so much, I've gotten to like the idea of only wrapping security around the apps that matter. In my case it would be great if I could get access to the camera, create a note or recording in Evernote, and access all my music apps (Shazam, Play Music, Spotify, etc.) without having to use my PIN, yet have all the important apps protected by a PIN. (So basically I want MAM.)

But of course we don't use any MAM products at TechTarget. And even if we did, I don't know if there are any MAM products out there that work with all of the "enterprise" products as I define them as a user. (I want to use Dropbox, not whatever MIM product my MAM vendor supports. I want to use real Evernote, the normal built-in Mail and contacts clients, real Google Docs, and Hootsuite rather than the built-in Twitter client.)

On top of all that, I also want to protect a bunch of my own personal apps that many MAM products can't protect. So no protection for United Airlines boarding pass app, but yes protection for Uber. (Don't need the smack addicts using my Uber to take black cars to their methadone appointments.)

So even if one of these cloud-based MAM vendors offered to give me free access to make me a single user MAM environment, I still don't think they would give me all the granularity I need. (Which is understandable, since my use case is more like the user choosing their own apps instead of IT.)

I started googling for solutions and came across a whole category of apps in the Android App Store known as "app lock" or "app protector" apps. Basically you install one of these on your Android phone and then tell it which apps you'd like to protect, and then this app intercepts the protected apps by popping up an authentication screen. Personally I chose App Lock Smart App Protector+ from SpSoft, but it looks like there are hundreds of them that all do similar things.

Overall they seem pretty advanced. For example, the one I chose:

  • Can make it so that if you unlock one app, they are all unlocked until the lock screen comes back on
  • Can put an icon in the taskbar which means that Android will never shut it down in low memory situations. (And you can set the taskbar icon to transparent to hide it.)
  • Has a helper app to relaunch the main app if it is closed or crashes
  • You can set the app icon and name to be whatever you want
  • You can whitelist locations (based on GPS, WiFi SSID, etc. so it doesn't lock at home, etc.)
  • You can authorize it to use Android's Admin API which means it can protect WiFi, 3G, USB, and wipe the device after too many incorrect passwords

Honestly I can't really find any holes with this idea? People say things like, "Yeah, but an attacker can just crash or quit that app, and then you lose your protection." True, if the app isn't running then you do lose your protection, but you can use this app to block the task list and any other way someone would kill the app in the first place.

And again, beyond that I'm not worried. I'm not looking for ultimate protection against sophisticated thieves who want to steal my phone to steal my identity. I'm just looking to prevent the casual person from doing bad things long enough for me to realize my phone is gone and change my important passwords and/or remote wipe it.

So what do you think? Am I missing anything huge here? And what about MAM vendors? Is there an opportunity for them to provide a "poor man's" app protection so that users can provide some basic protections around the apps that the enterprise doesn't protect?

 
 




Our Books


Comments

rahvintzu wrote re: Here's my "home brew" MAM-like solution for Android phone security. Tell me what's wrong with it.
on Tue, Jun 18 2013 3:06 AM Link To This Comment

Instead of using the Carriers MDM for remote wipe.

You could use CISCO Meraki MDM for free.

Shaun Ritchie wrote re: Here's my "home brew" MAM-like solution for Android phone security. Tell me what's wrong with it.
on Tue, Jun 18 2013 4:26 AM Link To This Comment

I've wondered for a long time why iOS and Android can't allow some apps to function outside the lock screen.

Why can't there be a folder that you drop apps into and these then appear as icons on the lock screen.

Why do I need to unlock my phone to read the news, use google maps, or set an alarm?

rpassero wrote re: Here's my "home brew" MAM-like solution for Android phone security. Tell me what's wrong with it.
on Tue, Jun 18 2013 6:52 PM Link To This Comment

Lookout! Mobile Security offers free AV, backups, and find my phone, and can be upgraded to do remote wipes for $2.99/mo if you actually lose your phone.

Martin Sheppard wrote re: Here's my "home brew" MAM-like solution for Android phone security. Tell me what's wrong with it.
on Wed, Jun 19 2013 2:57 AM Link To This Comment

It is interesting that Windows Phone 8 gives you pretty much what you are asking for in terms of a way to bypass the lock screen for certain apps, but they market it quite differently. It is called the "Kid's Corner" and intended as a place to put applications that you are happy for your kids to use without being able to fully unlock the phone, but you can equally use it for applications that you want to use without unlocking the phone.

Harry Labana wrote re: Here's my "home brew" MAM-like solution for Android phone security. Tell me what's wrong with it.
on Wed, Jun 19 2013 8:38 AM Link To This Comment

BYOMAM personal edition certainly possible if simplified enough for the average user.

(Note: You must be logged in to post a comment.)

If you log in and nothing happens, delete your cookies from BrianMadden.com and try again. Sorry about that, but we had to make a one-time change to the cookie path when we migrated web servers.