Apple, Google Diss the DoD Over Mobile Security 150
Julie188 writes "The Defense Information Systems Agency (DISA) has long supported the use of BlackBerry smartphones for soldiers. It built a system called Go Mobile to provide secure communications, training, and collaboration applications to mobile soldiers. DISA recently decided to add Android and iPhone to the list of approved devices because of high demand from users. Unfortunately, this choice has become a giant pain in the flank. Why? Because both Apple and Google refuse to give DISA access to their security APIs."
Use the souce. (Score:3, Insightful)
Want to access the "security" APIs? Use the Source.
Why not just offer a custom DoD firmware for Android phones?
Seriously, there's no way for an application to be "secure" if the platform the application runs on is itself untrusted.
IMO, My device is not "secure" unless I can control the device's OS & inspect the device's hardware. My phone, my router, my PCs, my GPS, all have firmware I've compiled myself. If an average coder like myself can do this, the DoD shouldn't have any problems either.
Note: Android works on iPhones too, it's still buggy, but the DoD could help with that if they desired, or just use phones that support custom, open source firmware.
DoD should not support the Foxconn iPhone (Score:3, Insightful)
The iPhone is made by the Foxconn division of Hon Hai Precision Industry Company Ltd, in Shenzen, China. Apple is just the design and sales firm. That's not a reliable source for secure DoD communications.
There are still some non-China cell phone manufacturing facilities. DoD needs to look hard at sourcing.
Access to what? (Score:5, Insightful)
TFA is very light on technical details. What security API are they looking to access? To do what? They have access to AOSP/Linux, and could even cook up custom ROMs if they needed. Is there some cryptographic hardware driver they need or something?
Also, From the 'article'
It seems to me that Apple and Google are making self-centered bad decisions here that won't play well with the American public. Clearly, Apple and Google should re-think these myopic and selfish policies
WTF? Maybe this journalist should re-think his self-centered trite opinion fluff pieces. Oh wait, it's NetworkWorld. Not much chance of that happening I guess.
Re:Unpatriotic? (Score:1, Insightful)
It's not possible for big $$$ corporation to be unpatriotic.
Patriotism? (Score:5, Insightful)
Re:Use the souce. (Score:3, Insightful)
My phone, my router, my PCs, my GPS, all have firmware I've compiled myself.
Who modded this insightful?
Do you even have the source code for your GPS firmware, the baseband in your phone, your PC's BIOS and so on? No. Even if you did, are you seriously saying that you've perfectly audited hundreds of thousands of lines of code?
Where's the "-1 this is really stupid" option?
Re:Unpatriotic? (Score:2, Insightful)
For my more serious contribution to this discussion...
So which do you think offers more security?
Oh dear.
As well as the app review process the iPhone does prompt when an app wants to first use location services, notification, push services, etc. and then allows you to manage and subsequently revoke those permissions. The apps are also sandboxed.
I am not in a position to comment on any of the Android flavours or BlackBerry security, so I won't.
Re:Use the souce. (Score:3, Insightful)
Sometimes control isn't security, but lack of control is always insecurity. Any solution that results in security will necessarily require control.
If you need security, then this simply isn't going to be one of your goals. Instead, you're going to want 10 second install from your repository, which consists solely of software that you have audited. As a compromise, it might be software that someone else that you trust has audited, but that'll be someone like Theo deRaadt or maybe (stretching a little, but there are degrees of security) the Debian team. But it sure as hell won't be Apple or Google, because while those parties might be competent, their goals are at cross purposes with yours.
And it's those cross purposes that this story is really about. Apple doesn't have a "Security API"; they have a "Apple Security API" which is intended to protect Apple's interests, not the interests of the users or the owners.
Re:Access to what? (Score:5, Insightful)
One person I spoke with from DOD said that Apple flat out refused to play ball, telling DOD to "talk to our integrators and carriers."
I don't have any more details than the author but he seems to be making assumptions based on conversations that he wasn't involved with. Maybe the simple fact of the matter is that Apple doesn't have any security APIs that would meet the DoD standards. Frankly Apple has designed their phone for the consumer space; Blackberries are more designed for security. Also it may be that Apple simply doesn't want to share any source code with the government. If they did, someone here on slashdot would espouse some conspiracy theory that Apple was helping the federal government track and mind-control you through your iPhone.
As for Android, it is open source so the DoD can make their own modifications like the NSA did with SELinux.
Re:DoD should not support the Foxconn iPhone (Score:2, Insightful)
I don't see why the DoD can't contract Texas Instruments to make them a custom Android phone entirely in the US.
Because even the DoD can't afford a seventy-thousand-dollar-each cellular phone with every component made in the USA.
Heck, considering that you'd have to open new fabs for some of the parts, it'd probably run more like $170,000 each.
Even with the defense contractor mark-up, 170k is not how much it would cost to make an iPhone or Android in the US. Well, unless the plants were run like a unionized auto-plant...
Re:Access to what? (Score:4, Insightful)