Android + encryption = no go? - Android Software Development

Hi,
I own an HTC HD2 and since it has been possible to run Android on it I've started to love the device. Our company's policy does not allow Android phones to synchronize phones with the Exchange server, although it is possible and I have been doing it since I got Android. The reason that Android phones are not allowed to sync is that they do not support encryption. According to one of the persons in our IT staff the only mobile OS's that support it are Windows Mobile and iPhone OS.
Is this correct and if so, will Android ever support encryption?
Our employees have a lot of sensitive information in their mailboxes..
I don't wanna go back to WinMo.

What kind of encryption do you mean? Encryption of data stored on a device? It's an easy thing to do and it's a matter of software, not hardware, so actually any smartphone should be able to do that - including Android devices.

I mean hardware device encryption. If a person gets his phone stolen we want to make sure that the thief is unable to connect the phone to his computer and get access to all the data. Not just for the memory card but for the entire phone memory.
It is possible to open the phone and take out the storage and then connect it to a PC and collect data. But with hardware encryption that's way harder.

scanie said:
I mean hardware device encryption. If a person gets his phone stolen we want to make sure that the thief is unable to connect the phone to his computer and get access to all the data. Not just for the memory card but for the entire phone memory.
It is possible to open the phone and take out the storage and then connect it to a PC and collect data. But with hardware encryption that's way harder.
And do iPhone and WM really give you the possibility to encrypt a whole partition using your passphrase, so you will have to enter it at boot time? If not, then it's not a true protection and Android can do that too.

My friend went thru the same prob on his hd2. It's more like so the IT staff can wipe your phone remotely/ change internet and emailing controls. Blackberry, Winmo, and iPhones do it.
U should use winmo at work then boot android on the way to the house. Best of both worlds.
Sent from my Androidized HTC HD2

WaveSecure anyone? It's the first application that came into my mind. I'm sure I've seen free solutions as well. If I remember well, Android 2.2 has this feature built-in.

Brut.all said:
And do iPhone and WM really give you the possibility to encrypt a whole partition using your passphrase, so you will have to enter it at boot time? If not, then it's not a true protection and Android can do that too.
Yes they do. That's the whole point. My WM phone has an enforced policy and will not boot until the filesystem is unlocked by the passcode (that's not even to the WM splash screen).
The fact that no Android phones support hardware encryption means that whatever Google might say (and I've not seen it in their roadmap even now), their Exchange Provisioning support is substandard and therefore not suitable for secure enterprise use.

t1g3r3y3 said:
WaveSecure anyone? It's the first application that came into my mind. I'm sure I've seen free solutions as well. If I remember well, Android 2.2 has this feature built-in.
Wavesecure isn't actually encryption, it's just a solution for finding/wiping/backing up your phone.
Froyo does not have encryption built in.

Froyo permits device management by IT services, using Exchange. This allows remote wipe etc.

pulser_g2 said:
Froyo permits device management by IT services, using Exchange. This allows remote wipe etc.
But not device encryption, which is the whole point of this thread.

scanie said:
Hi,
I own an HTC HD2 and since it has been possible to run Android on it I've started to love the device. Our company's policy does not allow Android phones to synchronize phones with the Exchange server, although it is possible and I have been doing it since I got Android. The reason that Android phones are not allowed to sync is that they do not support encryption. According to one of the persons in our IT staff the only mobile OS's that support it are Windows Mobile and iPhone OS.
Is this correct and if so, will Android ever support encryption?
Our employees have a lot of sensitive information in their mailboxes..
I don't wanna go back to WinMo.
I'm not sure whom you are asking. Android is an open source OS, it's up to those who make the devices to offer such features, ask HTC for instance if they plan to release such "corp" devices, linux comes with such features so I doubt it would be very hard to make.

roalex said:
I'm not sure whom you are asking. Android is an open source OS, it's up to those who make the devices to offer such features, ask HTC for instance if they plan to release such "corp" devices, linux comes with such features so I doubt it would be very hard to make.
Another post wide of the mark.
It's got nothing to do with the device makers or HTC. Android is Google's OS and the feature list of core releases (Froyo, Gingerbread etc.) is entirely under their control, as is the minimum hardware spec for each release. Device manufacturers like HTC are hardly going to go to the expense of building in device encryption if it isn't supported by the OS provider or even on their roadmap.
Hence until Google decides otherwise Android will remain a leisure-orientated OS and just doesn't cut it for secure enterprise use.

Without hardware support, like an extra encryption chip or a CPU that has special functions, like AES-NI, full system encryption will be very, very slow.

xcreatir said:
Without hardware support, like an extra encryption chip or a CPU that has special functions, like AES-NI, full system encryption will be very, very slow.
Really? Doesn't seem to affect WM, Symbian and iOS devices which fully comply with Exchange security policies, nor those PC users protecting their hard disks with Bitlocker etc. No, this is just a case of Google dragging their feet because corporate users aren't high on their priority list.

Have you tried the encrypted certificate installer? I think it's a .psx doc. That's what let me into my server, which still thinks it can't allow Android phones.
vision

Interesting discussion. I know I can use up to 256bit AES encryption on Titanium Backup Pro...but that's it. I am guessing the software handles everything, only on backups and system data, but can't help but feel the phone has a say "of some kind" too.

Ineedtoys said:
Another post wide of the mark.
It's got nothing to do with the device makers or HTC. Android is Google's OS and the feature list of core releases (Froyo, Gingerbread etc.) is entirely under their control, as is the minimum hardware spec for each release. Device manufacturers like HTC are hardly going to go to the expense of building in device encryption if it isn't supported by the OS provider or even on their roadmap.
Hence until Google decides otherwise Android will remain a leisure-orientated OS and just doesn't cut it for secure enterprise use.
But, HTC (or anyone else) can add and remove code to their build for the phone when adding/removing drivers or that [email protected] they load on your phone as someone said, it works under Linux who says I can't work for Android (anyway the kernel was made for modules)
As the hd2 roms are (mostly) pre-rooted who says you can't load the module to support filesystem encryption.
Sent from my Nexus One using XDA App
Edit: god I need to check what I am copying

Won't work. No network security manager in their right mind would make an exception for an unsupported hack. So until Google formally support all the Exchange policies (along with the responsibility should those implementations prove defective), many corporates will maintain a blanket ban on all Android connections.

foxwolfblood said:
But, HTC (or anyone else) can add and remove code to their build for the phone when adding/removing drivers or that [email protected] they load on your phone as someone said, it works under Linux who says I can't work for Android (anyway the kernel was made for modules)
As the hd2 roms are (mostly) pre-rooted who says you can't load the module to support filesystem encryption.
Sent from my Nexus One using XDA App
Edit: god I need to check what I am copying
This does nothing but further fragment Android as a platform. It's already suffering from Enterprise fragmentation due to Exchange client support: HTC's Exchange Client is notoriously the buggiest out of all the major Android Phone Manufacturers.
I would not want them developing that for Android.
My job banned Android phones after I had my first Vibrant stolen, because they were unable to Remote Wipe/Lock it or anything. Now, the server won't even let the phones connect to the Exchange server.
This is a serious issue. They actually banned everything but Windows Mobile phones for a while after that incident, but eventually let iOS and Nokia users connect after some "testing." Blackberries go through BES, so this was never a problem for them, since they don't use ActiveSync to access the Exchange server.
Android is still banned, and the fact that one manufacturer supports it when users can have phones from 5-10 different manufacturers who don't will not convince any IT department to allow them. Making these types of pointless exceptions does not help anyone.

http://www.nitrodesk.com/security.aspx

Related

Attention all Android fans - This is Important

We really need to rally and get Google to fix some major issues with the Android OS. If Android is going to be truly universal and be able to compete, and beat Apple, it needs to at least be able to do what it can do. Please read: http://claar.org/blog/?p=180 and call, email, post, blog, whatever you can to get Google's attention on these issues.
And thank you for your support.
P.S. Pass this url on to every android user you can.
http://claar.org/blog/?p=180
Sent from my ADR6300, not my wife's iPad...
You have a legitimate argument but those items you listed are never performed by me. =[ Sorry. Everything I need done, works. =]
[ Sent from an LG Optimus V ]
Android still has a way to go before being all things to all people. It has the potential though so i'm sure we'll see improvements in the areas where it's currently weak.
Nice write up though. I hope these issues are resolved for you soon.
Write your congressman. Attend your local PTA meeting.
Don't get me wrong, I love my Android phone, just saying that Google is missing the boat on the Enterprise side of things. Used to have an iPod touch that worked flawlessly on our corporate intranet, can't say the same for my dinc. As the workforce continues to become more mobile, they'll be carrying iPads instead of Xooms or Galaxy tabs.
Sent from my ADR6300, not my wife's iPad.
are there really people who use androids and ipads/iphones for work???
o-o?
I'd rather use a PC or laptop. but yeah.
think all the companies want to be cool?
i can't go support this, because my android does what it needs to do.
remember. smartphones and tablets aren't pc's, so they shouldn't do the work of a pc.
ghost010 said:
are there really people who use androids and ipads/iphones for work???
o-o?
I'd rather use a PC or laptop. but yeah.
think all the companies want to be cool?
i can't go support this, because my android does what it needs to do.
remember. smartphones and tablets aren't pc's, so they shouldn't do the work of a pc.
Why shouldn't they? Why should they have limitations? I say the more capabilities the better!
Universally, I don't understand Google's LACK of contact and attention to its customers. Like most people are aware that e-mailing google is a complete WASTE OF TIME. I'd love to meet someone who has yet to actually get a meaningful response from google. I understand that they are a HUGE company and can easily get overwhelmed by emails, but the complete lack of response in general is UNACCEPTABLE. Why do they act this way, ESPECIALLY to their customers? Either way, they should respond in some way to all emails, understandable for free products, but for PAYING customers like us Android users, should get a response.
Google is worse than Sprint when it comes to response. I don't get it or understand.
I'm an IT Director for a medium sized medical manufacturing company and I've been testing ipads as a laptop alternative for our salesforce, and I have to say, I would be absolutely pissed if I had to use an ipad(or any tablet for that matter) for work.
Don't get me wrong. They work. But do you want to do all your work on them? HELL NO.
I have a remote desktop app on my mytouch 4g and I use it every now and then when I need to fix something or get onto the server for any reason. That doesn't mean I'm going to ditch my computer because my phone is capable of doing something my laptop does. Tablets, smartphones, mobile devices in general...they should be used to supplement computers, not replace them.
And as far as google 'not listening to their customers', you obviously haven't been on any sort of development team before. Especially not one that had any sort of fast progress. I don't know if you've noticed, but chip manufacturers have released dual core mobile cpu's. So google can either work on your vpn problem and appease a small number of enterprise users(people who will actually use a vpn on their phones), or they can concentrate on optimizing their code so it will work well with the next generation of hardware. They're obviously going to concentrate their manpower(or womanpower) on development for next-gen hardware. If the support ticket exists, they'll work on it. But there are thousands of them, and people need to realize that just because it's important to you specifically, doesn't mean it's an important problem. VPN access doesn't affect the overall functionality of the os during normal use, so it's going to be put on the back burner, that doesn't mean it won't be fixed.
And whoever said go to pta meetings, PTA = parent teachers association. Good luck getting heard there.
While on the subject of fixes, I'm more concerned about linked market data and being able to transfer purchases to different accounts. I.E. switching from a google apps account to a gmail account. Also, the 'master account' crap. There should be a way to change which login you use to connect to gtalk and the market without having to reset your device to factory. That just sucks.
LOL, I used to get those "wake-up" calls from the 3rd shift platform operators. I got my butt out of bed, got on my PC and fixed the problem or marked it "next day" and fixed it when I got to work.
I can't see using a phone's screen size to debug a couple hundred lines of JCL or batch COBOL program. Not to mention, I was usually talking to the operator at the same time I needed to see something on the PC; very hard to do with a phone.
Can it connect to Microsoft's pptp? Yes - http://www.techrepublic.com/blog/smartphones/connect-to-a-pptp-vpn-from-your-android-phone/2145
problem 1. You can connect to a proxy (unless i'm not understanding your complaint) There's Proxy options under the settings menu.
Problem 2. I've noticed this but apparently some 3rd party browsers can do it.
Problem 3. Not sure about this one, but i connect to many different networks (public, domestic and at uni) and have never had a problem like this.
What you're saying is that you have various problems that the vast majority of people will never experience and you are wondering why Google aren't dropping everything to fix it immediately? These problems (to me at least) seem incredibly minor.
kccasey said:
Universally, I don't understand Google's LACK of contact and attention to its customers. Like most people are aware that e-mailing google is a complete WASTE OF TIME. I'd love to meet someone who has yet to actually get a meaningful response from google. I understand that they are a HUGE company and can easily get overwhelmed by emails, but the complete lack of response in general is UNACCEPTABLE. Why do they act this way, ESPECIALLY to their customers? Either way, they should respond in some way to all emails, understandable for free products, but for PAYING customers like us Android users, should get a response.
Google is worse than Sprint when it comes to response. I don't get it or understand.
Because they already have your money, therefore they could care less. And they will continue to get your money, his money, her money etc because they make a product and provide a service that we all have come to rely on. They've got the hook set, you can't break free and they can let us dangle as long as they want.
But maybe the combination of google, samsung, and verizon has destroyed my outlook.
Samsung Fascinate
Frankenclean 2.8
EB16-ish Voodoo Kernel
Mob87's Honeycomb theme
Sent from XDA Premium App
I think many of these issues will take a long long time to see resolved.
You need to consider what motivates google RE Android. Hint: It is not paying customers.
Thing is, normal market forces are not at work in the Android space. This is my BIGGEST issue with Android.
@andmiller
You don't think your needs are most important ones, do you? There are many, many things to do, not only these mentioned by you.
For me your "This is Important" bugs are minor. Actually I didn't know about them to this time. I care much more about NDK APIs, performance and UI improvements and this is exactly what Google does.
Also there is one good reason to focus on new APIs, standard libraries, developer tools, etc.: Google is only one who can improve them and sooner is better. They could fix bugs at any time, they could also port them to older versions of OS. But if they add new API, it will take some time for developers to use it, because new API won't be supported by most of devices. So it's much better to work on a new features first and fix minor bugs later.
BobPaul said:
I think many of these issues will take a long long time to see resolved.
You need to consider what motivates google RE Android. Hint: It is not paying customers.
Thing is, normal market forces are not at work in the Android space. This is my BIGGEST issue with Android.
You have got that completely backwards. iPhone is not normal market space. Each manufacturer running android os has to set themselves apart from each other, hence skinning the os. If customers demand, need it, it will get fixed or innovated.
Apple controls all, What they say goes. Example: no flash, theming....
Amazon drops their android app store on tues. Why, market forces.
Sent from my SGH-T959 using Tapatalk
hey dude most of those issues were fixed sort of well i wouldn't say fixed because google came out with a whole new O.S. most of ur issues have been resolved in the honeycomb os and greater but u don't need a fix u need an app that can handle what u need
> Can it connect to Microsoft's pptp? Yes - http://www.techrepublic.com/blog/sma...oid-phone/2145
No, or at least, not for several hundred people at least, some who have even provided logs of both sides of the conversation. Some bug comments are from companies, representing complaints from their customer base, so it is probably more. I could write an article that shows how to do it, too, but that doesn't mean that I've tested all combinations. If the author's VPN was not encrypted, he wouldn't have seen the problem, and--since his connection worked, and there's that encryption checkbox--he might have just assumed it worked. He might have even tried it: You can connect with encryption, you just can't stay connected for any length of time.
> problem 1. You can connect to a proxy (unless i'm not understanding your complaint) There's Proxy options under the settings menu.
I can manually set a proxy, although there are reports that this is not a standard part of android, but a value-add by the phone mfr. A third-party program could perhaps recognize which WAP I connect to and set values accordingly, but only if I want everything to go through the proxy, and not just some things. That would have worked at HP, but my ulterior motive is to proxy a specific blocked port so that I can pop my email to my wifi tab. OK, I'll admit, my actual reason isn't a compelling case for Google! ;-)
> Problem 2. I've noticed this but apparently some 3rd party browsers can do it.
I'm not surprised that some clever programmer patched around the breakage, but it needs to be solved generally. Really, this and VPN are the most important issues for me.
> Problem 3. Not sure about this one, but i connect to many different networks (public, domestic and at uni) and have never had a problem like this.
You have never had a problem like this that you know of! Most folks have been bitten by this when they run into a place with short leases, and only find out--if they do--by accident, since most places don't check for violators.
Other comments
For the person who asserted that these are fixed in the latest release, that doesn't appear to be the case, according to the bug reports.
Are there really people who use their portable device for work? Not if it is android-based! (I know, cheap shot, but--for many of us--a true statement).
I have a galaxy tab. With working VPN and ssh, I could login and do a simple database change "echo blah blah blah|mysql", restart a job, whatever. I'm not going to write a couple of thousand lines of code, but I might look at a couple of thousand lines of a log file! Instead, I have to fire up the PC, which means I have to be around the PC, and I'd rather have the freedom of mobility.

Modded Exchange Server APK?

For the Rezound, and other phones I guess, there is a modified Exchange server app that does away with the Administrator Rights requirement when connecting to some Exchange Servers.
Here is the issue. Mind you, this security policy only applies if the device supports it. Meaning one Android device or iPhone can connect without enabling Admin rights, while another one does.
But what happens, is that if the Exchange Server sees that the device supports it, it enforces this policy in order to set up and allow access to the email account. It gives the IT department COMPLETE control of your device. They can lock you out, format it, etc... Also, it forces you to set up a PIN, and it disables the camera and encrypts the storage of the device. So you can see how this can be an issue with a personal device. Any pics you take, files you download, etc... are encrypted and can ONLY be accessed from the device. You cannot copy them to your PC and access them. Huge pain in the ass!
On the various ICS ROMs for the Rezound(the phone I have), there is a file that I can install, a modified Exchange.apk file, that lets me set up the account, and while it will force me to use a PIN, it ignores the rest and doesn't force me to disable the camera or encrypt the storage.
So, is there such an app for this device? Can I use the one for ICS that I use for the phone?
Any idears?
Please don't do that. Many times there is a legal requirement for that policy. Feel lucky that you can use a personal device for work. Many people have to deal with the policy and carry a dedicated work phone.
ekinnee said:
Please don't do that. Many times there is a legal requirement for that policy. Feel lucky that you can use a personal device for work. Many people have to deal with the policy and carry a dedicated work phone.
There is almost never a legal requirement, it is a corporate policy. I am using this type of modded Exchange.apk right now, have been for months.
The irony of the "security policy", is that if your phone does not support the feature, then the Exchange Server ignores it and lets the device right in with full access. It only affects certain devices. If I had a DroidX, no problem, Exchange lets me in. I upgrade to a Rezound, now I have to encrypt my entire device.
Don't use it if you don't want to, but many of us do, as this file is available for many phones. I just need to locate one for the N7.
You can try it. At where I work it is not worth it since doing so will get you fired for violating company policy which every employee signs.
The policy they use however doesn't affect the use of the camera and most employees have a company phone so it's not theirs to begin with. Those that need email and also want privacy, have two phones.
You might want to talk to the admins to see if they can remove the camera block as that may be something they turned on without thinking.
There was an offshoot of a modified APK and then it turned into Enhanced Email, and since then I've switched to Touchdown. Instead of forcing encryption and standards on your personal device, it handles its own secure space. Also it handles High Importance messages with recurring alerts.
I can't dig up the case at the moment, but for the record, there is absolutely precedent (at least in the U.S.) if a company requires you use a personal device for work, they have no legal recourse to require factory wipe access and may face steep penalties if they fire you as a result of you circumventing them.
Definitely an area where it's worthwhile to know both:
A. Your company's policies, in and out.
B. Your rights as a citizen of whichever country you reside in.
krelvinaz said:
You can try it. At where I work it is not worth it since doing so will get you fired for violating company policy which every employee signs.
The policy they use however doesn't affect the use of the camera and most employees have a company phone so it's not theirs to begin with. Those that need email and also want privacy, have two phones.
You might want to talk to the admins to see if they can remove the camera block as that may be something they turned on without thinking.
Guys, I really don't need lectures on whether I should do it or not. I currently do it. I will continue to do it. I won't get in trouble at work, it is just how they set it up and they are not going to change it for me, but it is an inconvenience.
I just need to be able to do it on THIS device.
DanielNTX said:
There was an offshoot of a modified APK and then it turned into Enhanced Email, and since then I've switched to Touchdown. Instead of forcing encryption and standards on your personal device, it handles its own secure space. Also it handles High Importance messages with recurring alerts.
Tried that before, hated Touchdown.
The modded one on the Rezound is the stock app, just that part taken out and it works perfectly, That's what I am after here.
SquireSCA said:
Tried that before, hated Touchdown.
The modded one on the Rezound is the stock app, just that part taken out and it works perfectly, That's what I am after here.
I think any mod made for jelly bean would work for you since it's all based off of aosp. I'd try the one linked below (and making a backup beforehand).
http://forum.xda-developers.com/showpost.php?p=28246860&postcount=1
Sent from my Nexus 7 using xda premium
DanielNTX said:
There was an offshoot of a modified APK and then it turned into Enhanced Email, and since then I've switched to Touchdown. Instead of forcing encryption and standards on your personal device, it handles its own secure space. Also it handles High Importance messages with recurring alerts.
mwalt2 said:
I think any mod made for jelly bean would work for you since it's all based off of aosp. I'd try the one linked below (and making a backup beforehand).
http://forum.xda-developers.com/showpost.php?p=28246860&postcount=1
Sent from my Nexus 7 using xda premium
Cool. I just got the thing a couple hours ago, so it is not unlocked or rooted yet, and you need that to install these.
The ones for the Rezound were made to install in the OS, not from Recovery, but once CM10 is out and stable, I will unlock and go to that and then I can use it. For now, my phone has it so I do have email on the go for work.
Thanks!

Looking for custom virtual ROM on HTC One with reward

This is for all the developers out there. Let's see if anyone out there has the talent to get this done. I will pay money for something like this to a developer as well. Here is the goal:
To set up a platform on smartphones that basically comes with two separate partitions. Ideally what would be better would be for manufacturers to manufacture a smartphone with two separate flash drives. Say for a 32gb device they would use two 16gb flash drives and for a 64gb device they would use two 32 gb flash drives. The main objective here is security and privacy from all these invasion of privacy that all these applications on Google Play store require. Usually they require access to your call logs, pictures, files, memory card, SMS messages, contacts list/s, notes, calendars, videos, audio, etc...
What would be nice is for one to have an option to say download an application like Facebook which pretty much requires every permission you can think of to be downloaded on a separate flash drive to where it has pretty much access to nothing except for what you choose to install on that flash drive or that partition. Wechat recently pulled a dirty trick in one of its updates to where one can not completely uninstall the application after installing it on a HTC smartphone.
Would like to have a secure and safe partition or separate flash drive preferably that would allow one to input contacts, photos, SMS messages, notes, calendars, call logs, etc.. That no application could have access to for our own privacy and safety along with security. Something like how one can run two separate systems on a MacBook computer to where Windows can also run using Parallels?
Any geniuses here know how to do this or get this done?
This doesn't require a genius... This requires resources lol! Nobody can do it other than a manufacturer at all.
1. For 2 separate NAND chips we would need to recreate its PCB board, reconnect the ICs and chipsets which can't be done by household tools or by human hands
2. That would require full customization of the filesystem of android which would probably then be blocked by google because it won't follow their convention. Ask Madame Dianne Hackborn regarding this
desiregeek said:
Something like how one can run two separate systems on a MacBook computer to where Windows can also run using Parallels?
Yes but when you do that, any Windows app or Mac app can still access anything on both partitions. How is that more secure? You cannot tell android to give app permission to photos on Partition1 but not to Partition2.
I suppose you could have 3 partitions, one that boots and lets you choose which of the other 2 to mount. Who is going to reboot their phone every time they want to switch between E-Mail and FaceBook though? ...if that's what you want, you can just use CWM and restore whichever backup you like, though that will take about 4-min of shutdown/restore/reboot every time you switch.
What if you use users like in many 4.2.2 Roms. If you want an APP installed with too many access switch to a guest user
retschy said:
What if you use users like in many 4.2.2 Roms. If you want an APP installed with too many access switch to a guest user
Yes this should be a great solution for dodgy apps. That way they won't have any access to the data located in another users account.
desiregeek said:
To set up a platform on smartphones that basically comes with two separate partitions. Ideally what would be better would be for manufacturers to manufacture a smartphone with two separate flash drives. Say, for a 32 GB device they would use two 16 GB flash drives and for a 64 GB device they would use two 32 GB flash drives. The main objective here is security and privacy from all this invasion of privacy that all these applications on the Google Play store require. Usually they require access to your call logs, pictures, files, memory card, SMS messages, contacts list/s, notes, calendars, videos, audio, etc...
edit: never mind, I thought the OP meant dual boot but he means a virtual machine, though I think this has been done as well on Android before
godutch said:
edit: never mind, I thought the OP meant dual boot but he means a virtual machine, though I think this has been done as well on Android before
I guess it would basically be a virtual machine. There has to be a way to where one can separate things like two hard drives where in this case it would be on flash drives. Blackberry released something similar recently on their new OS.
Would be nice to be able to download all the basic applications, which these days come with ridiculous permissions that have access to everything on your smartphone. At times one does not wish to share their call log with Facebook or WhatsApp or Line Naver. One also may not wish to share their private SMS messages with those applications.
If we could choose where we want things installed it would be great.
rpmccormick said:
Yes, but when you do that, any Windows app or Mac app can still access anything on both partitions. How is that more secure? You cannot tell Android to give an app permission to photos on Partition1 but not to Partition2.
I suppose you could have 3 partitions, one that boots and lets you choose which of the other 2 to mount. Who is going to reboot their phone every time they want to switch between E-Mail and Facebook though? ...if that's what you want, you can just use CWM and restore whichever backup you like, though that will take about 4 min of shutdown/restore/reboot every time you switch.
What if the smartphone came with operating systems on each flash drive, where each was separate but you could switch back and forth between each like you can on a MacBook running Parallels? Being on separate flash drives ensures that one can get info from the other.
Seems like these days there is no way of blocking permissions without the application failing to load or run.
I have an HTC One and have WeChat on there. The other day I tried uninstalling it but I was unable to uninstall it, as WeChat removed the uninstall option and gave us a downgrade option which leaves WeChat running. You can disable it though. Not sure how Google Play allows such applications to be put up on Google Play that do not allow the user the ability to uninstall completely if they wanted to uninstall. This is why it would be nice to have a safety or dummy flash drive to separate private info and public info on a smartphone.
Again, what does choosing where something is installed have anything to do with permissions? Even if you swapped SD-Cards, then apps on one couldn't access apps on the other, but both could access everything on the system partition. The only way storing things in 2 different locations adds security, is if you can fully unmount all other locations, which would always require a reboot. Even a virtual-machine running on my PC can still access my PC and all of my network, and my PC along with all of the network can access the VM.
I don't think what you are trying to do (have 2 isolated drives) has anything to do with the goal of security. I don't think the actual security solution (having 2 isolated operating systems and needing to reboot to switch with no cross-access) is anything most people would want to deal with.
I think your best solution is to buy 2 phones.
rpmccormick said:
Even a virtual-machine running on my PC can still access my PC and all of my network, and my PC along with all of the network can access the VM.
No, it can't. The virtual machine can only access virtual hardware or the hardware the VM makes available to the OS running on the VM.
godutch said:
No, it can't. The virtual machine can only access virtual hardware or the hardware the VM makes available to the OS running on the VM.
There has to be a way. Just takes some Einstein to get it done right.
Like this basically..
http://www.gottabemobile.com/2013/04...efore-you-buy/
http://www.samsung.com/global/busine...ung-knox#con02

[Q] Corporate Android Usage

Hello Guys,
before I start: My apologies for this, I am not quite sure if I am even in the right Topic.
I think of myself as pretty new to Android, but got some experiences in Rooting, Custom Roms and such. But that is already as far as it gets.
Now my Problem: We lost our BES and now my Company decided to go with Android (SG4 I9505) and I have to make it happen :angel:.
1. I need some kind of Freeware tool to administer Android Devices (Basic: find device, delete data, restrict Apps)
2. If something like this doesn't exist (which I don't think - I just haven't found it), I would need to know if I can use CM 10.2 as our Standard ROM, and before you start rolling your eyes with experimental and such....
I have to restrict the phone solely to Telephone, Exchange and some preselected (mostly travel) Tools. NO GAPPS!!! And I think that nightly CM provides this with no problems.
To realize this I downloaded the nightly from the 18th, I think. I then added some APKs into the \System\app Folder and installed the ROM. This actually worked fine until I updated the phone afterwards via the built-in updating tool - all Tools were gone. (What did I miss?)
Now, our Standard is SG4 I-9505.
Any ideas on how I could do this? (I couldn't find what I was looking for)
1. Administer a fleet of Androids (free)
2. Customize a Custom ROM for corporate Identity (How to pre-setup Exchange, Boot Logo, Lockscreen, etc.)
3. or customize a ROM to the Point it cannot do much except what is in the \System\app Folder and turn off updates
Any link is much appreciated. Sadly there are sooooo many Android articles out there that I seem to get lost while searching for the right one. Thanks in advance!!!!
AccEss-dEniEd said:
1. Administer a fleet of Androids (free)
2. Customize a Custom ROM for corporate Identity (How to pre-setup Exchange, Boot Logo, Lockscreen, etc.)
3. or customize a ROM to the Point it cannot do much except what is in the \System\app Folder and turn off updates
My guess is I'll get flamed for saying this - but here goes.
Android corporate (MDM) leaves a lot to be desired next to iOS, at least as far as I've been able to find. We manage a lot of iPads and obviously minus the custom ROM we've been able to do it all for little to no cost. We've shied away from Android a lot because of the limited MDM control.
But, since you asked:
1. Meraki Systems Manager (and the accompanying app from Google Play)
2. Good luck with that
3. See number 2
I think the reality is you're going to need to do something to the effect of either cook your own ROM and deploy it or use a tool like CWM to create an "image" that you would then restore to the devices. I did that with a batch of 60+ Nexus 7s and it worked out pretty well.
Edit:
With all that said - I would urge your management to reconsider their approach, as the world has changed since Blackberry was the only game in town. Yes, still stick with MDM, device location, remote wipe etc. But unless you're dealing with highly sensitive information (exp banking), let people actually USE the device you're giving them. Don't lock it down to where it's basically a first generation iPhone. I'm a big fan of giving someone a good tool and letting them use it the way that works best for them, while still keeping the device and more importantly the data under corporate control.
Assuming you have Exchange, does this not provide the management part?
I currently work in the infrastructure of a good sized corporation. We're using iOS with a mixture of Android hardware and there's some good news and bad news for what you want to do.
Good news is, like Jpcurrie said, Exchange will handle remote wiping and locking the phone down. You can require the phone to use a PIN, remote wipe and a bit more. As for locating the phone, Google actually has finally built in remote locating of your device and remote wipe as well. There's a couple of good apps out there (Lookout) that will turn on your GPS and allow you to locate the phone, and they're free. If you happen to have a virtualized environment with VMware, you could also use VMware View Horizons, which builds in a secure sector on the phone, and you can remotely manage which apps and files the user can use. The best part of View is you can use a BYOD model and keep corporate data secure. The biggest issue is if you don't happen to already use a VMware architecture it gets pricey quickly.
Here's the rub now. You want to install your own logos on the bootup, which you could do by installing a custom ROM. This will void your warranty on the hardware, and as it isn't 100% stable you'll be spending a LOT of time trying to keep a consistent environment.
Like netsyd said, talk to management about an MDM, and the branding of the devices, maybe even talk to them about using a BYOD to reduce costs of hardware and administration of that hardware.
Isn't Knox supposed to allow administrators to only delete the data that belongs to the Corporate account (emails, calendars, tasks, etc.), or can an administrator still force a full device wipe? Sorry if the question is too basic, I've tried searching around for info on Knox but couldn't find anything besides press releases.
I'm not a network administrator, I'm just a user and my school secure wifi installs a device administrator.
I'm sorry to deviate the topic a little bit from the original.
At Delta we use AirWatch but it's far from free. You can however manage devices and remote wipe. You can also view installed apps and remove what should not be there. Options for device profiles also. I help maintain these devices every day. Not Free but an MDM is your best bet.
Sent from my SAMSUNG-SGH-I337 using xda app-developers app
long time - no see
Hiya,
sorry I didn't answer - kinda was overwhelmed with this Task.
Wanted still to thank you: I did what you suggested and wanted to let you know where I am now.
1. Meraki = implemented - now running 160+ devices. (at no costs)
2. CM12.1 implemented (without GAPPS/no SU)
3. Standard Image w/ Apps defined. (Mostly Offline capable Tools like "here" etc. (which actually reduced costs))
4. Since Android has limited capability to be administered in a "real" professional Fashion, we mitigated this issue by creating a policy to forbid the user to tamper with the device (e.g. Installation of Software/SU etc.) yet to allow the Installation of Software manually by us via creating a ticket. We check the Software mainly for "sanity" and malware and install it if OK.
This has been working so far like a charm for us. None of the users were happy to lose the GAPPS obviously - but once they had their Software and settled in, all was OK. For the Administering part: Meraki can tell me if Software is being installed without our Knowledge, also we see if SM doesn't speak with us anymore. So, for now, we got the most out of the System and I am happy to say: I got minimal Control in a Quality sense. No more "KO Criteria" - and we have implemented Android. Tracking etc. is forbidden in Germany anyway - so we use Meraki mainly to wipe if lost and to check if someone goes against policy.
What is still open:
- I am still working on a way to have the user enter his credentials and automatically enter these in all respective config files. (Haven't had much luck - with the absence of SU, obviously.)
- A little cosmetics still open (I am still trying to figure out how the theming really works ... I usually f**k up the Pictures and sounds.... but so far making Progress)
- With fewer and fewer good Android devices coming out (now, I am probably being flamed now) that suit our needs (open bootloader, known/supported CPUs, removable battery, SD Card Slot) - I think we might switch by Q4/2016.

[HOWTO] Stop Automatic Updates And Other Microsoft Nonsense in Windows 10

*deleted*
Just what I was looking for, thank you. Who needs updates anyhow?
FYI, if you disable the Windows Update service you will lose the ability to use the Windows Store.
I didn't know that. But I don't really use the Windows Store.
[Moto E 2nd Gen 3G running CyanogenMod 12.1]
@feherneoh
First, Microsoft has no right to disable hardware. What if someone makes a game controller at home (which is possible thanks to 3D printing) and just because it isn't authorized by MS it stops working?
Not everyone can afford fancy peripherals and some have to use lesser known manufacturers.
Also, during the updates MS collects some amount of usage data which most people don't want to provide. Remember the backdoor happily left open by MS? Enjoy being spied on?
What about people with limited internet data? I don't want MS pushing stuff I don't want on my PC. Security updates are important so it is good practice to keep receiving them. But using a third party firewall and antivirus will allow you to keep your security up to date without the other stuff MS bundles in with the updates.
[Moto E 2nd Gen 3G running CyanogenMod 12.1]
@feherneoh
Thanks for the info on the hardware. I was under the impression that hardware from manufacturers not recognized by MS would stop working.
And I did upgrade to Win10 on the third or fourth day.
The problem with data is that you can no longer choose what updates to install. So I'm forced to download ALL updates that I may not want. For example "Get Skype".
With third party security suites you get only new virus definitions, etc. Also automatically checking for and downloading updates hogs bandwidth. I barely get my promised 512kBps downspeed and now I have Windows Update slowing down all my devices on Wi-Fi.
After following the method above, you can always start the process again and install updates at your convenience. Only the enterprise edition lets you delay updates. Now you can do it on your home edition as well.
[Moto E 2nd Gen 3G running CyanogenMod 12.1]
Man, Windows 10 sounds promising, but I hate how they force things on you.. I don't want a Windows store, I don't want Xbox, I want to modify Windows to my liking, Cortana would be great on mobile, not at my desktop PC. I bought RAM to handle my applications, but my OS..
I appreciate them trying to stop piracy, but that seems so intrusive, what if I buy DRM free games? Does it detect Windows store games only?
Man until they get their **** together I'll stick with Linux /win 7
Sent from my SCH-I545 using Tapatalk
feherneoh said:
I have no idea what your problem with RAM is... I used XP, 7, 8, 8.1, 10 on the same notebook with 2GB of RAM, and the only one that used less RAM than Win10 is XP
Oh really, it takes less? I had so many issues when I tried running Windows 8/8.1 on my old PC, only had 4GB of RAM, the OS itself seemed to take 1.8 of my RAM, perhaps it was some hard drive issue, I just switched to Linux Mint and then it ran smooth. Figured it was the OS, never looked too much into that. I know Vista was worse than XP and the newer the OS the more memory consuming it was, 8/8.1 being the most consuming. I'd assumed Win10 was going to be better than 8 but worse than 7.
ah well.
There is SO much rubbish on the internet about W10 'privacy' problems, little is really true.
OS updates are a GOOD thing, why do you want to disable them? No one has yet given a truly good reason for doing so. It's mostly paranoia. I find it funny that for the most part those moaning about Windows updates are those crying out for Android updates, even though Android updates usually introduce a whole boatload of bugs and problems!
Windows has only 1 mechanism for disabling, or scanning anything, the Defender and malware detection software. Defender is designed to look for cracks, hacks and keygens (as is most AV software). If it finds them it will remove them and that may break the pirated software. It does so because a lot of those cracks carry malware and viruses.
It won't disable your hardware because it randomly decides it hates it, it does so because it's fake, dangerous, or infringing. It won't disable your cheap games controller as long as it's a legally sold product from a reputable source. If you buy from a known manufacturer there should be no problem. Buying from a nameless Chinese manufacturer is always a risk, especially cheap USB memory sticks which often carry viruses and hacked firmwares.
Nah I'm gonna keep it off anyways. I can't afford all that bandwidth being hogged. When Google Fiber comes to my country then I'll sleep good.
Anyways when you want to get updates just start the service again!
Windows is going to be constantly updated now with little or no chance of going back to old versions. It's better to be more informed on what changes the updates bring than automatically installing them.
The basic thing here is that people don't want Microsoft dictating how we use our OS.
[Moto E 2nd Gen 3G running CyanogenMod 12.1]
Anyways I was hoping this forum would help us share other OS tweaks to getting the most out of Win10. Like if you notice a change that's not for the better (in your opinion) you can share how to fix it.
AqdhdZwty said:
Nah I'm gonna keep it off anyways. I can't afford all that bandwidth being hogged. When Google Fiber comes to my country then I'll sleep good.
Anyways when you want to get updates just start the service again!
Windows is going to be constantly updated now with little or no chance of going back to old versions. It's better to be more informed on what changes the updates bring than automatically installing them.
The basic thing here is that people don't want Microsoft dictating how we use our OS.
[Moto E 2nd Gen 3G running CyanogenMod 12.1]
I understand the problem with limited data allowances etc, but that's why there is a setting for metered connections.
As for it being 'your' OS, it's not, it's Microsoft's OS. Want your own OS, make your own Linux build.
@ChrisM75
Yeah, but since I own a hardware tied/retail licence it's up to me how to use my OS within the EULA set by MS. I shouldn't be forced to update my OS if I don't want the changes it brings. Moreover at the cost of limited data.
[Moto E 2nd Gen 3G running CyanogenMod 12.1]
That's just your opinion, it's not the actual situation. If you agree with the EULA (which if you install W10 then you do) then you have to do what they say, if you don't then you have one choice, don't use the OS.
@ChrisM75
Incorrect. The EULA says nothing about disabling updates.
If that was the case then it would violate the EULA to use the OS without an internet connection.
OS updates are a good thing.
It's just that MS forces you to install them ALL, including completely useless things like Get Skype and Get Office which are basically just advertisements.
[Moto E 2nd Gen 3G running CyanogenMod 12.1]
Greetings Everyone;
Among everything being said, there's more (or way more "Dark Microsoft Abuses" - I do consider so. Call it speculation if you prefer).
No disrespect for any of you nor to Microsoft... As Windows was my Favourite OS since v3.1 (even MS-DOS)...
I rather don't use Windows 10 at all (Problem Fixed!).
People should consider keeping their privacy Safe.
I disagree a little with most of that anti-piracy protection. And see no reasons for the "Hardware" Part. It's just like saying: "We Own You!".
If that "Untrusted Hardware" is true... You cannot build your own Hardware. Which doesn't make any sense.
Well... In any case if you feel like being a slave, monopolised, morganized, controlled, etc isn't good for you... Then I guess one should stop supporting such things.
Finally: Honesty and Freedom is one thing. Being a puppet in a greedy world is another.
Of course it's just my opinion. You are free to do as "they" tell you...
A lot has changed since I posted this originally.
Windows 10 now can uninstall your software during major updates (compatibility issues) and I've already seen people who have lost Office licences because of this.
It started automatically installing itself over old versions without consent and if you lost power then say goodbye to all your data.
It's pretty sad. I was so hyped for Win10 but now have rolled back to 8.1.
I've been on windows since windows 2000 to ME then vista and now 8.1. So I'm a dedicated user, but not a fanboy. If a company does shady stuff don't stick up for them man.
feherneoh said:
The only thing I have seen that it has ever "uninstalled" (Nope, just did not migrate it) was Avast
About the stupidity: The update keeps EVERY SINGLE FILE even if it fails, unless the partition itself is destroyed, but that can happen any time when power randomly goes out.
If you cannot find something after update, go and check it in Windows.old, it will be there, be it a file, an "uninstalled" application, a license key stored in registry, or anything else.
Stop being stupid. Read, don't blame. Don't sue MS for things they did not do. Sue them for the things they DID
---------- Post added at 09:34 AM ---------- Previous post was at 09:29 AM ----------
I cannot understand how you people still cannot get that untrusted HW part.....
It's not about custom devices, it's about clones, those identify themselves as the original piece of hardware
You can build your own hardware, just use a unique HWID, not one already in use
Build a controller, but don't set it to emulate XBOX controller, just use it as a standard HID device, or something
Greetings;
Oh.. Ok, maybe I got it the wrong way then.
I was thinking way ahead, and probably missed out some info on the way.
My idea behind it was: not only custom hardware, but also 2nd hand (maybe stolen) hardware, and hardware "clones" (i.e: WiFi Cloned MAC).
For stolen hardware it would make some sense that every piece of hardware would have their ID registered to prevent piracy or theft, yet if someone buys used Hardware (let's say: on eBay), there's just no way to verify its origin.
Furthermore..
I decided to upgrade my own System to Windows 10 (32 Bit) on a 64 Bit Machine.
Honestly I'm not happy with it.
Those Auto (Hidden) Updates are really terrible..
I'm sure that there is a way to stop & control them.
(Besides Disconnecting the Internet Completely).
About the Privacy related options: so far, those have been a pain to set up properly, and I believe I haven't checked everything. I'll have to dig even deeper.
Additionally (apart from this thread topic): My System heats up considerably; the Start Menu is really bugged. I have to press "50" times to open it.. Which is annoying. It feels like the system is trying to prevent click mistakes... But it requires at least 4 or 5 clicks to open it.
I thought it could be some delay, but doesn't seem to be the case.
Overall: Windows 10 was meant for Performance... but it is kinda slow.
I think I will Downgrade to the best Windows version ever done (v6.x a.k.a. "Windows 7").
Now that there's little time left for the free update, how many of you guys have updated? I rolled back 3 months after the initial update, but is it worth it now? Like, improved?
Sent from my ONE A2003 using XDA-Developers mobile app
I'm running build 14342 and it is pretty smooth for me, plus I don't have to install the ram hog skype just for a few friends who only use that
Sent from my iPhone using Tapatalk
