L to R: me, Mike Maddaloni, Craig Richards, Teemu Lehtonen.
At Microsoft Tech.Ed in Berlin last week, Mike Maddaloni (thehotiron.com), Craig Richards (geekcomputers.co.uk) and I sat down with Nokia's Teemu Lehtonen. The topic was Symbian security, something Teemu knows a thing or two about, having worked primarily in that area for most of the 12 years he's been with Nokia.
Teemu outlined the Symbian security model, which he called the most secure in the industry. It starts with the hardware. All modern Symbian phones contain a chip-level, hardware-accelerated AES encryption engine which can encrypt and decrypt large data sets on the fly without impacting the user experience.
The Symbian boot loader is encrypted. As the device is powered up the hardware engine decrypts the boot loader and verifies that it has not been tampered with. Similarly, the Symbian OS image is encrypted and has to be decrypted and verified before the OS can be loaded.
The hardware-encrypted boot loader and OS image mean we will probably never see an alternate OS like Linux or Android running on a Symbian device. While I'm a big fan of people hacking alternate OSs onto all sorts of devices, I'm sure corporate IT administrators sleep better knowing that they don't have to worry about rogue operating systems on devices issued to employees accessing the enterprise network.
On top of hardware and OS security lies Platform Security. Symbian apps must be signed with an encrypted certificate and Java apps may be. Signing guarantees that the app has not been tampered with, and there are different certificates that grant varied levels of access to device capabilities. The certificates that allow access to the most privileged APIs are only available to Nokia, device manufacturers, mobile operators and other trusted partners. While it's true that Platform Security in older Symbian phones has been hacked to grant unsigned apps access to privileged capabilities, doing so has required physical access to the device.
Lost or stolen phones can also potentially result in identity theft and disclosure of personal, financial and corporate secrets. Symbian offers users and device administrators several ways to protect sensitive information if a device goes astray. All E-Series phones since the E71 let the user encrypt the contents of device memory and the SD card using the same hardware-accelerated encryption engine that protects the OS and boot loader. Decryption of data occurs on the fly as needed and is transparent to applications and the user.
All E-Series and most N-Series phones also support remote device locking. Provided the user has enabled remote locking in advance, a lost or stolen phone can be locked by sending a text message containing the secret lock code.
Corporate IT administrators have a lot of options for managing device security in the field. Microsoft Exchange and Lotus Domino administrators can apply mailbox policies to E-Series phones that enforce things like requiring a device lock password, setting inactivity timeouts and password complexity and aging rules, automatically wiping the device after a specified number of failed password attempts and disallowing downloading attachments or limiting their size. Exchange and Domino administrators can also remotely wipe a device.
Symbian supports the Open Mobile Alliance Device Management (OMA DM) protocols that allow administrators to set password policies, remotely configure phone settings and remotely lock or wipe phones using 3rd party OMA DM products.
The Nokia Mobile VPN client, which is pre-installed on E-Series phones and is a free download for most Symbian phones, lets users securely connect to corporate and personal Virtual Private Networks (VPNs) using the IPsec protocol. The client supports many enterprise features including custom digital certificates, password rules, and RSA SecurID or Active Directory/LDAP authentication. VPN security can be configured and updated over the air using OMA DM compatible tools.
Talking with Teemu was an eye-opener for me. I worked as a developer at a large US-based financial services company for many years and am familiar with the challenges that mobile computing brings to enterprise data security. Still, I was unaware, as I think many US IT professionals are, of the strength and depth of Symbian's security model. RIM and Windows Mobile are the dominant choices for enterprise smartphones in this country, but Symbian is a worthy and cost-effective alternative that more businesses should consider.
Disclaimer: My expenses for the trip to Tech.Ed, including airfare, hotel, meals, drinks, and admission to the conference were paid for by the 1000heads agency on behalf of Nokia. However, the opinions expressed here are entirely my own.