Every time I hear the doom-and-gloom story about companies looking to replace their enterprise BlackBerrys with iPhone and Android devices, I wonder if I have stepped into an alternate dimension. I can understand smaller companies and companies that have lax security, but this would be a ridiculous decision for finance, law, or any other professional company. The reason can be summed up in one techy term: “rooting” (also known as jailbreaking).
In case you are not familiar with rooting a device, here is a brief explanation. Rooting a phone gives you “root” or superuser privileges on a device where you were never intended to have them. On the current batch of iPhone and Android devices this can be done as easily as opening the right image file or PDF, using a utility, or following a simple walkthrough. Many savvy iPhone and Android users have rooted their devices to take advantage of the control it gives them to do things the device creators never wanted them to be able to do.
So you may ask yourself: why is this a bad thing? For regular consumers this is actually brilliant. It allows them to unlock functionality like multitasking, Wi-Fi hotspots, and loads of other homebrew features that could not be done otherwise due to manufacturer limitations. For businesses, “rooting” is bad bad bad bad bad news…
Let me give you a perfect example. The team at AndroidCentral found that ALL stock Android phone OS versions store usernames and passwords for things like your email in CLEAR TEXT. This is utterly idiotic on Google’s part, but even Apple was guilty of this a year or two ago. Supposedly Google’s reasoning is that when the device is not rooted, no one has access to this clear text database of sensitive information. Once you root an Android phone, that is no longer the case…
Now think of this example from an enterprise angle. If somebody gets a hold of your lost device, they can now root that device and have access to all your usernames and passwords in clear text. For regular consumers that might just mean their email account is compromised, but for enterprise users that username is usually also their enterprise login. The irony is that this is a known issue with an issue ticket given a “Medium” priority by Google… Oh, and don’t forget that even after Apple fixed the last super easy jailbreak for the iPhone iOS4, they now have another one coming. They also have issues like the backups regularly performed by iTunes, which can be brute forced even when encrypted.
So I have to ask: what exactly is assuring these companies that the iPhone and Android are “Enterprise Ready”? Where are the certifications that back up the security offered by Apple and Google? I can tell you where to find the BlackBerry Security Certifications; RIM has a whole wall of them. I concede that not all companies need government-level security, but is it really worth lowering a company’s security posture for games and apps which have little to no business use?
PS: Bonus points if you can name the movie referenced in the picture above