FIPS 140-2 device encryption for Android?


Colin Rowat

Sep 18, 2012, 11:53:51 AM
to london-h...@googlegroups.com
Hi again,

Does anyone know:

1. whether there are any good apps that perform FIPS 140-2 encryption for a whole Android device?
2. if not, how expensive/difficult it might be to develop such?

As background, my employer is using a FIPS 140-2 app that runs a set of secure applications within it.  Thus, accessing the secure applications requires two passwords (first into Android, second into the app) and provides less capable functions within the app when compared to standard Android e-mail, etc. apps.  The licenses are expensive, and Google Play users don't rate the app highly (although it may be true that most of those rating it are frustrated users rather than IT managers).

When I've asked why it's not possible to provide a FIPS 140-2 compliant app that secures the whole device, I've been told that Apple and Samsung haven't done it, that Windows 8 might - in short, that this is really difficult.

Thanks,

Colin / Espero

David Murphy

Sep 18, 2012, 12:12:30 PM
to london-h...@googlegroups.com
I'm no expert but some discussion of the issue here:

http://gcn.com/Articles/2010/12/23/Android-FIPS-Security.aspx?Page=1


Colin Rowat

Sep 19, 2012, 4:50:30 PM
to london-h...@googlegroups.com
Thank you David.  That was useful - especially the observation about the fundamental problem being Android's OS status.

Best,

Colin

Anish Mohammed

Sep 19, 2012, 5:46:50 PM
to london-h...@googlegroups.com
Hi Colin,
I think I joined the conversation late. Thought of putting in my two cents' worth of opinion ;) (I have more than a decade of experience in the space, almost half of it as a crypto/security researcher). In my opinion, with the current Android model this would be a challenge. Btw, as someone who has in the past written arbitrary-precision number-theoretic libraries, getting these and making them work (optimised) for the platform (securely) would be a real challenge. Have a quick peek at openssl.org to get an idea of what I am talking about.
Regards,
Anish
--
Anish Mohammed
http://uk.linkedin.com/in/anishmohammed
@anishmohammed

Colin Rowat

Sep 20, 2012, 1:45:21 PM
to london-h...@googlegroups.com
Thank you Anish.  

Presumably, even FIPS 140-2 can be defeated by a keystroke logger?  (I'm asking out of curiosity now: I think that I'm convinced that this is hard.)

Best,

Colin