To Embrace Mobile, Agencies Need Control
Originally published in SIGNAL, March 2021, Special Interest Editorial by Shaun Waterman. https://www.afcea.org/content/embrace-mobile-agencies-need-control-sponsored-content
When it comes to insider threats, defense and intelligence agencies shouldn’t worry so much about the next Edward Snowden. The biggest internal attack vector is the spy in your pocket: “You may think of it as a smartphone,” warns Bill Anderson, president of CIS Mobile, “but it’s really a portable surveillance device.”
“Defense and intelligence agencies need a solution that puts them in charge of the smartphones their people are using,” says Anderson. “Their people need the chance to enjoy the productivity gains those smartphones can bring.”
Consumer phones, even ones modified for government use, hoover up all kinds of potentially sensitive data — location, browsing history, communication channels used — and send it to the manufacturer, the network provider and any other companies whose apps may be installed.
The information is collected to help target advertising and provide metrics to guide performance improvements, but the vast databases it creates are commercially available on the open market, and can easily be repurposed.
An investigation by The New York Times revealed how individuals working for defense and security agencies could easily be identified and tracked by analyzing a database of consumer phone information and pairing it with public records.
And when national security employees are involved, Anderson notes, “it’s not just their data that’s endangered, they themselves might be at risk.”
Consumer phones “create this trail of breadcrumbs about the user — where they work, where they live, about their spending habits, their travel habits,” he says. Data might show a user was having an affair, was a frequent visitor to casinos, or was spending beyond their means. “It provides a foreign intelligence service with a very low risk way of identifying government employees that they can pressure to try to subvert, to try to recruit as sources and agents and spies for them. It’s human intelligence on an industrial scale.”
And there are other issues, too. Most consumer phone software is closed source, and all of it is updateable over the air—completely outside the control of the agency.
“Security-conscious agencies need something the consumer phone ecosystem simply cannot provide,” says Anderson, noting that custom hardware solutions have proved too expensive and custom software defeats the object. “If users can’t access the services and apps they want to, they’ll just use personal devices, and then you have the breadcrumb problem again.”
Enter altOS, a variant of the Android Operating System, completely compatible with the consumer apps users love and capable of running securely on off-the-shelf hardware, but modified to add a host of government-specific security controls and features.
What’s wrong with consumer OSs?
Google invests hundreds of millions of dollars of engineering work every year into the Android operating system and then gives it away for free, Anderson notes. Why? Because it’s a huge part of their $160 billion a year data and advertising business. A 2018 Vanderbilt University study found that an idle, stationary Android phone running Chrome browser communicated with Google’s servers as many as 14 times every hour.
And it’s not just Google. The entire consumer mobile ecosystem is powered by apps designed to collect data about users. When users can control these capabilities, it’s often difficult to do so — they might have to negotiate several pages of options. And in any case, the data collection enables the functionality users crave. Try using any app with your phone’s location data turned off.
“Apple have a different business model from Google,” observes Anderson. “To their credit they are working to differentiate their products as more protective of user privacy.” But Apple is still part of the data-fueled mobile ecosystem—a Chrome browser or Google Maps app sends data back to Google whether it’s running on an iPhone or an Android handset. And the apps iPhone users install can still collect all the data they want, if the users allow it.
“It’s good to enforce more transparency about these data collection capabilities as Apple is doing, but the capabilities are still there.”
And there’s a similar issue with Mobile Device Management products. MDM software can control only the set of features that the operating system chooses to expose via its API. “MDMs are fine for many businesses, but when the stakes are this high they are not enough,” says Anderson. “They rely on the OS to grant them access, and they don’t control features the OEMs want to use to collect data for themselves.”
And there are other problems with iOS, for security-conscious agencies. “The iOS is closed source. Government customers can’t review it. They’re good people at Apple, doing good, secure design. But that doesn’t mean they don’t make mistakes.”
It’s not just Apple: Android is open source, but the implementation of it by major consumer phone manufacturers is not. And all consumer phones are updated over the air in a way that’s completely nontransparent to the user. “It wouldn’t matter if you could inspect the source code,” says Anderson. “It can all change with the next update.”
“There’s a big issue with the absence of transparency. In government, they like to say, ‘Trust, but verify.’ But with consumer smartphones, you can’t verify.”
Giving the government control
AltOS allows agencies to trust, and to verify. “We let our customers at the source code. We let them pen test it,” says Anderson. “They have the most skilled penetration testers in the world, and the resources to do it well.”
The altOS package puts the agency in control in three important ways:
The operating system itself—verifiable source code, designed with government security requirements in mind. “AltOS puts the government in complete control of their smartphones,” says Anderson. “Agencies can strike whatever balance they need between high security and user convenience.”
Management server with a console—setting the capabilities of every single device.
Their own OTA update server. “Again, the customer is in control,” stresses Anderson. “They get to update the software on their own devices when and how they choose. No third party, including CIS Mobile, can go ‘over the top’ to push unapproved updates onto the phones.”
AltOS leverages security features offered by the Android OS and by off-the-shelf phone hardware. “We are standing on the shoulders of multibillion-dollar investments,” says Anderson. “We don’t have to make the hardware, because the OEMs have an architecture that allows us to flash our finished product onto their phones and run it securely. And we don’t have to write the operating system, because we use Android.”
As each new version of Android is released, CIS engineers go to work, analyzing the changes implemented and assessing their impact on the most security critical elements of the OS.
Once the analysis is complete, they can begin to merge the changes into altOS, modifying them where necessary. “It’s typically a three- or four-month process,” says Anderson.
Containers provide security
AltOS creates separate containers on the smartphone, so it can have a personal identity, as well as a work identity—a concept familiar in bring your own device, or BYOD approaches to network management. But unlike in BYOD approaches, in altOS the personal container is managed by the agency customer, not by the user.
“We use the account management feature Android offers—the ability to have different users log in to the same device—to make switching between the containers as easy and simple as possible,” Anderson says. And because the account separation is enforced by process isolation in the kernel, the personal container can be configured to enable all the data-collection driven functionality users want.
“You can have all the apps you want in the personal container and then, when it’s time to go work, and you switch to the work container, you can impose different limits. We want to get past the two-phone syndrome,” he says.
Users will enjoy having a personal container that behaves just like a regular smartphone, but there are other reasons why it’s a good thing, too.
“For some of our agency customers, it’s important that these phones should appear to be regular Android devices—whether inspected physically or on the network,” says Anderson. A smartphone that can pass as a consumer handset under close physical inspection—for instance at a border—has advantages for some customers. “For them, a personal identity is a cover identity,” he says.
And that’s just one of the many operational security pluses altOS offers. “The platform incorporates powerful anti-forensics tools,” Anderson adds, including traffic shaping and IP obfuscation.
In the room: The holy grail of secure mobility for agencies
As anyone whose work involves meeting in classified spaces can attest, the holy grail of mobility would be to allow smartphones into the room.
AltOS enables a secure mode, a state defined by the government customer and visually checkable by on-site security personnel. Secure mode:
Turns off all RF communications (Wi-Fi, cellular, Bluetooth) at the hardware/OS level
Turns off cameras and microphones at the hardware/OS level
Enables connection through a cradle or USB cord to the wired network, using the device to do email, calendar, contacts. Messages can get through.
Geofences the device. Won’t let it out of secure mode unless the device is outside of the boundary.
There are approaches to this issue that involve special hardware sleds, but these immediately identify their users.
“That kind of hardware solution sticks out like a sore thumb if you’re traveling,” says Anderson. “AltOS protects its users as well as their data.”
That ethos has won altOS customers in the UK Ministry of Defense, Canada’s DND and Public Safety Canada, and among the most security conscious of U.S. three letter agencies.
Anderson says CIS is embarking on a National Information Assurance Partnership, or NIAP, evaluation of altOS. “That will make some people more comfortable with the platform,” he says.
But what should give them confidence is CIS’s 20-year record as a contractor focused solely and exclusively on the government security sector. “We put our government customers first, that’s what we’ve always done, that’s our business model.”