Editor's note: This article has been updated to include new information provided by Amazon regarding Fire Phone's WPA2-Enterprise and parental control support, as well as mobile app control capabilities.
Just as companies were adjusting to Amazon's Kindle Fire tablets, along came Amazon's new Fire Phone. Amazon is touting this new AT&T-exclusive smartphone as enterprise-friendly, easier to use than Android, and less exposed to the Wild West of Google's Play store. However, it's clear -- for a few reasons -- that the initial version of Fire Phone may cause a few brushfires for security teams.
In this tip, we'll review the Amazon Fire Phone's security features and implications in order to help enterprise infosec teams prepare for the arrival of these new devices.
Fire Phone security features
First, the Fire Phone runs Fire OS 3.5, an operating system derived from Android 4.2. This means Fire Phone security is similar to the security offered by Android Jelly Bean, a platform known to have several serious vulnerabilities. That said, the Fire Phone supports Jelly Bean-standard device-lock and remote-wipe options, along with built-in stored-data encryption. The Fire Phone also lacks removable Secure Digital (SD) storage, which eliminates a possible SD-card data-leakage path.
Like other Jelly Bean-based devices, the Fire Phone supports remote device administration through an application programming interface used by third-party mobile device management (MDM) vendors. At this time, MDM vendors with agents that run on the Fire Phone include AirWatch LLC (owned by VMware Inc.), Fiberlink Communications Corp. (owned by IBM), Citrix Systems Inc., MobileIron Inc. and SOTI Inc. Settings that can be monitored or configured by such MDM agents include:
- Device inventory: Model, operating system and version, app versions and sizes, device restrictions and installed security policies.
- Device security: Configure device policies (including passcode requirements, device encryption, email, network and proxy settings), locate and lock phone, reset passcode, send message to phone, and full or selective data wipe.
- Device restrictions: Configure device features such as data roaming, camera, Bluetooth, tethering and non-Amazon Appstore app installation.
- Application management: Remotely install, enable and disable private apps and public apps downloaded from Amazon's Appstore, and delete previously installed apps and their data.
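The "Device security" and "Device restrictions" items above map onto policies that an MDM agent applies through the platform's device-administration API. The following is an added illustration, not Amazon's code or any MDM vendor's agent; it assumes that Fire OS 3.5 exposes the standard Android 4.2 `DevicePolicyManager` / `DeviceAdminReceiver` API that Jelly Bean devices provide, and the class name, passcode length and thresholds are chosen for the example.

```java
// Added example (not from Amazon or any MDM vendor): a device-administration
// receiver that applies a baseline enterprise policy of the kind listed above.
// Assumption: Fire OS 3.5 exposes the standard Android 4.2 (API 17)
// DevicePolicyManager API. Policy values below are illustrative.
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;

public class EnterprisePolicyReceiver extends DeviceAdminReceiver {

    // Called once the user approves this app as a device administrator.
    @Override
    public void onEnabled(Context context, Intent intent) {
        applyBaselinePolicy(context);
    }

    private static DevicePolicyManager dpm(Context context) {
        return (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
    }

    private static ComponentName admin(Context context) {
        return new ComponentName(context, EnterprisePolicyReceiver.class);
    }

    /** Passcode, auto-lock, failed-attempt wipe, camera restriction and storage encryption. */
    public static void applyBaselinePolicy(Context context) {
        DevicePolicyManager dpm = dpm(context);
        ComponentName admin = admin(context);

        // Without active admin rights none of the calls below take effect,
        // so check explicitly instead of failing silently later.
        if (!dpm.isAdminActive(admin)) {
            return;
        }

        // Passcode requirements: alphanumeric, at least 8 characters.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, 8);

        // Lock after 5 minutes idle; wipe after 10 failed unlock attempts.
        dpm.setMaximumTimeToLock(admin, 5 * 60 * 1000L);
        dpm.setMaximumFailedPasswordsForWipe(admin, 10);

        // Device restriction: disable the camera.
        dpm.setCameraDisabled(admin, true);

        // Stored-data encryption: request it where the device supports it.
        // The user still has to set a passcode and confirm before it activates.
        if (dpm.getStorageEncryptionStatus()
                != DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED) {
            dpm.setStorageEncryption(admin, true);
        }

        // A new password policy does not retroactively invalidate the current
        // passcode; if it no longer meets policy, prompt the user to change it.
        if (!dpm.isActivePasswordSufficient()) {
            Intent setPassword = new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD);
            setPassword.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            context.startActivity(setPassword);
        }
    }

    /** Remote lock, e.g. on receipt of an MDM push command. */
    public static void remoteLock(Context context) {
        if (dpm(context).isAdminActive(admin(context))) {
            dpm(context).lockNow();
        }
    }

    /** Full data wipe, e.g. for a device reported lost. */
    public static void remoteWipe(Context context) {
        if (dpm(context).isAdminActive(admin(context))) {
            dpm(context).wipeData(0);
        }
    }
}
```

For the receiver to be honoured, the app's manifest must declare it with the `android.permission.BIND_DEVICE_ADMIN` permission and reference a device-admin policy XML whose `uses-policies` element enables `limit-password`, `force-lock`, `wipe-data`, `encrypted-storage` and `disable-camera`; any policy not declared there is rejected with a `SecurityException` at call time, which is a useful check when an agent appears to apply a setting that never takes effect.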
However, unlike Jelly Bean-based devices, the Fire Phone does not yet support Android native virtual private network (VPN) clients. For now, enterprises are limited to third-party VPNs such as OpenVPN. Amazon promises to support network and link layer VPNs (IPsec, L2TP, PPTP) in a future release.
The Fire Phone also supports only the Amazon Silk Web browser. From a security perspective, this reduces exposure to malware that preys on more common browsers. Amazon also promises to add a Web app single sign-on feature to Fire Phone in the near future, based on Kerberos tokens.
As of its July launch, the Fire Phone can be outfitted with roughly 70 third-party security apps available from the Amazon Appstore, including Citrix Receiver, NitroDesk TouchDown and a slew of antimalware apps from major vendors.
Amazon Fire Phone security shortcomings
The first thing to notice, as alluded to above, is that Fire OS lags behind Google's Android OS. Amazon is reportedly working to upgrade the Fire Phone to run a Fire OS based on its newest platform, Android 4.4 -- or KitKat, as it's known -- but for now, the Fire Phone lacks newer security features found in KitKat, including SELinux mandatory access controls and restricted profiles. However, Amazon has added WPA2-Enterprise and parental control support to Fire OS; the latter can be used by enterprises to restrict purchases and block browser, app or content access via password protection.
Furthermore, as an Android derivative, the Fire OS will inevitably be slower to incorporate security patches and new OS features, including Samsung SAFE-based security improvements coming in the yet-to-be-nicknamed Android L.
In addition to the VPN limitation, one of the biggest security considerations associated with the Fire Phone is its dependence on the Amazon Appstore. Google Play currently supports roughly 1.2 million apps; Amazon currently offers about 185,000 for the Fire Phone. That might sound like a large number, but enterprises and users alike will find some of their favorite apps missing -- currently absent apps include Google Maps, Google Drive and YouTube, to name a few.
The Fire Phone can be configured to allow sideloading, so users can try to load their favorite application package (APK) files, with less than positive results. Users may also be tempted to try to root the Fire Phone to install unsupported apps, although early indications suggest Amazon Fire devices are harder to root than Android devices, so it may be a while before rooting becomes a significant risk for the Fire Phone.
Furthermore, applications supported by Fire OS must be purchased and downloaded from the Amazon Appstore, not Google Play. For enterprises that have already invested in security tools built around Google Play, this is bad news indeed. However, enterprises can work around this restriction by using an MDM to push apps purchased from Google Play onto Fire Phones or by adding those APKs to enterprise app catalogs.
Fire Phone in the enterprise: How to prepare
In today's bring-your-own-device (BYOD) world, enterprise security teams will have to face the Fire Phone, whether they like it or not. Here are some tips to help prepare for the appearance of these phones in the workplace:
- Organizations that don't have an application or content management product in place should take a look at Amazon's Whispercast, a free Web-based management tool that can be used to distribute Amazon apps, e-books and documents to Fire OS devices.
- Shops that prefer to manage Android devices using Exchange ActiveSync will be pleased to hear the Fire Phone supports ActiveSync-based administration, similar to any Jelly Bean phone.
- Companies that use one of the third-party MDM products listed above will have a relatively easy time enrolling and managing the Fire Phone. Companies that use a different MDM product should contact their vendor to determine a timeline for Fire Phone support.
- Standard Android security, device and application profiles will need to be tweaked for the Fire Phone. In particular, companies that make use of Samsung for Enterprise (SAFE) will have to live without those Samsung extensions when configuring the Fire Phone.
Additionally, the Fire Phone offers several "hot" new features that Amazon hopes will lure users into ditching their older Android devices. Reaction to these features has been mixed thus far, but it is important for enterprise security teams to be aware of them.
For example, reviewers reported that 3-D Dynamic Perspective, a motion-based user interface, has not yet been perfected, resulting in plenty of unintended inputs. From a security perspective, one wonders how many undiscovered vulnerabilities might lurk inside this feature. Prudent security teams should keep a close eye on Fire OS security bugs and patches.
A bigger concern is the Fire Phone's new Firefly image recognition feature, which can snap a photo of any product or object and attempt to identify it through cloud-driven pattern matching. Unfortunately, Firefly can be initiated on a locked Fire Phone, resulting in possible malicious actions on an unattended or lost device.
Finally, all those photos taken by Firefly -- along with every photo the user takes on a Fire Phone -- are automatically synchronized to the Amazon cloud. Similarly, the Fire Phone's Silk browser relies on the Amazon cloud for content processing. This tight integration raises privacy concerns, as many images of private environments and their location will by default end up in a third-party-managed cloud that's beyond enterprise purview or control. Companies should consider the need for new policies covering Firefly, Silk proxy and Fire Phone backup, and should maintain awareness of private data being stored in Amazon's cloud.
Ultimately, the marketplace will determine how important it is for enterprise security teams to understand and support the Amazon Fire Phone. If the Fire Phone ignites real interest, it will make sense to examine the device's features, differences and limitations. However, if the Fire Phone's hottest new features fizzle, so may enterprise-grade MDM and app support.
About the author:
Lisa Phifer owns Core Competence, a consulting firm specializing in business use of emerging network and security technology. She has been involved in the design, implementation and evaluation of internetworking, security and management products for over 25 years. Send comments on this article to firstname.lastname@example.org.
To learn about Amazon's Kindle Fire tablet security, check out some expert advice from Michael Cobb.