igor - Fotolia
I heard about the recent release of the Blackphone, and I'm considering investing in the technology for a handful of high-risk mobile phone users, mainly executives and members of the legal team. Though it's not available everywhere yet, when it is, does it raise the mobile security bar enough to justify purchasing it for this use case?
President Obama uses a unique NSA-approved BlackBerry One phone to ensure his mobile communications remain confidential, but what can the rest of us use?
Concerns over mobile device security has increased dramatically following revelations by Edward Snowden of the extent of NSA snooping. These concerns have translated into an "overwhelming demand" for the newly available anti-eavesdropping Blackphone device from SGP Technologies. Swiss-based SGP Technologies is a joint venture between Spanish smartphone maker Geeksphone and Silent Circle, a secure communications firm founded by Phil Zimmermann, creator of PGP; Mike Janke, a former U.S. Navy SEAL and security specialist; and Jon Callas, creator of Apple's Whole Disk Encryption. A recent round of fundraising saw other quality individuals come on board, giving this business an even stronger base -- an important consideration when investing in any new technology.
The Blackphone promises to be carrier- and vendor-independent, and it runs on a hardened version of Android called PrivatOS, an open source project. It also comes with a suite of apps and other privacy tools optimized for security. Those lucky enough to have already bought one get encrypted voice, video and SMS communications; secure file transfer; anonymous Web browsing; smart disabling of Wi-Fi; remote wipe; and other antitheft features. Blackphone users also have fine-grained control over how installed applications access data and the phone's functions. For organizations that have employees who need to store and communicate highly sensitive information, this product is worth reviewing.
As we've seen with the Heartbleed flaw, even heavily scrutinized code can contain serious vulnerabilities, so security teams should complete a risk assessment on the Blackphone and test whether it performs as expected and meets enterprise security policy requirements. Time should be spent checking incoming and outgoing traffic using a tool such as Wireshark to understand how secure communications are in real-life scenarios. Blackphone's developers admit it's not "NSA-proof," and those being called from a Blackphone will clearly need to have the same sort of precautions in place for complete end-to-end security. (Silent Circle apps are available separately for both iOS and Android phones to encrypt calls and texts.)
If the strong initial demand for Blackphone continues, it may help raise the bar in mobile device security as other vendors will be forced to offer similar or better security and privacy features to avoid losing market share. Another secure phone already on the market is Sectéra Edge from General Dynamics, which is certified to protect wireless voice communications classified "Top Secret," as well as access email and websites classified as "Secret." If this type of product is above your budget, Cellcrypt Mobile is an application that provides end-to-end real-time encryption for Android, BlackBerry, iPhone and Nokia smartphones without the need for specialized equipment.
A new device like the Blackphone will require security awareness training so users know how to maximize its features to keep data and communications safe and secure, especially since the main threat to smartphone security remains the user himself. Enforce acceptable usage policies, particularly when it comes to preventing eavesdropping at the endpoint. Also note that sensitive conversations should not be allowed in public places where they can be overheard. An information classification policy should also be created to state how certain types of information can be exchanged to prevent careless talk leaking information.
Ask the Expert!
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now! (All questions are anonymous.)
Learn more smartphone security best practices and get help protecting sensitive data in the mobile enterprise.
Dig Deeper on BYOD and mobile device security best practices
Related Q&A from Michael Cobb
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Shellcode is a set of instructions that executes a command in software to take control of or exploit a compromised machine. Read up on the malware ... Continue Reading
The popular port scan is a hacking tool that enables attackers to gather information about how corporate networks operate. Learn how to detect and ... Continue Reading