Good Technology–whose solutions can be found in some of the most sensitive government and business settings–needed a portable, universal crypto solution and the proven expertise of a smart device security leader. They chose Mocana. NanoCrypto is Mocana’s super-fast, super-small, government-certified cryptographic engine, purpose-built for the entire ecosystem of smart devices, of which smartphones are just one category.

Click here to view the full press release.

As reported by Venturebeat, the new Droid phone contains “eFuse” technology designed to render itself inoperable, should the smartphone be user-modified.

[eFuse] runs when the phone boots up, and it checks to make sure that the phone’s firmware, kernel information, and bootloader are legit before it actually lets you use the device….If the eFuse failes [sic] to verify this information then the eFuse receives a command to “blow the fuse” or “trip the fuse”. This results in the booting process becoming corrupted and resulting in a permanent bricking of the Phone. This FailSafe is activated anytime the bootloader is tampered with or any of the above three parts of the phone has been tampered with.

Motorola insists that eFuse is a customer-focused security measure that helps to protect user data.

A new report from VisionMobile aims to demystify the current mobile development landscape, with a comprehensive study based on research conducted with over 400 developers for various platforms such as iPhone, Symbian, Android and Windows Mobile. According to the report,

Android stands out as the platform most popular among mobile developers. Survey results suggest nearly 60 percent of all mobile developers recently developed on Android, assuming an equal number of respondents with experience across each of eight major platforms. Second in terms of developer mindshare is iOS (iPhone), outranking Symbian and Java ME, which were in pole position in 2008.

In addition, the research document contains data regarding:

• the number of apps available for various platforms and in various markets
• the differences in the learning curves that developers face for different platforms
• the effect of app stores and advertising on sales and revenue

Among the suspects apprehended are several government officials, reportedly including a police officer, judge and a former member of Parliament. Other suspects include businessmen, doctors and engineers who used the spying software for a variety of purposes including the real-time monitoring of phone calls, retrieval of SMS text logs and even transforming the affected phone into a remote bugging device. While the FlexiSPY software suite was still being offered online as of this writing, it is unclear whether other countries will pursue measures against sellers of this questionable application.

CNET News also reports:

…[S]ome of the apps were found to have the ability to do things like make calls and send text messages without requiring interaction from the mobile user. For instance, 5 percent of the apps can place calls to any number and 2 percent can allow an app to send unknown SMS messages to premium numbers that incur expensive charges, security firm SMobile Systems concluded in its Android market threat report. [...]

The report found that dozens of apps have the same type of access to sensitive information as known spyware does, including access to the content of e-mails and text messages, phone call information, and device location….

But CNET notes that these apps aren’t necessarily malicious or suspect. Additionally, Google has responded that Android users are specifically advised what access permissions they are granting an app when they install it, giving the user control over the visibility of their data. However, users are still being advised to be aware of the potential vulnerability of their personal data when installing any kind of app.

Using Android software tools, Raytheon engineers built a basic application for military personnel that combines maps with a buddy list. Raytheon calls the entire framework the Raytheon Android Tactical System, or RATS for short. [...]

Every part of RATS is tailored for use on a battlefield. A soldier could make an unmanned plane a “buddy,” for instance, and track its progress on a map using his phone. He could then access streaming video from the plane, giving him a bird’s eye view of the area. Soldiers could also use the buddy list to trace the locations of other members of their squad.

According to an executive at Raytheon, the US Department of Defense, the Department of Homeland Security as well as law enforcement agencies could possibly adopt this technology as well.

We announced earlier this month that Mocana has earned the government’s first FIPS 140-2 level one validation for Android crypto software with NSA Suite B cryptography.

4G makes the situation more accelerated…. And what will really accelerate the growth of mobile malware and spyware will be the volume of traffic that people will be able to use. Data usage will increase and there are going to be more places that will get infected.

This is expected to become a serious concern for enterprise IT, as more executives use smartphones — and the various apps downloaded to these phones — to access corporate data in and out of the workplace. The Network World article describes a number of tactics integral to protecting enterprise security in the presence of mobile devices, including:

• remote wipe functionality on all mobile devices, (in the event that a device is lost or stolen)
• native application control capabilities allowing IT to specify which apps are and aren’t permitted on a company network-connected device

Network World also notes that anti-malware technology specifically designed for these high-powered mobile devices is still in its infancy.

“Mobile phones are a huge source of vulnerability,” said Gordon Snow, assistant director of the Federal Bureau of Investigation’s Cyber Division. “We are definitely seeing an increase in criminal activity.”

The FBI’s Cyber Division recently began working on a number of cases based on tips about malicious programs in app stores, Mr. Snow said. The cases involve apps designed to compromise banking on cellphones, as well as mobile “malware” used for espionage by foreign nations, said a person familiar with the matter. To protect its own operations, the FBI bars its employees from downloading apps on FBI-issued smartphones.

The article points out that while some believe Google’s Android Market to be less secure than other mobile app stores, (due to its apparently less strenuous vetting process for new apps), even apps from Apple’s iPhone App Store could pose potentially harmful security threats to users.

We’ve entered this really problematic situation where we have insecure infrastructure everywhere, communications being broadcast in the air around us, and anyone with a bit of radio equipment can reach out and intercept communications…. Individuals need to start taking steps to protect their privacy and the confidence of their communications.

According to the article, the number of wiretaps made legally has “exploded” since the passage of the Communications Assistance for Law Enforcement act of 1994, which required developers to include backdoors for law enforcement in their products.

Marlinspike plans to submit his apps to Apple for use on the tightly-controlled iPhone as well, though the company’s strict review process may present a challenge.

As reported on The New York Times,

The new tablets will offer a bevy of high-tech parts, including a full high-definition video encoder and 3-D graphics chip, which will enable them to interact with software like Adobe Flash. In addition, the tablet will have a built-in video and still camera, a multitouch display and a soft keyboard similar to that of the Apple iPad. [Project founder Nicholas Negroponte] said the new keyboard would also have haptic feedback so users will feel the keys vibrate on the screen as they type.

The new model tablets will emphasize open source technology, while they could ship initially with Android, Windows Mobile or Ubuntu operating systems. One of Marvell’s founders, Weili Dai, has stated her company’s intent to show the first version of the tablet at January’s Consumer Electronics show in Las Vegas.

Official FIPS 140-2 Validation for Mocana NanoCrypto Android Should Make it Easier for Military, Government and Contractors to Specify Android Devices

San Francisco, CA (PRWEB) June 2, 2010 — Mocana Corporation, a company that focuses on securing non-PC connected devices, today announced that it has earned the government’s first FIPS 140-2 level one validation for a binary cryptographic module with Suite B cryptography running on the Android™ platform.

Mocana was in the news last week after receiving a significant strategic investment from Symantec. The resulting technology partnership will help Symantec expand its offerings from the PC into the faster-growing “smart device” market.

The 140-2 FIPS (Federal Information Processing Standards) are used to accredit the cryptographic “engines” that drive secure software or hardware implementations, and most federal agencies and contractors working on sensitive government projects are prohibited from buying products containing security software that is not officially FIPS-validated. Up until now, FIPS-validated security hasn’t been commercially available for Android devices. Today’s announcement clears an important obstacle to the more widespread use of these devices in the federal government.

NIST, the National Institute of Standards and Technology, wrote the FIPS 140 Publication Series to standardize federal cryptography requirements. Most federal agencies and departments require that any computer security implementations contain only FIPS-certified cryptographic modules. The FIPS 140-2 program tests security software and hardware approved for government “sensitive, but un-classified” information. The application and testing process is rigorous and non-trivial, but for companies selling security products to the federal government, their contractors or allies overseas, formal FIPS validations are a prerequisite to eligibility for government contracts.

Mocana applied for and received FIPS 140-2 Level 1 validation for its NanoCrypto Android product compiled for Linux on ARM-based CPUs; the FIPS-validated NanoCrypto binary will run on all current Android phones and devices. NanoCrypto is a sophisticated cryptographic engine designed for device developers. It’s purpose-built for non-PC devices and resource-constrained embedded systems. It is one of the smallest, fastest and most comprehensive cryptographic cores on the market, in addition to being one of the most popular: the cryptographic engine that drives NanoCrypto is already installed on millions of devices from hundreds of device OEMs worldwide, on everything from networked medical devices to unmanned military drones (“UAVs”). With built-in support for over 30 operating systems, NanoCrypto enables device OEMs and ISVs to add sophisticated cryptographic security features to almost any type of device or application.

“This makes it easier for developers to start building cost-effective, security-oriented commercial Android apps for use in federal and military settings,” said Adrian Turner, CEO of Mocana. “Many government buyers couldn’t purchase Android phones ‘off the shelf’, because FIPS 140-2 validated solutions weren’t available. Now this incredibly popular platform is a more viable, cost-effective option for sensitive federal and military applications that need strong cryptography.”

FIPS certification should make it easier for Android to penetrate the medical market, too – another device ecosystem where security is key. Specifying FIPS 140-2 validated encryption software in purchasing contracts is an easy, “best practices” way for hospitals and health networks to take a high assurance approach to data confidentiality and integrity protection, especially as it relates to the security and privacy of patient records. Mocana’s CEO, Adrian Turner, was interviewed recently by Maria Bartiromo on CNBC regarding the state of medical device security, and interested parties can view that video at http://www.mocana.com/video-cnbc-040110.html.

NanoCrypto, like every Mocana product, is available as a FIPS-validated binary for specific platforms or as platform-independent ANSI C source code. Designed exclusively for developers; NanoCrypto is not a “finished app” or utility for end-users. Developers can request a free trial of the NanoCrypto product at http://mocana.com/nanocrypto.html

About Mocana
Mocana secures the “Internet of Things” – the 20 billion datacom, smartgrid, federal, consumer, industrial and medical devices that connect across every sector of our economy. These devices already outnumber PC’s on the Internet by five to one, representing a $900 billion market that’s growing twice as fast as the PC market. Every day, millions of people use products sold by over 100 companies that leverage Mocana’s Device Integrity software, including Dell, Cisco, Honeywell, General Electric, General Dynamics, Avaya, Nortel Networks, Harris and Radvision, among others. Mocana won Frost & Sullivan’s Technology Innovation of the Year award for 2008 for Device Security, and was named to the Red Herring Global 100 as one of the “top 100 privately-held technology companies in the world” in January 2009.

Some of the highlights include:

• How the IoT–through the smart grid and other eco-initiatives–will encourage a greener planet
• The creation of entirely new industries from relatively simple, novel tech ideas
• The potential for connected technologies such as RFID and GPS to threaten personal privacy and security

As the Internet of Things continues its rapid expansion, the need to ensure device integrity and security–as an integral part of the design–will become increasingly critical.

But with an already established list of security breaches and weaknesses,

-“Security Flaws in Google Android”
-“Security…practically nonexistent with Google”
-“Android Security Vulnerability Discovered”
-Android 2.0.1 Security Flaw Allows Screen Lock Bypass

concerns remain about the rapid spread of a device platform that still functions without a developed, comprehensive security architecture.

The solution will be based on the reputation-based security algorithm already used by the Norton 360 security suite to build a live database of reputable mobile apps. The database will be housed in the cloud and will be customisable according to corporate policy.

Users will then be able to download and use applications knowing they have a high reputation score. Apps already downloaded may show a warning or be centrally disabled by an IT department if their reputation score changes.

According to Symantec Research Labs vice president Joe Pasqua, “In the Android world anyone can sign their own application. Google has taken an approach that says we’ll be completely open. And what is Apple vetting for? APIs, network bandwidth use, copyright, but not necessarily from a security perspective. Even if they are, we’ve already seen how badly-developed apps for phones have brought down mobile phone towers, not intentionally, but it happened…”

Additionally, a hacker was recently able to post his phishing app–which attempted to trick users into submitting their banking details–to Google’s Android Market.

The rogue Android application posed as a legitimate banking applet, but was actually designed to trick marks into handing over bank login details to fraudsters….

The malicious app was identified and Android users who downloaded this, or any other, app created by the now banned user known as “Droid09″ were notified and advised to delete the apps.

“Spying on BlackBerry users for Fun.”

“Clobbering the Cloud.”

These are the titles of two of the presentations scheduled for this year’s “Hack In The Box” (HITB) security conference in Kuala Lumpur, Malaysia. As mobile devices and smartphones continue to proliferate, “the cloud” — the term for services and applications hosted on the internet — is becoming the target of choice for hackers and the new focus for security experts.

According to a recent PC World article, HITB is one of Asia’s most prominent security conferences, bringing together hackers and security experts alike. And according to conference host and organizer Dhillon Andrew Kannabhiran, mobile technology and “the cloud” are among this year’s hot topics:

The focus [of security] is definitely moving towards “the cloud” and to the security of embedded devices (Android, iPhone) to more advanced client-side attacks which leverage Web 2.0 technologies, such as attacks on Facebook, Twitter and other popular sites.

DSF for Android is Mocana’s comprehensive, open standard’s-based security suite for developers building in the Android™ Mobile Platform.

The iPhone, Android and the Palm Pre have made it abundantly clear that the future of the Internet lies in devices that travel with us, not in the box and screen on our office desktops,” said Adrian Turner, President and CEO of Mocana. “LTE/3GPP standards documents are quite specific about the device integrity and communications security measures needed for these next-generation infrastructure appliances. But implementing those security specifications was non-trivial, to say the least, and represented a significant time and cash expense to LTE and 4G development teams. NanoCert LTE was built to make securing these new platforms quick, painless and cheap, so that businesses and consumers everywhere can start doing more — with confidence — with these revolutionary new platforms.

NanoCert LTE’s announcement further asserts Mocana’s leadership in the fast-growing cellular security market, following last year’s release of NanoPhone (now marketed as DSF for Android), the first comprehensive security suite designed for Google’s Android platform.

NanoCert LTE is available now. Developers working on LTE or 4G eNodeB or Serving Gateway devices can request free trial of NanoCert LTE here.

The NanoSec source code is available now for a 90-day free trial at www.mocana.com/evaluate.html.

“This new version of NanoSec includes a number of features and policies that can be switched on and off as needed, without needing to completely recode the product. For device makers, this provides greater flexibility in terms of application development and provides a competitive advantage when selling into the enterprise.” James Blaisdell, CTO for Mocana

“Openness is good, but it needs to be controlled and balanced,” said James Blaisdell, CTO of Mocana. “Unfortunately, there are always going to be bad characters who will target vulnerabilities, bake vulnerabilities into devices, and write legitimate looking Trojan horse applications,” he said, adding that “without balance we end up with several security problems.”

The G1 and Security: A Paradox in Play? internetnews.com >
Android Gets Security Suite, EE Times >
Mocana Launches Security Suite for Android Platform, CBR mobility >
FIPS-Vetted NanoPhone Suite Pushes Android Adoption, TelecomWeb news break >