Whisper Systems' WhisperCore could be just the right elixir for businesses looking to allow employees to connect their personal Android devices to network resources (eg: email) without risking the safety of corporate digital assets. While at the Black Hat USA 2011 security conference in Las Vegas, BYTE had a chance to videotape an interview with the security startup's CTO and co-founder Moxie Marlinspike. [Disclosure: Black Hat is owned by UBM TechWeb which is also parent to BYTE]. That interview includes a look at some of WhisperCore's features and is embedded below.
Unlike the way Research In Motion has ensured the business-readiness of its BlackBerries with enterprise-grade security, Google has yet to give IT professionals the tools they need to secure Android devices that employees are trying to connect to corporate resources. According to Marlinspike, this is where WhisperCore enters the picture. Much the same way RIM's BlackBerry Enterprise Server allows IT pros to enforce digital security policies on BlackBerries, WhisperCore rounds out Android with a complete suite of centrally administered security options.
As can be seen in the video, WhisperCore includes many of the features that most IT pros would come to expect in a centrally-managed enterprise mobile security solution. For example, WhisperCore administrators can remotely wipe out the data on a device that's no longer authorized for access to corporate resources (like when an employee leaves the company or loses their smartphone).
From a digital security policy point of view, one of biggest shortcomings of Android is its inability to encrypt any data it houses -- either in the device's on-board memory or on any removable memory cards (eg: a MicroSD card). Through WhisperCore, network administrators can require that the data stored on one or both be encrypted. In cases where WhisperCore-encrypted memory cards must be opened on the PCs they're "transferred" to, WhisperCore also includes PC-based utilities for decrypting and opening the files found on those cards.
Like other mobile security solutions, WhisperCore can be used to remotely enable or disable any application on an Android device. This feature could be used to prevent end-users from using applications that represent a potential digital security risk to the device or the network resources it connects to. The solution includes three related features; the ability to centrally provision and de-provision software to and from Android devices, a software-based firewall that can restrict any application's communications capabilities, and a code-signing feature that can double-check an application's digital signature before allowing it to run.
Businesses concerned about the backup and recovery of mobile data might take solace in WhisperCore's FlashBack; a cloud-based backup and restore utility. Through central policy administration, Android devices can be automatically backed-up to (and restored from) WhisperCore's Amazon S3-driven cloud. Businesses not wanting to use WhisperCore's cloud can substitute their own storage infrastructure for keeping files backed-up. Data that's sent to and from a "backup cloud" can be encrypted to ensure its safety from sniffers and the like. FlashBack allows data to be restored to a device other than the one that it was backed-up from. This would come in handy when a device needs to be replaced; either due to damage or loss.
In the video, Marlinspike shows BYTE the lengths to which WhisperCore has gone to defeat the possibility of a smudge attack. This is where overuse of the same "password pattern" leaves an oily finger trail on the surface of an Android-device -- a finger-trail that's easily reproduced in unauthorized attempts to unlock the device. As can be seen in the video, WhisperCore has several features that force the obfuscation of any existing finger trails.
Though Marlinspike wouldn't be specific about the cost of WhisperCore to businesses (he said "call for pricing"), he said that any user can download and use the personal (non-centrally administered version) for free from Whisper Systems' Web site. Here's the video: