NSA's Secure Android Spec
The NSA has released its specification for a secure Android.
One of the interesting things it’s requiring is that all data be tunneled through a secure VPN:
Inter-relationship to Other Elements of the Secure VoIP System
The phone must be a commercial device that supports the ability to pass data over a commercial cellular network. Standard voice phone calls, with the exception of emergency 911 calls, shall not be allowed. The phone must function on US CDMA & GSM networks and OCONUS on GSM networks with the same functionality.
All data communications to/from the mobile device must go through the VPN tunnel to the VPN gateway in the infrastructure; no other communications in or out of the mobile device are permitted.
Applications on the phone additionally encrypt their communications to servers in infrastructure, or to other phones; all those communications must be tunneled through the VPN.
The more I look at mobile security, the more I think a secure tunnel is essential.
Raouf • March 7, 2012 2:05 PM
This can only work if you have complete control on your trusted certificates or static keys.
So far I don’t see that anyone has solved that problem on cell phones.
This requires a hardware and firmware infrastructure to protect the keys or the certificates with control and access only by the phone user.
Such solution do exist today on the market, why are they not being adopted?