Handset cohabitation: Ubuntu for Android
Posted Mar 7, 2012 8:46 UTC (Wed) by khim
In reply to: Handset cohabitation: Ubuntu for Android
Parent article: Handset cohabitation: Ubuntu for Android
Encryption is barely used in real-life on laptops
All company-ensued laptops are encrypted here. Encryption of phones is “strongly encouraged” (required by people in some sensitive positions).
people just _like_ it when they can pop open the laptop lid and start typing without bothering to enter a password.
It's their choice. BTW you do understand that even if phone is protected by strong password when it click the “power” button you are presented with usual “draw a pattern on a grid” screen, right? You only need to enter password if you tried to “draw a pattern” three times incorrectly or if your phone run out of juice and was powered off totally (not just went to sleep, but was fully powered off).
Banks use HSMs to protect transactions.
Yup. I'm talking about these. As someone who participated in creation of HSMs (albeit few years ago) I can assure you: they are made using the same principles as SIM card. If you want to stuff HSM in SIM, it's easy to do. Or you can embed it in phone SOC.
So "what the banks use" is not a good indicator of security.
It is. Security is not binary, it's a continuous scale. If you need security higher then “what's the banks use” then you probably need military grade security and in this realm you can just order people to use password of certain quality.
So you only need to pack a nonce (128 bits), an unlock PIN (128 bits should be enough), encrypt it with your shared secret and send as an SMS.
This scheme is quite vulnerable to MITM attack. Just catch first request, allow the next one (user will just assume first request was lost), then play it when the phone is in your possession. This is essentially the same level of protecting as HSM in SIM but with much larger infrastructure.
How about "if a security feature is hard to use then it won't be used"?
It depends on how much people value their information. Security and convenience are always at odds: you can try to improve security without adding “hard to use” steps, but you can only do so much.
to post comments)