App Gives Android a Split Personality
Allowing a phone to flip between two modes could help keep company data safe.
A new Android app allows a smart phone to behave as if it were two separate devices. It lets a person use their phone as normal to install apps or play games and then flip into a second, walled-off environment in which it acts like a different device. That second environment offers heightened security to protect data from malicious apps.
“It looks like a completely different device, but it is actually running side by side on your own phone,” says Andrew Toy, CEO of startup Enterproid, which is beginning a closed trial of the software today (sign up for the beta program).
The new app, called Divide, is intended to enable people to separate work and play—to use their phones however they wish and still meet the demands of IT departments worried about security. Employees who want mobile access to e-mail and other work content typically receive BlackBerries or are required to comply with policies that, for example, prevent them from installing new apps or give IT staff the power to wipe the phone remotely.
“In the post-iPhone world people are no longer happy with just a BlackBerry because they perceive their personal device as more advanced,” says Toy. “But they don’t like giving up control of that device, and who would want a smart phone without apps?” Some people carry two phones, says Toy—one belonging to the company and another for personal use.
When a user installs the Divide app, it registers with the user’s work e-mail account and takes on that employer’s security policy. This might mean a password is required when flipping into work mode or that e-mail cannot be retrieved while roaming internationally.
When users do flip into work mode, they find a conventional Android home screen with stock apps for Web browsing, e-mail, a calendar, contacts, SMS, and making calls. Divide stores all its data—for example contacts and e-mails—in an encrypted storage area on the phone. It also acts as a kind of firewall between apps that run inside the work mode and the others the user has installed.
“The default attack on Android is for an app to just ask the operating system for your data—for example, your phone book,” says Toy. Android allows apps that use sensitive information such as your location or contact list, but some apps have been found to abuse this capability, sending data such as e-mail addresses to criminals.
Apps that run inside Divide do not communicate with the Android system, so they can’t access this kind of data directly. When they want access to information such as a person’s contact list, they ask Divide, which acts as an intermediary. It won’t send data in the other direction, from inside Divide to outside it, and its encrypted data store is not part of the operating system’s own stores.
Despite this arrangement, it is still possible to develop new apps that run inside Divide, says Toy, although typically they will have to be approved by the employer’s IT department before someone can install them. “Divide essentially masks the Android API [which apps use to plug into the operating system],” he says. Modifying a new or existing Android app to plug into Divide rather than the Android system is relatively simple, he says. An app that manages to take full control of the phone could gain access to Divide’s data, Toy admits, but the data would still be encrypted—and besides, it is very difficult to do this.
William Enck, a researcher at Penn State University who helped develop software that traces how Android apps share user information, points out that in that scenario “there isn’t a whole lot you can do to protect data, because the system has to be able to decrypt it for the apps to work.” Decryption keys must be hidden somewhere inside Divide, so a malicious program could search for them to unlock the data, explains Enck.
However, he says, Enterproid’s approach does make it significantly more difficult for an attacker to access users’ work data, without compromising their freedom to do as they wish with their phones. “The enhancements it makes are very practical,” he says, pointing out that, for example, a person could lend the phone to a friend without having to provide the password that protects work e-mail.
Enterproid say the basic architecture of its system should be applicable to Apple devices, albeit with tweaks to meet the company’s stringent App Store rules. Enterproid is not alone in wanting to help IT departments monitor Android devices, which cannot be controlled remotely to the extent that BlackBerries can, making them out of the question for many companies. Motorola recently acquired a small startup, 3LM, with technology that offers remote control of Android devices.
Toy also think apps that split a phone’s personality could be used by content providers to deliver people video and other media in a way that prevents copying. “You could imagine an app you open to see movies and that the movies available change every day,” he says.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today