Securing Android for the enterprise

The numbers speak for themselves – Android’s share of the worldwide smartphone market is 52.5 percent, more than double compared to a year ago, according to recent research from Gartner. Google’s operating system unmistakably leads the pack, followed by Nokia’s Symbian, Apple’s iOS and RIM’s BlackBerry.

With such rapid adoption, it’s no surprise that Android smartphones and tablet PCs are increasingly making their way into the enterprise. This is further amplified by the consumerization of IT trend, in which employees use their personal mobile devices for business. Companies often encourage this, since it lowers their IT costs and allows employees to use their preferred devices.

Integrated IPsec client lacking with Android
Android, however, brings some risk with it. For instance, one of the challenges enterprises face is securing communication between the mobile devices and the company network. VPNs are a tried-and-tested remote access technology designed to resolve this exact issue. Android’s VPN client, starting with version 1.6 (called “Donut”), is based on the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). It also supports L2TP with IPsec pre-shared keys and VPN connections via IPsec VPN, on the basis of certificates and an optional L2TP-“secret” mode.

And while many companies use IPsec for secure remote access to their networks, no integrated IPsec VPN client is available on Android – not even in the current version. Apple has already fixed this shortcoming in iOS, in part, because it wanted make the iPhone attractive for businesses. Since its third iteration, the iPhone has featured an integrated IPsec client that works with common VPN gateways.

Access to smartphone firmware necessary
The Android operating system doesn’t just lack an integrated IPsec VPN client; it also makes installing and configuring third-party VPN software quite complicated. IPsec VPN clients have to be integrated into the kernel of each device, and the client software has to be installed specifically for a memory area. This means that the firmware of each Android smartphone or tablet has to be modified accordingly.

IPsec VPN providers have to ask each vendor of Android systems, like HTC, Samsung or Sony Ericsson, for access to the system software of the devices. Considering how time-consuming and financially burdensome this process is, many vendors, justly, frown upon it. Vendors are particularly not fond of disclosing the details of their Android implementations to third parties.

Alternatives: PPTP and L2TP via IPsec
Until a “real” IPsec VPN client is available, Android users can use their devices’ integrated VPN clients based on PPTP or L2TP, which is deployed over IPsec. A “real” IPsec VPN connection, however, is more secure because it encrypts data prior to authentication.

NCP tested this on smartphones with Android 2.2 and found that with L2TP over IPsec, data is sometimes transmitted unencrypted due to the lack of implementation. The system interrupts transmission only after some time (about 180 seconds). In fact, we found that if the wrong pre-shared key is used, the IPsec VPN connection will not be configured properly. When L2TP is deployed over IPsec, certificates are used to carry out secure authentication. For this reason, the appropriate certificate has to be installed on the Android device. On top of this, a man-in-the-middle attack can lead to an L2TP transmission without encryption.

The standard Android client, however, does not function with all VPN servers and gateways. Sometimes even accessing the same VPN fails if Android smartphones of certain vendors are used. Developer and support forums have plenty of threads written by frustrated Android users looking for professional solutions to access company networks.

In fact, on one forum, a member complained that he successfully set up a connection to the corporate VPN from a Samsung Galaxy S via L2TP/IPsec—but he failed to do so with a Sony Ericsson Xperia smartphone and a different Android smartphone from Samsung. In each case, the configuration settings were the same, yet it was unfathomable as to why connection setup failed.

Even the IT department of a renowned German university has, in its intranet manual, called out Android for its poor VPN access, citing “the Android versions of the mobile phone vendors, unfortunately, seem to differ too much.” The manual said that “this inconsistency makes it difficult to configure appropriate settings on the systems, and that there will not be an IPsec client available for access to the university network until further notice.” Students and teaching staff will have to make do with L2TP or PPTP.

What about SSL?
If no IPsec VPN is available, it is possible to set up a VPN connection based on the SSL protocol. In this case, the user accesses the corporate network via a mobile browser. When it comes to the encryption of the transmitted data, this process does not provide the same security level as an IPsec VPN. Therefore, it is recommended that SSL only be used if no IPsec VPN client is available.

SSL VPNs can be considered if employees only require access to certain Web-based applications or documents within the company network, like e-mails, for example. VPN gateways and servers often support both protocols, IPsec and SSL. Depending on the need, businesses should be able to run both VPN technologies in parallel.

End in sight for IPsec VPN clients
But, the end is in sight. Over the course of 2012, VPN solution providers are likely to bring clients for Android devices to market. Until then, companies that prefer IPsec to other processes have to exercise patience.