Monday 16 December 2013

App Ops or App Oops!?

Was it a mistake to include it in the first place, or to remove it after it was "accidentally released"? In this article (http://www.theverge.com/2013/12/13/5207892/eff-criticizes-google-for-android-app-ops-removal) the Electronic Frontier Foundation (EFF) criticizes Google for the removal of a hidden permissions management tool from the latest builds of Android. App Ops was first introduced in the Android 4.3 releases and continued into the Android 4.4 release. But now in 4.4.2 App Ops has disappeared.

Wait, what is App Ops? You know when you are about to download an app from the Google Play store and you are prompted to accept a variety of permissions that the app is requesting, like access to your network, your contacts, your phone calls? App Ops is (was) a tool that let you review and change the app permissions after the app had been installed on your device.

The reality is that most apps do not need all the permissions they ask for.  This is the biggest Android security issue today and is exactly what the EFF says – apps that are in Google Play are compromising your personal data and your privacy. This may be counter to the scare tactics of the AV vendors, but viruses are not a big issue on Android for the typical user (e.g. those who do not side-load nefarious apps from dodgy websites).

There have been a number of attempts at restricting permissions, including extensions to SE Android promoted by the NSA. App Ops allows a device owner to rethink their decision to allow access and "un-approve" certain permissions without having to delete the entire app. But like earlier solutions, App Ops could break some apps by removing permissions that the app needed, or because the app did not gracefully handle the lack of permissions. And this is Google's argument for removing App Ops. (Similar to why SE Android is running mostly in permissive mode, but that is another topic.)

So, do you read the permissions, or do you simply say "ok" and start downloading your app? Unfortunately, most users click “ok”. And most do not even read what permissions are requested.  And most do not understand the potential implications of granting such permissions.

And this is where we differ with the EFF. We do not need a solution for a small group of power users and privacy geeks (like us at Graphite Software). If most users ignore the permissions in the first place, then what makes you think they can/will navigate App Ops?

Our product, Secure Spaces, allows you to put apps into “Spaces” or different buckets, or different rooms – whatever physical analogy works best for you. Each Space is isolated from the other. The user can broadly control the permissions on the Space, rather than per app. If your contacts are not in the Space with Angry Birds, then the game can’t access your contacts. Simple. We need simple.

Tuesday 10 December 2013

Restoring Trust in Your Technology

Monday brought quite the stir in the consumer technology space. Joining forces in an open letter to President Barack Obama, eight of the largest technology companies proposed principles for reforming government surveillance laws and practices, pointing to the summer revelations about data collection by the National Security Agency (NSA) to highlight the urgent need to reform government surveillance practices worldwide.

The letter concludes with eight strong voices for reform signed on with quotes of support behind these principles. One quote in particular caught my eye. Brad Smith, General Counsel and Executive Vice President, Legal and Corporate Affairs, Microsoft said, “People won’t use technology they don’t trust. Governments have put this trust at risk, and governments need to help restore it.”

In this simple statement, Mr. Smith has brought forth an important issue that goes beyond NSA surveillance, but includes any technology whether a server, software or device. This is very relevant to mobile devices, which are extremely personal. They are with us all the time and loaded with personal information and sensors measuring precisely what we are up to.

Just as the government has to collect personal data in exchange for security, we are often asked on personal devices to allow access to personal data in exchange for free apps or services. And just like the government, in many cases the apps go too far. Last week I read yet another story about a medical app that sends your personal information to three different ad networks, including “your phone number, your device's IMEI number, your exact geo-location, the Wi-Fi access points currently in use (and used in the past)” and more.

And BYOD is another example where consumers want one device to use for home and work, yet many do not trust their companies to respect the privacy of their personal data. What some employees have found are heavy and unwieldy MDM solutions imposed by the IT department that annoy the user and handicap productivity. Such enterprise centric solutions also beg the question to the user, who is looking at my data?

When we developed Secure Spaces, we wanted to give the consumer privacy options while also meeting corporate IT security. But we did it by making the IT department a guest on your device – not the other way around. Ensuring trust is the foundation of our product, because it opens up significant new use cases even beyond consumer privacy and BYOD. With simple, easy to create and “disposable” Secure Spaces, there is a whole new world of apps to download and safely segregate. App aggregation and services, guest mode, secure banking spaces, themed spaces and distributed mobile computing are all possible when there is trust in the underlying technology. We are re-thinking not only mobile security, but fundamentally how we use and interact with these amazing devices.

Brad Smith from Microsoft is right in saying “people won’t use technology they don’t trust,” but this doesn’t mean we have to settle for a lack of trust in our technology. Let’s give users control of their devices, control of their data and perhaps a better way to model their use of mobile devices around their real lives.


Alec Main, CEO of Graphite Software 

Monday 2 December 2013

Mobile threats - hype vs. reality

A few weeks ago Graphite Software attended CounterMeasure2013 in Ottawa. The keynote by Charlie Miller, "Mobile Threats: Hype vs. Reality" - thus the title of this blog - was excellent. Not only does Charlie have the cred - he is a relaxed and entertaining speaker. Download his presentation here.

In the security field, we often get caught up reading our own press releases. Charlie is often creating such headlines, which is what made his "reality check" so refreshing. The best part for us personally at Graphite was that the presentation was a clear affirmation of what we are doing. Here is my summary as it pertains to mobile device and specifically Android security:

1. Android has the advantages of the PC - freedom to innovate, customize and large developer community - and has addressed many of the security issues of the PC - sandboxes, permissions and an app store. Android is not perfect from a security perspective, but in the end Android will win - which is why Android is our focus.

2. Mobile Device Challenge #1: Malware and viruses are not a huge issue, compared to basic issues particular to mobile devices - they are lost and stolen. This is exactly the threat model we address with our product - Secure Spaces. (While also isolating and limiting malware.)

3. Mobile Device Challenge #2: Users vs. BYOD. Users modify and root their devices. They can unintentionally, or intentionally, download code that can access personal and work data on the device. How do you secure both personal and work data on such devices, especially when most MDM software is trivial to break? Again this is where our engineers have developed a very elegant solution - Secure Spaces.

4. The Operating System is the only place for improvement. Application-level solutions cannot make a difference. Server side scanning and controls have already been largely put in place. In order to address the mobile threats above, Graphite has developed some secure and fast extensions to Android that leverage the existing code and security mechanisms, such as SE Android. This is where the next innovation will be.

See you at CounterMeasure 2014 (or before that at CES in January)!


Tuesday 26 November 2013

Graphite Software announces the general availability (GA) of Secure Spaces 1.0 for Android.

Read the full Press Release

Mobile Device Management (MDM) products designed to satisfy the security and control requirements of Enterprise IT continue to fail when addressing the issues of BYOD environments. Enterprise IT understands the productivity improvements to be realized by enabling workers with mobility solutions; however, they struggle to maintain control over data security while allowing employees to have their choice of devices and apps. Today's MDM tools are myopically one-sided in favour of the IT department and are receiving push-back from device owners who do not want their IT departments to have ultimate control over their personal devices. BYOD is increasing and solutions must provide a balance of needs for both the IT department and the device owner without compromising any of the security, control, convenience or flexibility for either party. For most MDM products this will mean a complete redesign or overhaul.

Secure Spaces is designed from the ground up to appeal to the consumer/device owner while providing the controls required by IT. The consumer is now very aware of the range of mobile devices available and their capabilities and is expressing strong opinions for choice of device. The consumer has become the channel to the Enterprise.

Secure Spaces includes an Android client that provides the navigation between and control over "isolated domains", or what we call "Secure Spaces". The apps and data in one Secure Space cannot gain access to the apps and data in another Secure Space on the device. Secure Spaces is not constrained to only two Spaces, as some other approaches are, but rather provides the consumer with the capability to create multiple Spaces on their device. In addition, unlike other approaches, Secure Spaces supports any and all native Android apps ... even MDM apps that may be required by the Enterprise. Also included with Secure Spaces is a Web-based management console for Work Spaces or registered Personal Spaces to allow for the setting of device policies such as password length and expiry, allowed apps, wallpapers, and more. The management console is also used to lock and/or wipe Spaces on the device ... yes, it is possible to lock or wipe individual Spaces on a device while leaving others intact which is a failing of most MDM products that will wipe an entire device of work and personal data.

With Secure Spaces the device owner retains ultimate control of their mobile devices while IT remains an invited guest onto the devices but with delegated control over the Work Space on the device that is of concern to the Enterprise. Secure Spaces provides a balanced approach to BYOD environments.

Tuesday 29 October 2013

Win the Consumer and You Win the Enterprise

Secure Spaces

By Graphite Software

When it comes to mobile devices, the Consumer is in the driver’s seat and Enterprise IT is being forced to adapt. Android OEMs recognize that the Consumer is the new channel to the Enterprise. Consumers are demanding a single device for work and personal use, choice of devices and personal privacy which is driving the BYOD phenomenon. MDM and device security products that appeal only to the Enterprise IT group are failing in the market. Secure Spaces is designed with the Consumer in mind offering multiple Spaces, compatibility with all Android apps, privacy through Space isolation, and the features required by the Enterprise including administrative control, app and data security, choice of apps, and a native Android user experience.

OEMs & Mobile Operators:
Get Secure Spaces

Multiple Spaces

Dual persona solutions limit customers to a secure work persona and a personal persona that is exposed to all Android threats. Secure Spaces enables consumers to create as many Spaces as they need to address their security and usability concerns. One for Work, one for family, one for banking, one for sports, one for gaming. Let them decide. There is no limit.

Native apps

Unlike application containers or application wrappers that support a small fraction of the one million Android apps available, Secure Spaces doesn’t require you to modify apps. Give your customers access to the full list of native Android apps.

Great performance

Unlike Hypervisor based products, Secure Spaces does not duplicate the operating system and apps. Deliver the performance that your customers have come to expect from your devices, but with all the benefits of Secure Spaces.



More Features

• Easy navigation using Android gestures.
• Create new Spaces  from the device as needed.
• Remotely lock & wipe Spaces from the Web.
• Maintain separate policies per Space
• Securely share your device with the Open Space.
• Delegate administration of the Work Space to your IT group.

Specifications
• Android 4.3+
• Leverages SE Android
• AES-256  data encryption
• Anti-debug support

One Device - Multiple Spaces: Android Screenshots

Monday 28 October 2013

Secure Spaces ready for product trials. Read the press news.

On Monday, October 28th Graphite Software announces the availability of Secure Spaces for OEM and Mobile Operator trials. Read about it here: http://www.prnewswire.com/news-releases/secure-spaces-for-android-in-product-trials-229520771.html

Wednesday 2 October 2013

Product News! Secure Spaces shipped to major OEM for trials!

Graphite Software achieves another major milestone this week by shipping Secure Spaces to a major Android device manufacturer for trials.

Equipment manufacturers (OEMs) acknowledge the requirements for security, but are most interested in the adoption of their devices and so are looking for solutions that appeal to both the consumer and the corporation. The OEMs recognize that heavy-handed security and device management approaches diminish the user experience and create user frustration that can reflect negatively on their brand. They want intuitive solutions that are effective, secure and easy to integrate.

This trial is with a leading OEM that understands that embedding security within the device (at the system level), delivers the most robust approach to the separation and security of apps and data. They also recognize, with Secure Spaces, a different design approach that is built around the way that consumers want to use their devices while offering corporate IT departments the controls that they are after.

Secure Spaces allows you to create areas (Spaces) on your Android device to keep your work and personal accounts, apps and data separate. Quick access to apps, or sharing of apps, is made possible with an Open Space on the device. Work Spaces are managed by a device owner's corporate IT group while Personal Spaces are locally or remotely managed by the device owner. The IT group cannot see any other Spaces on the device. Apps and data in one Space are completely isolated from the apps and data in another Space.

Graphite Software is excited by this achievement but remains "heads down" working on the next major milestone! This is getting exciting. Stay tuned!


For more information visit: www.securespaces.com or "like" us at www.facebook.com/securespaces

Tuesday 17 September 2013

Screen locks are a key to success

Here is a good blog on how a screen lock can make or break a BYOD program. We agree completely, but want to take it one step further. Like Enterproid, our multi-persona solution allows Enterprise IT to set their own password strength without encumbering the device owner. But we also enable different passwords for Personal Spaces. We really need a better solution than all-or-nothing device locks. With Enterproid's application containerization, you have either (i) their password and no device lock, or (ii) two passwords (theirs plus yours). With system level containerization we allow multiple personas - or what we call "Spaces". The Device Owner can have an Open Space without a password for quick access and sharing of some apps without security concerns should the device be lost or stolen. They can have a Work Space with a password that is directly accessible - not just after unlocking the device. And they can have a Personal Space (or many) with a PIN, face-lock, or nothing.  Only Graphite's system-level containerization and security enables this. For true adoption of BYOD there has to be benefit to the device owner. A really good screen lock can make or break your solution.


Monday 9 September 2013

Open House! Friday, September 13th, 2013

Please join us as we open the doors to our new office location to celebrate the next stage in our growth. On Friday, September 13th at 4:00 pm the entire Graphite Software team will be stepping back from their keyboards for a brief pause to welcome you to their work place, share a few drinks and snacks and to tell you the Graphite story. 

We are located at 555 Legget Drive, Tower B, Suite 740 in Kanata (next to the Brookstreet Hotel)

We hope that you will be able to join us to help us celebrate!


The Graphite Software Team

Wednesday 17 July 2013

Ottawa is a great place to start a company

There have been recent articles in the Ottawa Citizen and the Ottawa Business Journal mentioning the recent funding of Graphite Software among other Ottawa start-ups. Without a doubt the Ottawa tech sector has been struggling to grow after the regrettable demise of Nortel Networks. Investment and employment in tech is down.

The good news is that there are many quality, highly experienced engineers in the Ottawa area. Graphite Software is building a rock-star R&D team and we can't be more happy to help the Ottawa tech sector reach new heights.  We are up to the job!

Is tech up to the job? 
As the federal government trims staff, can high-tech firms pick up the slack?

Halogen IPO, equity deals create momentum






Tuesday 25 June 2013

Graphite Software raises $4.4M from Celtic House

The office of local security firm Graphite Software is filled with excitement and echoes after securing a $4.4 million series-A financing round from Kanata-based Celtic House Venture Partners.

The echoes come from... read the full article at the OBJ

Graphite Software employees. From left to right, Alec Main, Dmitri Fedorov, Ron Vandergeest, James Puderer, Andrew Thompson and Paul Litva.

Wednesday 19 June 2013

Kanata startup Graphite Software lands venture capital in less than a year


OTTAWA — The usual progression for a startup is to raise a little seed money from family and friends, move on to angel investors, then tap venture capital. But that’s not the route picked by Graphite Software, a Kanata startup less than a year old. It was to announce on Wednesday that it has landed $4.4 million in venture financing....

Read more: http://www.ottawacitizen.com/Kanata+startup+Graphite+Software+lands+venture+capital+less+than+year/8546628/story.html#ixzz2WgTPgQO2


Wednesday 12 June 2013

New location

We are moving into our new offices at 555 Legget Drive in Ottawa. It is the tower on the right. There are shops and restaurants, plus the Brookstreet hotel and gym next door. We now have room to grow properly.