
Based upon both market trends and device usage on campus, the ISO has opted to specify approved methods for encrypting Apple, BlackBerry, and Android-based handheld devices.

Apple iOS devices

Supported devices include the iPhone (3GS or later), iPad, and iPod Touch (3rd generation or later) only, running iOS 4.x or above.  Earlier versions of the hardware and operating system software do not support key security features, such as hardware encryption.

The only approved encryption method for iOS devices at this time is the built-in whole disk encryption that is provided with iOS 4 running on a supported device, with data protection enabled.  Data protection allows applications to protect application-specific data with a unique encryption key derived from the user's passcode.  Without this, application data could be accessed with a simple jailbreak.  If the device originally shipped with iOS 3 (e.g. the iPhone 3GS, iPad, and iPod Touch), data protection will not be enabled until the device is restored after upgrading to iOS 4.  Older devices, such as the iPhone 3G, do not support data protection or hardware encryption and as such, there is no approved encryption method for them.

To verify that data protection is enabled:
1. Tap Settings.
2. Tap General.
3. Tap Passcode Lock.
4. "Data protection is enabled" should be displayed at the bottom of the screen.

If data protection is not enabled, enable it by setting a passcode on the device:
1. Tap Settings.
2. Tap General.
3. Tap Passcode Lock.
4. Tap in a passcode.
5. Tap in the same passcode.

It is important to understand that applications must be specifically designed to utilize data protection.  Do not store or use sensitive data with applications that do not make use of data protection.  More information regarding this feature is available on Apple's site at iOS 4: Understanding data protection.
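For departments that build or review in-house iOS applications, the following added example (not part of the original guidance and not Apple's sample code) shows what "designed to utilize data protection" means at the file level: writing a file with the complete protection class, upgrading an existing file, and listing files in a directory that lack that class. The function names `WriteProtected`, `ProtectExisting`, and `UnprotectedFiles` are hypothetical; the Foundation constants and methods are the iOS 4 APIs.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical helper: write sensitive bytes so the file is encrypted with a
// key tied to the user's passcode and is unreadable while the device is locked.
static BOOL WriteProtected(NSData *data, NSString *path, NSError **error) {
    NSDataWritingOptions opts = NSDataWritingAtomic |
                                NSDataWritingFileProtectionComplete;
    return [data writeToFile:path options:opts error:error];
}

// Hypothetical helper: apply the complete protection class to a file that was
// created earlier without it (for example, by an older build of the app).
static BOOL ProtectExisting(NSString *path, NSError **error) {
    NSDictionary *attrs =
        [NSDictionary dictionaryWithObject:NSFileProtectionComplete
                                    forKey:NSFileProtectionKey];
    return [[NSFileManager defaultManager] setAttributes:attrs
                                            ofItemAtPath:path
                                                   error:error];
}

// Hypothetical audit helper: return the regular files under `root` whose
// protection attribute is missing or is anything other than "complete".
static NSArray *UnprotectedFiles(NSString *root) {
    NSFileManager *fm = [NSFileManager defaultManager];
    NSMutableArray *found = [NSMutableArray array];
    for (NSString *rel in [fm enumeratorAtPath:root]) {
        NSString *path = [root stringByAppendingPathComponent:rel];
        NSDictionary *attrs = [fm attributesOfItemAtPath:path error:NULL];
        if (![[attrs fileType] isEqualToString:NSFileTypeRegular]) {
            continue; // skip directories and symlinks
        }
        NSString *cls = [attrs objectForKey:NSFileProtectionKey];
        // A nil class means the file was never opted in to data protection.
        if (![cls isEqualToString:NSFileProtectionComplete]) {
            [found addObject:path];
        }
    }
    return found;
}
```

Running `UnprotectedFiles` against the application's Documents directory in a debug build gives a reviewer a concrete list of files that would not be covered by the passcode-derived key.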

It is strongly advised that, in addition to enabling data protection, all iOS users read the Apple iOS Hardening Checklist and follow all of the recommendations therein.

RIM BlackBerry OS devices

Devices using version 4.2 and later of BlackBerry OS are supported.  Earlier versions of the operating system do not support all encryption options, such as encryption of media cards. 

The only approved encryption method for BlackBerry devices is the native content protection.  Content protection will encrypt data the operating system determines to be sensitive, such as emails, contacts, browser cache, and other user data.  Encrypting the contact list will disable incoming caller identification.

To enable content protection:
1. Click Options.
2. Click Security Options.
3. Click General Settings.
4. Set Content Protection to Enabled.

To encrypt media cards:
1. Click Options.
2. Depending upon the version of the OS, click Media Card or click Advanced Options and then click Media Card.
3. Set Encryption Mode to one of the following: Device, Security Password, or Security Password & Device.

A BlackBerry Hardening Checklist is also available with recommendations for additional security practices.

Google Android devices

Android does not have any native tools to encrypt either user data or the device.  Some third-party applications and services, such as TouchDown, Good for Enterprise, and Trust Digital, can provide limited encryption functionality for Exchange data.  Other applications can offer encrypted storage containers.  This fragmented, piecemeal approach to data protection could be cumbersome for users and would be difficult to verify for audit and compliance purposes.  At this time, because there is no native device encryption available and the ISO is unfamiliar with third-party offerings, there are no approved encryption methods for Android devices.  Departments wishing to support Android users should contact the ISO at security@utexas.edu to discuss their plans to protect university data that will be stored on or accessible with the devices.



Copyright © 2001-2011 Information Technology Services. All rights reserved.
