DISA certifies Android mobile system for some DOD smart phones

The Defense Information Systems Agency has certified a secure Android-based mobile system for use by Defense Department agencies. The system allows DOD personnel to sign, encrypt and decrypt e-mail, and securely access data from a smart phone or tablet computer.

Developed by Good Technology for use on DOD-approved Dell Streak 5 smart phones, the capability meets DOD Directive 8100.2 that requires the use of secure, multipurpose Internet mail extension together with with a DOD common access card and interoperability with the DOD’s public-key infrastructure.

There has been much interest in Android open system, but commercially available devices lacked the necessary security, said Chris Roberts, Good’s vice president for public-sector business. Government customers wanted a version of Android that they could harden and manage.

Related coverage:

DOD faces new challenges in mobile enterprise deployment

DOD said on verge of authorizing Androids, iPhones

It was the Army’s interest in the Dell Streak and the need for it to meet security guidelines that led the company became involved in the process, he said. Good initially worked with Dell to augment the security of the Android operating system on the Streak 5 devices.

The secure Android platform allows military users to securely access data and applications such as command and control programs that are usually only accessible via laptop and desktop computers.

The capability allows warfighters to operate with desktop-like capabilities in a protected mobile environment, Roberts said. The secure Android capability also permits users to access important agency resources behind organizational firewalls, such as intranets or other Web-enabled applications via an integrated secure browser.

One of the major advantages behind the system is that it gives government CIOs the ability to allow personnel to bring devices into their organizations' networking environment that meet federal security guidelines. It will also give managers and employees a wider variety of mobile options for use at work.

“The promise of these mobile devices really begins to be delivered," Roberts said. "This gives both constituencies what they need to take advantage of" mobile devices running on Android.

The system uses the Good for Government mobility suite to wirelessly pass and manage sensitive data from Microsoft Exchange servers in DOD data centers via the firm’s email applications to end-point Android devices.

Security is provided by a FIPS 140-2 validated cryptographic module with AES encryption for both at-rest and in-transit data protection. A software data-container capability prevents sensitive data from leaking to non-secure applications.

Sensitive data protections

Because organizational data does not reside on the user’s device, it enables personnel to bring their own approved devices to work without worrying about losing personal data in the event of a wipe, Roberts said.

Administrators can use the system’s Web-based management console to simultaneously manage Dell Android devices and other platforms on the network. The management console can also be used to block access from potentially compromised devices that may have been hacked or infected as well as remotely wiping the data on lost, stolen or retired devices.

The secure Android capability also uses Biometric Associates, LP “baiMobile” technology, which allows network or client applications residing on an Android device to access credentials stored on smart cards to perform functions such as digitally signing and decrypting e-mails and authenticating to secure websites and network servers.

Developers can work with these security features by integrating and accessing BAL’s baiMobile middleware libraries, device drivers and APIs to build smart-card enabled applications.

Good is also introducing a Secure Android Partner Program, which is a joint development initiative that will allow device manufacturers to leverage Good’s capabilities in developing STIG-compliant systems. The program will provide manufacturers with API specifications to comply with STIG guidance, integration of each partners’ API with the Good for Government management console, and CAC reader integration in partnership with BAL Certification services.

These tools will make their solutions eligible for STIG approval and authorization for use in the DOD, Good officials said.