Security

White paper
April 2011

White paper | Security

This document
This Sony Ericsson White paper is intended to give enterprise users an overview of specific smartphone features and provide details in relevant areas of technology. This document contains specifications for Sony Ericsson smartphones launched on Android 2.3 or later.

Document history
Version
April 2011 First released version Version 1

Sony Ericsson website

For more information about Sony Ericsson business propositions, go to www.sonyericsson.com

This White paper is published by: Sony Ericsson Mobile Communications AB, SE-221 88 Lund, Sweden www.sonyericsson.com Sony Ericsson Mobile Communications AB, 2009-2011. All rights reserved. You are hereby granted a license to download and/or print a copy of this document. Any rights not expressly granted herein are reserved. First released version (April 2011) Publication number: 1252-4077

This document is published by Sony Ericsson Mobile Communications AB, without any warranty*. Improvements and changes to this text necessitated by typographical errors, inaccuracies of current information or improvements to programs and/or equipment may be made by Sony Ericsson Mobile Communications AB at any time and without notice. Such changes will, however, be incorporated into new editions of this document. Printed versions are to be regarded as temporary reference copies only. *All implied warranties, including without limitation the implied warranties of merchantability or fitness for a particular purpose, are excluded. In no event shall Sony Ericsson or its licensors be liable for incidental or consequential damages of any nature, including but not limited to lost profits or commercial loss, arising out of the use of the information in this document.

April 2011

White paper | Security

Table of contents
Introduction .................................................................................................................4 Feature overview ...................................................................................................4 ............................................................................................................................4 Device security ............................................................................................................5 IT policies ...............................................................................................................5 Specifications......................................................................................................5 Setup...................................................................................................................5 Enforce password ..................................................................................................6 Setup...................................................................................................................6 Application download restriction ...........................................................................6 Network security .........................................................................................................7 VPN ........................................................................................................................7 Specifications......................................................................................................7 Setup...................................................................................................................7 SSL/TLS .................................................................................................................8 Certificates .............................................................................................................8 Specifications......................................................................................................8 Setup...................................................................................................................8 Information security ....................................................................................................9 Remote wipe ..........................................................................................................9 Specifications......................................................................................................9 Setup...................................................................................................................9 Store information safely .......................................................................................10 Specifications....................................................................................................10 Copy contacts to a SIM card or memory card .................................................10 Copy to a computer ..........................................................................................10 Synchronise with a web service........................................................................11 Synchronise with Microsoft Exchange Server ...............................................11 Trademarks and acknowledgements .....................................................................12

April 2011

White paper | Security

Introduction
A phone for business must be secure since it may contain not only classified information, but also access to your corporate servers and networks. This document shows what features are available in the Sony Ericsson Android smartphones to protect your smartphone and its contents from unauthorised use and to ensure secure access to your corporate resources. For safe network access, the smartphone supports VPN, SSL/TLS encryption and client certificates. Protect the information in your smartphone by enforcing passwords and PIN codes. You can push your corporate IT policies to the smartphones and manage the security settings remotely from the server. If one of your corporate smartphones are stolen or lost, you can remotely wipe the information in the smartphone and reset it. Then restore all the information to a new smartphone by downloading your previously backed up or synchronised information. There are several options for safely storing and synchronising information. In order to meet the evolving threat landscape, Sony Ericsson is continuously working on improving the security of its products.

Feature overview

Device security
IT policies Enforce password Application download restriction

Network security
VPN SSL/TLS Certificates

Information security
Remote wipe Store information safely

April 2011

White paper | Security

Device security
To protect your Sony Ericsson Android smartphone from unauthorised use, you can push and deploy your corporate IT policies into the smartphone, and manage and administrate the settings remotely from the Exchange server. Depending on your corporate policies and needs, you can select different passcode options for your smartphone. Lower the risk of getting malware into your corporate smartphones by setting them to only accept downloads from Android Market.

IT policies
IT policies are set by an administrator in the Microsoft Exchange Server and dictate, for example, whether the user must enter a password to activate the smartphone, how long the password should be and rules for the combination of numbers and letters. When the smartphone connects to the Microsoft Exchange Server the user is asked to accept the IT policies. If the user accepts, and the smartphone is compliant to the IT policies, the user is permitted access to the server and its contents.

Specifications
Supported password/IT policies Require password Minimum password length Require alpha-numeric password Allow simple password (Microsoft Exchange Server 2007) Number of failed attempts Timeout without user input

Setup
Your Microsoft Exchange Server should have the option Allow non-provisioned device active for accessing the IT policies. Establish your preferred IT policies on the Exchange server. You can also use a Mobile Device Management solution to push the IT policies to the smartphone.

April 2011

White paper | Security

Enforce password
You can enforce passwords or PIN codes upon the users to secure that the smartphone is only used by the person intended. Set the requirements to suit your company security policy and needs.

Setup
Activate the Enforce password option on the Microsoft Exchange Server or manually in the smartphone. Then select if you want the users to authenticate themselves to the smartphone with a: password PIN code Passwords ensure a higher security than PIN codes. In the smartphone you can also define a screen unlock pattern. Once defined and set, this pattern must be drawn correctly on the screen by a finger to unlock the phone after an inactivity period.

Example of screen unlock pattern

Application download restriction

Certain downloadable applications can contain malware or other harmful components. You can manage this risk by configuring your smartphone to only accept downloads from Android Market.

April 2011

White paper | Security

Network security
The Sony Ericsson Android smartphone is an efficient work tool that enables you to access your corporate resources and information at any time and place. The smartphone offers secure connections and protected data transmission.

VPN
Your smartphone contains a VPN (Virtual Private Network) client that provides a secure remote connection to your corporate servers using industry-standard protocols and user authentication. This connection is Internet based.

Specifications
VPN PPTP (Point-to-Point Tunneling Protocol) L2TP (Layer 2 Tunneling Protocol) L2TP/IPSec PSK (Pre-shared key based L2TP/IPSec) L2TP/IPSec CRT (Certificate based L2TP/IPSec)

Setup
Your smartphone supports several standard VPN technologies. If your company supports at least one of them, the VPN setup requires no additional network configuration. But you still need to make sure your smartphone supports your specific corporate VPN protocols and authentication methods. Some corporate VPN networks require users to authenticate themselves with certificates before allowing access. Having set this up on the server side, you then need to enter your corporate VPN settings via the general settings in your smartphone.
Schematic overview of how a basic VPN connection works.

April 2011

White paper | Security

SSL/TLS
Your smartphone supports HTTPS data encryption over the Internet using the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols, protecting your information during transmission between your corporate server and your smartphone. SSL should be activated on your corporate server to ensure that the smartphones can be used safely in a corporate environment.

Certificates
A user certificate is a strong and secure authentication method containing information about the user and the certificate authority. Installed on your smartphone it authenticates you as a valid user towards your corporate network. The Sony Ericsson Android smartphones support certificate authentication for access to VPN and Wi-Fi networks. Note that Microsoft Exchange ActiveSync only supports basic authentication.

Specifications
Authentication certificates x.509 in .p12 or .crt formats

Setup
Ensure that you have your public key infrastructure configured to support device- and user-based certificates with the corresponding key distribution process. Push the user certificates from the corporate server to the individual smartphones. The user receives and installs it on the smartphone. Certificates can also be downloaded to smartphones, for example, from your corporate website or from prepared memory cards. Certificate-based VPN connections require certificates to be exported from the VPN server and copied to your smartphone.

April 2011

White paper | Security

Information security
Your corporate Sony Ericsson Android smartphone contains a lot of valuable and sometimes sensitive information. Passwords, PIN codes and screen unlock patterns prevent unauthorised use. But to further protect your information the smartphones can have their contents remotely wiped from phone if needed, and you can then use your back up or synchronisation features to restore the information in another smartphone.

Remote wipe
If a corporate smartphone is stolen or lost, you can initiate a remote wipe from the server and delete the smartphones contents to make sure important information does not fall into the wrong hands.

Consequences of a remote wipe

The smartphone is reset with the factory default settings Microsoft Exchange ActiveSync data is erased (email messages, calendar events, contacts) Remote wipe only affects the data in your smartphone. The corresponding data on the Microsoft Exchange Server remains safe and unaffected, as well as data on your memory card.

Specifications
Remote wipe options Remote wipe tools Remote-initiated data wipe Microsoft Exchange Active Sync Mobile Administration Web Tool Outlook Web Access (Microsoft Exchange Server 2007/2010) Exchange Management Console (Microsoft Exchange Server 2007/2010)

Setup
Remote wipe is part of the IT policies in your Microsoft Exchange Server. When a connection between your smartphone and your Exchange server is first set up, the IT policies are pushed to the smartphone and implemented if the smartphone is compliant. When the connection is established, you have the possibility to do a remote wipe from the Exchange server.

April 2011

White paper | Security

Store information safely

Its a good idea to have the information in your smartphone synchronised with other media or safely stored in another location as well. This way, the existence of your information is not dependent on a specific device. If you lose your smartphone or if you want to use several smartphones you can easily download your contacts, messages and other important information to a new smartphone. Depending on your needs and your company policies for backing up information, you can choose to store your corporate and personal information in different ways and in different media: Copy contacts to a SIM card or memory card Copy to a computer Synchronise with a web service Synchronise with Microsoft Exchange Server

Specifications
Computer storage Sony Ericsson PC Companion Requires Microsoft Windows 7, Vista, or XP (service pack 3 +) Microsoft Exchange Server via Microsoft Exchange ActiveSync Sony Ericsson Sync Google account

Online storage

Copy contacts to a SIM card or memory card

You can copy your contacts to the SIM card or to the memory card. If you switch to another phone but use the same cards, this is convenient. In your new phone you then select to copy contacts from a SIM card or memory card.

Copy to a computer
When connecting your smartphone to a computer with a USB cable you will be able to install and use the PC Companion application on your computer. With PC Companion you can access additional applications to transfer and organise contacts, calendar entries, files, media content and more.

10

April 2011

White paper | Security

Synchronise with a web service

If you want to back up and store your contacts outside the smartphone, you can use the Sony Ericsson Sync service. Your contacts are stored online, hosted by Sony Ericsson, and available on the web. This is convenient if you lose your smartphone, get a new one or if you want to use your contact list with several phones. After signing in to the designated Sony Ericsson website at www.sonyericsson.com/user, you can just download your list of contacts to any phone. The same principle is valid if you use the Google services for email, contacts and calendar. Then you sign in to your Google account in your smartphone, and the information in your smartphone is synchronised and stored with your Google service.

Synchronise with Microsoft Exchange Server

The Sony Ericsson Android smartphones use the Microsoft Exchange ActiveSync client to connect with your Microsoft Exchange Server and synchronise with your corporate email, calendar and contacts. Since its a two-way communication, actions and changes that you perform in the smartphone or on the computer are all immediately reflected in the other device. Your smartphone contains the same information as on your Microsoft Exchange Server, and the server is a safe storage for your corporate email, calendar and contacts.

11

April 2011

White paper | Security

Trademarks and acknowledgements

The Liquid Identity and Liquid Energy logos and Xperia are trademarks or registered trademarks of Sony Ericsson Mobile Communications AB. Sony, "make.believe" is a trademark or registered trademark of Sony Corporation. Google, Android and Android Market are trademarks or registered trademarks of Google, Inc. Wi-Fi is a trademark or registered trademark of the Wi-Fi Alliance. DLNA is a trademark or registered trademark of the Digital Living Network Alliance. XHTML is a registered trademark of the W3C. Microsoft, Windows, Microsoft Exchange Server, Microsoft Exchange ActiveSync are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks and copyrights are the property of their respective owners.

12

April 2011