When VMware announced its Mobile Virtualization Platform, virtualization admins were intrigued, but questions about mobile device security arose as time went on.
The idea behind VMware’s mobile virtualization technology is simple: Take an end user’s phone and add a virtualization layer to it, providing a personal and corporate phone all in one. VMware MVP consists of a single virtual machine (VM) running on top of a kernel with a special paravirtualization driver, and leaves the standard mobile operating system unmodified. (At this time, VMware MVP is only supported on Android phones.)
But before you dive into VMware MVP, it’s important to understand mobile device security methods -- and where issues may crop up. The security capabilities provided by VMware MVP for corporate environments include:
Encryption. Both your personal and corporate VMs run within the same kernel as the Android OS, so some security professionals have questioned whether it’s possible to hop from the standard mobile OS into the corporate VM or even see traffic as it traverses into the VM.
To address this concern, VMware MVP encrypts the VM within the phone’s internal available memory. This VM and its mobile OS image can only be downloaded from Horizon Mobile, a VMware management portal that allows admins to provision and manage mobile devices, push applications to the devices, and recover corporate data when it gets lost. The Horizon Mobile requirement ensures that corporate VMs can only be deployed by the enterprise, boosting security.
Mobile device management. The corporate mobile device image includes software components and services that reside partly on the mobile device and partly on enterprise back-end servers. This software provides more secure device management, provisioning, tracking, locating and wiping of entire devices.
Application delivery. With VMware MVP, applications are also encrypted and securely delivered down to the corporate mobile device image. That means the data will reside partly on the phone and partly at the company’s data center. If the device is lost or stolen, administrators can use centralized management tools to wipe apps or even an entire VM from the phone.
Antivirus. To boost mobile device security, you can also integrate an OS antivirus tool into VMware MVP. Antivirus software monitors the onboard VM and prevents any unauthorized modification of data to fully protect the image from any rogue content. Administrators can manage antivirus clients from the data center.
Secure decryption. To improve VMware MVP security, the only way to decrypt a VM is to first be connected to the enterprise environment. That’s because access to the encrypted VM is not stored locally and is not directly tied to the user’s corporate password. Additionally, VMware imposes a time limit on how long a VM can be disconnected from the data center before it is wiped; this is a configurable VMware MVP setting. That said, it might be possible to grab the encrypted image before the time limit and decrypt the VM using phone forensic tools.
VMware MVP isn’t perfect, however. For example, one remaining mobile device security concern is that VMware MVP still only supports a single SIM, forcing users with different personal and corporate phone numbers to carry two smartphones. That leaves the user with more room for error and a wider attack surface for potential hackers.
This was first published in January 2012