Today at the 2015 Good Exchange Cyber Security Summit in London, Good Technology unveiled its new enterprise mobility management (EMM) solutions for Windows. These new solutions enable organizations to enjoy the best-in-class, highly secure Good experience on laptops, desktops, Surface Pro and other tablets powered by Windows. With Microsoft’s goal of over a billion end points running Windows in two to three years, this represents a massive expansion in the number of supported devices that can run Good EMM suites.
Today’s announcement includes support for both the Good Access secure browser and the Good Work mobile collaboration app for Windows, giving users a secure way to access corporate intranets and web-based apps in addition to popular business productivity tools such as email, calendar and contacts. The Good Access for Windows beta will begin at the end of October, and general availability is anticipated later this year. The Good Work for Windows beta will begin later this year, with general availability anticipated early next year.
A number of recent trends have been influencing and shaping our product strategies for supporting Windows.
- A growing need for businesses to extend secure mobility solutions to temporary workers/contractors in a BYO device ownership model. The Good solution for Windows enables this capability in an elegant and simple fashion without requiring additional investment in device or network infrastructure.
- A strong desire from IT for a secure BYO solution for Windows laptops, desktops and tablets.
- A growing frustration with traditional VPN and VDI solutions, which have substantial shortcomings in an increasingly BYO world.
- A cloud economy that benefits from easy and secure browser-based access from laptops and desktops.
The Good solution for Windows also helps enterprise IT to leverage existing investments in the Good Dynamics Platform and enables IT to consolidate their EMM strategy, empowering organizations to manage all of their end points from within a single infrastructure.
However, the Good solution for Windows isn’t only for collaboration apps. It also provides an architectural approach to allow enterprises to pursue a bold strategy to transform their IT architectures with a “mobile first, cloud first and browser first” strategy. Good Access provides a secure environment for developing, deploying and managing HTML5 apps with support for essential capabilities like containerization and offline access. Good Work is built as a browser extension that runs inside of Good Access. This is going to open up some exciting possibilities for enterprise IT to securely extend a number of hybrid applications with offline storage capabilities.
The Good solution for Windows is built on top of the Good Dynamics Platform and automatically inherits all of its security and management fabric including support for NTLM Authentication, PAC Files and Routing Management among other things. The solution will also take advantage of the unique Good Launcher capability that provides an all-in-one, consolidated business desktop for users making it easy to switch between their apps and tasks.
We encourage our customers to participate in the beta program for Good Access for Windows. We believe that this is the beginning of a new journey in secure mobile computing and a superior and more modern alternative to VPN and VDI technologies.
On October 4, 2015 Palo Alto researchers published an article detailing a malware attack on non-jailbroken devices. The full article can be read here.
To summarize, the malware uses private APIs and tricks that hide the malicious applications from the end user, and delivers content to a command and control server. These applications can be installed either with enterprise distribution certificates or through Apple’s App Store.
Per Palo Alto, “the malware primarily affects iOS users in mainland China and Taiwan” and has been in the wild for approximately 10 months.
“This issue only impacts users on older versions of iOS who have also downloaded malware from untrusted sources. We addressed this specific issue in iOS 8.4 and we have also blocked the identified apps that distribute this malware. We encourage customers to stay current with the latest version of iOS for the latest security updates. We also encourage them to only download from trusted sources like the App Store and pay attention to any warnings as they download apps.”
Good is unaware of any specific attack against Good applications but customers are advised to upgrade to the latest generally available version of iOS, as of this writing 9.0.2.
As a security company, Good Technology takes the security of our products and the security of our customers very seriously.
As with many software companies, we occasionally get approaches from security researchers who have found issues in our products and who wish to discuss them. We have a process in place for getting back to researchers, working with them to assess the issues, identifying immediate mitigations and longer-term fixes, notifying customers and rolling out updates. In general, most researchers work well with this process, and once we have fixes in place they put out their disclosure statements. Sadly, not all researchers are so cooperative.
Recently the security research group ModZero put out a disclosure of an issue regarding the way that Android's lack of authentication of application IDs interacts with Good's "Easy Activation" feature. They did so without disclosing the issue to us in advance and in their release they accused Good of being uncooperative. Good strongly denies the assertion that we were uncooperative and we would like to put forward the facts and set the record straight.
Over the last three years ModZero have raised two issues regarding Good products. The first time was in June 2013 when, as part of a penetration test that they performed on behalf of one of our customers, they discovered a cross-site scripting issue in one of our consoles. At the time they said that they would like to disclose the issue, and our security team asked if they would hold off any disclosure for an additional 45 to 60 days in order to ensure that not only had we released the fix but that our customers would have the opportunity to deploy the update. Our security team also noted they were concerned that, since the work was performed on behalf of a customer and the customer was subject to an NDA, they would need permission to disclose.
The second interaction Good had with ModZero was on September 9th this year, when they contacted Good indicating that they had discovered another issue but provided no detail. They asked us if we wanted them to (a) abide by their "Responsible Disclosure" policy, (b) just release the issue or (c) do nothing. We replied the same day offering "our security experts will be more than happy to either discuss newly discovered vulnerabilities with your Team over the phone or review the report of findings should you decide to share it with us (which will be very much appreciated)." They replied the following day saying "Ok," further asking if we were OK with them releasing the details of the previous issue and asking when the previous issue had been fixed. That same day we replied that we were happy for them to release the details of the XSS bug. We also provided details of the release in which it was fixed and a link to the latest version of the affected software so that they could test it, and closed with "Let me know if you have any other questions."
ModZero never replied to this email. Instead, two weeks later, they released the details of their recent findings without any prior disclosure of the details to us and they accused Good of being uncooperative. We do not believe that this is in any way a fair assessment.
ModZero did not follow their own "Responsible Disclosure" policy. They ignored offers by Good to discuss their findings with us and they went ahead and released the details before we had any chance to assess the issue. At all times we were responsive to their requests and the implication that we were uncooperative is without foundation.
Last week, after they released these findings and wrote a blog post about Good not being cooperative, I emailed Max Moser, one of the founders and author of some of the messages in the discussion thread, asking him what he thought was uncooperative and what he would have liked us to do differently. I have still not had a reply.
As I mentioned before, we take the security of our products and of our customers very seriously. We do our best to cooperate fully with researchers who bring issues to our attention. Sadly, some of them are quite uncooperative.