As a security company, Good Technology takes the security of our products and the security of our customers very seriously.
As with many software companies, we occasionally get approaches from security researchers who have found issues in our products and who wish to discuss them. We have a process in place for getting back to researchers, working with them to assess the issues, identifying immediate mitigations and longer-term fixes, notifying customers and rolling out updates. In general, most researchers work well with this process, and once we have fixes in place they put out their disclosure statements. Sadly, not all researchers are so cooperative.
Recently the security research group ModZero put out a disclosure of an issue regarding the way that Android's lack of authentication of application IDs interacts with Good's "Easy Activation" feature. They did so without disclosing the issue to us in advance and in their release they accused Good of being uncooperative. Good strongly denies the assertion that we were uncooperative and we would like to put forward the facts and set the record straight.
Over the last three years ModZero have raised two issues regarding Good products. The first time was in June 2013 when, as part of a penetration test that they performed on behalf of one of our customers, they discovered a cross-site scripting issue in one of our consoles. At the time they said that they would like to disclose the issue, and our security team asked if they would hold off any disclosure for an additional 45 to 60 days in order to ensure not only that we had released the fix but that our customers would have the opportunity to deploy the update. Our security team also noted that, since the work was performed on behalf of a customer and the customer was subject to an NDA, they would need permission to disclose.
The second interaction Good had with ModZero was on September 9th this year, when they contacted Good indicating that they had discovered another issue but provided no detail. They asked us if we wanted them to (a) abide by their "Responsible Disclosure" policy, (b) just release the issue or (c) do nothing. We replied the same day offering "our security experts will be more than happy to either discuss newly discovered vulnerabilities with your Team over the phone or review the report of findings should you decide to share it with us (which will be very much appreciated)." They replied the following day saying "Ok," further asking if we were OK with them releasing the details of the previous issue and asking when the previous issue had been fixed. That same day we replied that we were happy for them to release the details of the XSS bug. We also provided details of the release in which it was fixed and a link to the latest version of the affected software so that they could test it, and closed with "Let me know if you have any other questions."
ModZero never replied to this email. Instead, two weeks later, they released the details of their recent findings without any prior disclosure of the details to us and they accused Good of being uncooperative. We do not believe that this is in any way a fair assessment.
ModZero did not follow their own "Responsible Disclosure" policy. They ignored offers by Good to discuss their findings with us and they went ahead and released the details before we had any chance to assess the issue. At all times we were responsive to their requests and the implication that we were uncooperative is without foundation.
Last week, after they released these findings and wrote a blog post about Good not being cooperative, I emailed Max Moser, one of the founders and author of some of the messages in the discussion thread, asking him what he thought was uncooperative and what he would have liked us to do differently. I have still not had a reply.
As I mentioned before, we take the security of our products and of our customers very seriously. We do our best to cooperate fully with researchers who bring issues to our attention. Sadly, some of them are quite uncooperative.
Good would like to alert customers to a security vulnerability advisory that was released on September 25th, 2015 by a security researcher, which can be found here: http://www.securityfocus.com/archive/1/536543
Customers are advised that the underlying issue disclosed by the researcher is not unique to Good. The vulnerability relies on tricking users into installing malicious Android applications. These applications could be designed to appear as official versions of other generally available commercial apps.
The vulnerability described uses the Good Dynamics Easy Activation feature (https://community.good.com/docs/DOC-3115). To be clear, the publication from the researcher does not describe a weakness in Easy Activation itself. The example provided relies on tricking the user into downloading and installing a malicious version of a Good application.
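The root cause named above is that Android identifies an application only by its package name, which any installed app can claim. As an added illustration written for this page (not Good's Easy Activation code), the Java snippet below shows the defender-side check an already-activated app can perform when another app asks it for activation data: resolve the caller from its Binder UID and compare the caller's signing certificate against a pinned hash, never trusting the package name alone. The class name, helper names and the pinned value are assumptions.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example (hypothetical, not Good's code): authenticate the calling app
 *  by its signing certificate before handing it any activation material. */
public final class CallerVerifier {
    // Placeholder: hex SHA-256 of the legitimate publisher's signing certificate.
    private static final String PINNED_CERT_SHA256 = "<PINNED_SIGNING_CERT_SHA256_HEX>";

    /** Call from inside a Binder transaction (Service/ContentProvider method),
     *  where Binder.getCallingUid() identifies the remote process. Returns true
     *  only if every package sharing that UID carries the pinned certificate. */
    public static boolean callerIsTrusted(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null || pkgs.length == 0) return false;
        for (String pkg : pkgs) {
            if (!isSignedWithPinnedCert(pm, pkg)) return false;
        }
        return true;
    }

    private static boolean isSignedWithPinnedCert(PackageManager pm, String pkg) {
        try {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            // Require exactly one signer; multi-signed APKs are rejected outright.
            if (sigs == null || sigs.length != 1) return false;
            byte[] actual = sha256Hex(sigs[0].toByteArray()).getBytes(StandardCharsets.US_ASCII);
            byte[] expected = PINNED_CERT_SHA256.getBytes(StandardCharsets.US_ASCII);
            return MessageDigest.isEqual(actual, expected); // constant-time compare
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    private static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

A package name match on its own proves nothing here; the certificate check is what ties the caller to the publisher's signing key.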
In summary, for the attack to work the user would need to:
It should be noted that the issue identified does not impact devices running Good apps on the Samsung KNOX platform since this platform deploys additional controls to prevent the execution of untrusted applications.
Good is reviewing the technical details of the issue reported by the security researcher and is exploring possible solutions. We will update this advisory should we decide to implement a fix or provide additional mitigating controls to the customers.
While Good continues to review and improve, we recommend following these steps for better protection:
Good has reviewed the technical details of this issue and we have identified a potential enhancement to the validation checks in the GD application activation process that may enable us to detect malicious activation attempts. If successful, this enhancement will be made available in the next release.
Meanwhile, customers are advised to ensure all users are warned against installing any applications that are from untrusted sources.
Oct 2, 2015 | John Britton, Office of the CTO Director
In my last two blogs I highlighted the new Gartner Critical Capabilities for High Security Mobility Management use cases for Bring Your Own Device (BYOD) and High-Security Commercial. Today we are going to discuss the High-Security Government Grade use case with a special guest, Jeff Miller, Director of US Federal Sales for Good.
First, let’s take a look at the results in the High-Security Government use case scores (you can view the entire report here):
Good Technology scored highest of the 19 vendors considered. For those familiar with Good this is probably not surprising as we recently announced that the US Navy has chosen Good to secure their cross platform mobile device program. Previously, Good had announced a similar win with the Air Force. Rather than quote the report, I have asked Jeff Miller to discuss what mobility trends he sees in the US Federal Government and why Good has had success supporting the military as they move to new iOS, Android, and Windows devices.
Q. What mobility trends do you observe in the Federal government?
A. The federal government is embracing the consumerization of IT, but at their own pace. This of course includes adopting iOS and Android devices. Many BlackBerrys are still in use, but the government is increasingly enamored with Apple and Android devices and is being pressured by users to support them. We’re also starting to see Windows in certain civilian agencies that like the dual-use Microsoft Surface tablets. While I see more iOS devices deployed, the Android value proposition is very appealing as mobility spreads to all employees.
Unlike the private sector, the Federal Government has been slow to move beyond the corporate liable model, which they refer to as “government furnished equipment.” As a result they use full device management via MDM combined with secure email. The basics of managing devices with MDM have been solved, and Good is the solution of choice for secure email for many branches of the armed forces and civilian agencies.
Secure email can still be a struggle for some agencies because of their credential requirements to use Common Access Cards (CAC) or Personal Identity Verification (PIV) cards for access to government systems. This is driving discussion of moving beyond traditional desktop credentialing systems to newer “derived credentials” solutions for simpler access to government apps and data on mobile devices without having to force users to carry around bulky and expensive CAC/PIV card readers.
Q. So is security the main driver of mobility-related decisions?
A. Actually, it’s both security and compliance requirements that are the main drivers for federal agencies, and Good does mobile security better than anyone. Now the need for better usability and mission support on mobile are gaining importance. Federal employees in the field are demanding access to content and applications to get jobs done faster and easier on mobile. Good has taken a leadership position in mobile apps and productivity as well.
Q. Tell me about Good adoption by federal agencies.
A. While many agencies have been using Good for Enterprise for secure email for years, the Good Dynamics Platform is becoming the real accelerator of Good adoption because of its ability to mobilize workflows. The US Federal government is probably the largest Microsoft customer in the world, and Good’s mobilization of the Microsoft application stack is absolutely critical to our relationship. For example, using Good Share to access documents in SharePoint and other file shares and using Good Connect to enable secure messaging for Lync environments is hot right now. I am also beginning to see app development projects spin up in house as agencies are strategizing how to move internal applications to mobile.
In some cases it’s the Good Access secure browser providing mobile access to important web apps and content; in others it may be using Good Access to enable users to report in from the field via form-based web apps back to HQ. Often we overlook how powerful Good Access is for customers that have critical web applications protected by extensive security measures. The ability with Good Access to easily navigate internal proxies and support internal authentication systems like Kerberos provides the security the government requires without impacting the user experience with multiple login prompts.
Q. In all of these cases, it sounds like strong authentication is a critical requirement. And it also sounds like mobility is having a profound effect on how traditional 2-factor is implemented in the Federal Government.
A. Absolutely right. The CAC/PIV requirement can really ruin the mobile experience for users. With Good’s derived credential support, the required credentials are pushed or downloaded to the device, eliminating the need for physical access to card readers. With Good, we store the derived credential at the container level and do not rely on the native device keystore, so credentials are always under IT control and secured with Good app-level encryption. Remember, devices can be jailbroken or rooted, so credential content stored in the keychain can be at risk. Good’s approach mitigates that risk.
Good also provides consistency across OS’s in the way it secures and enables credentials. Other solutions may widely vary in their 2-factor support by operating system. And it’s not just for secure email; it’s also for government controlled web sites and applications.
A. Yes. Good’s TAF partners are of real interest to the government. Partners that are existing credential providers to the government and already tie into existing authentication systems allow IT to leverage existing investments in identity infrastructure.
Q. Why in your opinion has Good had such documented success with the federal government?
A. Initially, Good was first to market with a FIPS-validated cryptographic module as part of its secure email client. At that time, the devices themselves were not using FIPS-validated crypto, which gave Good a huge leg up. MDM alone relies on the security and underlying crypto of the devices. Good began the rigorous security testing and accreditation processes years ago. The effort to have the Good solution approved for use by various agencies was a lengthy process because mobile email and collaboration on consumer smartphones was a new solution for the government at the time.
The FIPS effort paled in comparison to the investment Good made to attain DISA STIG-SRG and Common Criteria certification, which took years and enormous investment in development, relationship management, technical support…you name it. But that investment has allowed us years later to really drive Good’s federal business and open the doors to governments around the world. I would say Good’s pedigree in security and our commitment to the certification and accreditation process is really a cornerstone of our deep relationships with Navy and Air Force.
Q. Can we talk about the Navy or Air Force?
A. Yes we can. The Navy decided to move away from BlackBerry devices to primarily iOS secured by Good, per our STIG. As you can imagine, all the EMM vendors competed for this business. Good’s differentiator in my opinion was the end-to-end total solution we brought to bear, including not just the products but the strategic focus on applications and the growth of the Good Dynamics ecosystem. The Navy uses our MDM for establishing basic configurations. Their strategic focus, however, is aligned with Good on enabling and securing apps and content.
The support for derived credentials in our platform was critical as well. In fact, recently Good has expanded our footprint in the Department of Homeland Security and other branches of the armed forces.
Q. Where do you see mobility going in the federal government in the next 3 to 5 years?
A. Mobilizing the Microsoft stack is a huge hurdle in terms of mission enablement. Another is the securing of secret information for access on mobile devices. I also see the likelihood of a large investment in Android because of the great value some of these lower priced Android devices offer.
The government is always going to be more cautious than consumers in adopting the newest technology trends, like Android. It takes a lot of time to approve consumer technologies that employees may be using at home for use at work. The interesting thing is the government is always one of the earliest adopters of these technologies for testing and piloting, and we learn a lot from them about what we can do to better enable mobility for all types of organizations. It’s a partnership that we value greatly.
Sep 22, 2015 | Jeff McGrath, Product Marketing Director