Mobile OS - Features, Concepts and Challenges for Enterprise Environments
Abstract
The impact of mobile devices on our lives is growing continuously, and the
integration of mobile devices into enterprise environments is a hot topic. The
following gives an overview of the state of the art of features, concepts and
challenges of mobile operating systems with respect to integrating them into an
enterprise environment. For that it is necessary to show what kind of policies
are needed for using a mobile device in an enterprise environment and to analyze
how the currently available mobile operating systems, with their specific
policies and security mechanisms, can fulfill these requirements.
1. INTRODUCTION:
Worldwide sales of mobile devices, especially smartphones, grew at an increasing
rate over the last years. Gartner reports that 304 million mobile device units
were sold in the year 2010, an increase of 72.1 percent compared to the previous
year. The popularity and capability of mobile devices, and the confidence of
organizations in integrating them into their business processes, make them an
attractive target for criminals. As a consequence, organizations need to
implement policies to manage the risk of using mobile devices in an enterprise
environment, especially when the data the mobile devices handle is sensitive and
confidential. This paper gives an overview of features, concepts and challenges
for enforcing the policies needed for a safe integration of mobile devices into
an enterprise environment.
2. ENTERPRISE POLICIES:
Campbell defines policies as "guidelines that regulate organizational action.
They control the conduct of people and the activities of systems". This
regulation is necessary to specify how employees or applications have to operate
in given situations, so that private or confidential information is not exposed
through unintended handling of a device or software.
Enforcing policies for mobile devices in an enterprise environment is a complex
but necessary task for organizations. It cannot be compared with the enforcement
of policies on the usual items in the IT world, because of the high portability
of mobile devices. Portability means that the device is used at any time and any
place and can easily get lost or stolen, which is the worst case when, for
example, the device stores sensitive corporate data locally. But the threat of
losing a device is not the only risk of using a mobile device in an enterprise
environment. Because it is portable and used as a mobile interface to enterprise
communication backends, a mobile device communicates via wireless networks,
which are less secure than wired networks.
CHALLENGES AND POLICIES
Challenge: A lost or stolen mobile device
Policy: Implement a central management console for device remote control, i.e.,
location tracking, data wipe-out, password/PIN change or strong user
authentication
Challenge: Enforcing the enterprise policy for standard devices
Policy: Gain visibility of all devices connected to the infrastructure
Challenge: Providing support for various devices
Policy: Turn to cross-platform, centrally managed mobile device managers
Challenge: Controlling data flow on multiple devices
Policy: Secure the systems that are accessed, with authorization, encryption and
privilege control
Challenge: Preventing data from being synchronized onto mobile devices in an
unauthorized way
Policy: Monitor and restrict data transfers to handheld or removable storage
devices and media from a single, centralized console
General threats and risks of using a mobile device in an enterprise environment
can be summarized as follows:
• Mixed private and sensitive corporate data stored on the device
• Sensitive data stored locally on the device can be stolen, e.g. by stealing
the device
• Sensitive data exchange, e.g. e-mail, contact and calendar synchronization,
can be read by third parties when insecure technology is used
• Installation of third-party code for private use by the employee, e.g. due to
missing or insufficient policy settings.

To control these challenges and develop suitable policies, it is necessary to
manage the mobile operating system, which provides the security mechanisms and
the ability to set security settings on the mobile device via policies.
3. MOBILE OPERATING SYSTEMS:
An operating system is system software designed to operate and control the
computer hardware. An operating system that runs on a mobile device is called a
mobile operating system.

A. Android
B. Blackberry OS
C. iOS
D. Windows Phone
Fig: Mobile Operating Systems Overview
Year   Symbian   Android   BlackBerry OS   Microsoft OS   iOS     Other
2010   37.6%     22.7%     16.0%           4.2%           15.7%   3.8%
2009   46.9%     3.9%      19.9%           8.7%           14.4%   6.1%
2008   52.4%     0.5%      16.6%           11.8%          8.2%    10.5%
2007   63.5%     N/A       9.6%            12.0%          2.7%    12.1%
Table: Market Share of Mobile Operating Systems
Despite the fact that Microsoft's operating systems lost market share in the
last years, they will be part of the analysis in this paper. The reason is the
cooperation between Microsoft and Nokia, the largest manufacturer of mobile
devices, which can be rated as a high potential for market share growth in the
future. Furthermore, Gartner predicts that Windows Phone will be the mobile
operating system with the second largest market share behind Android in the
year 2015.
A. Mobile OS: Android
Android is an open source operating system for mobile devices developed by
Google and the Open Handset Alliance. With 22.7% it is the second most used
operating system for mobile devices worldwide, behind Symbian. The system
architecture consists of:
• a modified Linux kernel
• open source libraries written in C and C++
• the Android Runtime, which contains core libraries providing most of the core
functionality of Java; as virtual machine it uses Dalvik, which executes the
Java-based applications
• an Application Framework, which provides services and libraries written in
Java for application development
• and the Applications, which run on top of it
Fig: Android, iOS, Windows Phone Sandboxing Model
Fig: Android Versions Distribution


B. Mobile OS: BlackBerry OS
BlackBerry OS is the proprietary mobile operating system developed by the
Canadian company Research In Motion and is used for BlackBerry devices only.
Unlike all the other mobile operating systems considered here, it is developed
mainly for business use. Gartner says that it is one of the most popular mobile
operating systems today with 16.0% market share, but also predicts decreasing
relevance in the future.
BlackBerry OS uses an older model for application sandboxing, shown in Fig. 4.
It uses different trust roles for assignments, and applications have full access
to the complete device and data. It also requires an application to be signed
with a certificate, either issued by a certificate authority (CA) or
self-signed, before its code can run on the device.
Fig: BlackBerry OS Sandboxing Model
C. Mobile OS: iOS
The proprietary mobile operating system iOS is used only on Apple devices like
the iPhone and is a further development of the desktop operating system
Mac OS X. Its market share grew continuously over the last years to 15.7%. The
system architecture closely follows the Mac OS X architecture and consists of
the following layers:
• Core OS: the kernel of the operating system
• Core Services: fundamental system services, subdivided into different
frameworks based on C and Objective-C. For example, the CFNetwork framework
offers the functionality to work with common network protocols.
• Media: the high-level frameworks responsible for graphics, audio and video
technologies
• Cocoa Touch: includes UIKit, an Objective-C based framework that provides the
functionality necessary for developing an iOS application, such as user
interface management
D. Windows Phone:
Windows Phone is the successor of the operating system Windows Mobile from the
software developer Microsoft. Compared to the other discussed mobile operating
systems, its market share is low at only 4.2%. But, as mentioned in the previous
chapter, the cooperation between Nokia and Microsoft can be rated as a high
potential for market share growth [9]. Windows Phone uses technologies and tools
that are also used in desktop application development, like the development
environment Visual Studio and the frameworks Silverlight, XNA and .NET Compact
Framework. For sandboxing, Windows Phone uses the same model as Android and iOS.
Furthermore, third-party applications can only be signed with an officially
issued certificate, like iOS applications.
4. MOBILE OPERATING SYSTEM POLICIES
Policies "control the conduct of people and the activities of systems" and are
necessary to specify how employees or applications have to operate in given
situations, so that private or confidential information is not exposed through
unintended handling of a device or software. A distinction has to be made
between native policies, i.e. policies provided by the operating system itself,
and policies that only work together with a server solution. The following
subchapters present the policies of each mobile operating system. Afterwards
there is a summarized comparison of all offered mobile operating system
policies.

A. Android Policies
B. Blackberry OS Policies
C. iOS Policies
D. Windows Phone Policies
E. Mobile OS Policies Comparison
A. Android Policies:
Since version 2.2 Android offers a Device Administration API that provides
device administration and control features at the system level. With this API,
developers can write device management applications that enforce policies. These
policies can be hard-coded into the application or fetched dynamically from a
third-party server. The API supports the following native policies, grouped by
the platform version needed to support them.
Android 2.2 or higher:
• Password enabled
• Minimum password length
• Alphanumeric password required
• Maximum failed password attempts
• Maximum inactivity time lock
• Prompt user to set a new password
• Lock device immediately
• Wipe the device's data (restore the device to its factory defaults)
Android 3.0 or higher:
• Complex password required
• Minimum letters required in password
• Minimum lowercase letters required in password
• Minimum non-letter characters required in password
• Minimum numerical digits required in password
• Minimum symbols required in password
• Password expiration timeout
• Password history restriction
• Maximum failed password attempts
• Maximum inactivity time lock
• Require storage encryption
The Device Administration API documentation states: "If a device attempts to
connect to a server that requires policies not supported in the Device
Administration API, the connection will not be allowed". This means that if a
device does not support the required policies, there is no way to enforce them
on the device. This is a huge disadvantage because of the high platform version
fragmentation and the fact that only 0.6% of all Android devices ran version 3.0
or higher in June 2011.
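As an added example (not code from the paper), the following shows how a device management application applies the policy set listed above through the Device Administration API and how it deals with the version gap just described: the Android 3.0 policies are applied only when the running platform supports them, and the method reports whether every required policy could be satisfied, so the caller can refuse to provision corporate accounts in the spirit of the quoted rule. The package name, the receiver class, the concrete policy values and the manifest and device_admin.xml declarations mentioned in the comments are assumptions for illustration.

```java
// PolicyAdminReceiver.java: added example, not code from the paper. Package,
// class names and policy values are assumptions for illustration. The manifest
// must register the receiver with android.permission.BIND_DEVICE_ADMIN and
// point its android.app.device_admin meta-data at res/xml/device_admin.xml,
// which is assumed to declare: limit-password, watch-login, reset-password,
// force-lock, wipe-data, expire-password, encrypted-storage (calling a setter
// for an undeclared policy throws SecurityException).
package com.example.mdm;

import android.app.Activity;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

/** Receives admin lifecycle broadcasts; the system calls onEnabled once the user accepts. */
public class PolicyAdminReceiver extends DeviceAdminReceiver {
    @Override
    public void onEnabled(Context context, Intent intent) {
        new EnterprisePolicy(context).apply();
    }
}

class EnterprisePolicy {
    // Policy values the (hypothetical) enterprise server requires.
    static final int MIN_LENGTH = 8;
    static final int MAX_FAILED_BEFORE_WIPE = 10;
    static final long LOCK_AFTER_MS = 5 * 60 * 1000L;
    static final long EXPIRE_AFTER_MS = 90L * 24 * 60 * 60 * 1000L;

    private final Context ctx;
    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    EnterprisePolicy(Context ctx) {
        this.ctx = ctx;
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = new ComponentName(ctx, PolicyAdminReceiver.class);
    }

    /** Ask the user to activate this app as device administrator; no setter works before that. */
    void requestActivation(Activity activity) {
        Intent i = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
        i.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, admin);
        i.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION, "Required by corporate security policy");
        activity.startActivityForResult(i, 1);
    }

    /**
     * Apply the policy set. Returns false when the device cannot satisfy every
     * required policy; the caller should then refuse to provision corporate
     * accounts, in the spirit of the "connection will not be allowed" rule.
     */
    boolean apply() {
        if (!dpm.isAdminActive(admin)) return false;

        // Policies available since Android 2.2 (API 8).
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, MIN_LENGTH);
        dpm.setMaximumFailedPasswordsForWipe(admin, MAX_FAILED_BEFORE_WIPE);
        dpm.setMaximumTimeToLock(admin, LOCK_AFTER_MS);

        boolean fullySatisfied;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {   // Android 3.0 (API 11)
            // The guard keeps these API 11 calls from executing on older platforms.
            dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_COMPLEX);
            dpm.setPasswordMinimumLetters(admin, 2);
            dpm.setPasswordMinimumNumeric(admin, 1);
            dpm.setPasswordMinimumSymbols(admin, 1);
            dpm.setPasswordExpirationTimeout(admin, EXPIRE_AFTER_MS);
            dpm.setPasswordHistoryLength(admin, 5);
            // setStorageEncryption only records the requirement; encryption itself is
            // started by the user (ACTION_START_ENCRYPTION), so verify the status too.
            dpm.setStorageEncryption(admin, true);
            fullySatisfied = dpm.getStorageEncryptionStatus() == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE;
        } else {
            fullySatisfied = false;   // complex password, expiry and encryption need 3.0+
        }

        // The existing password may not meet the new rules: make the user choose a new one.
        if (!dpm.isActivePasswordSufficient()) {
            Intent i = new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD);
            i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            ctx.startActivity(i);
        }
        return fullySatisfied;
    }

    /** Remote actions a management server can trigger on the device. */
    void lockNow() { dpm.lockNow(); }
    void wipe()    { dpm.wipeData(0); }   // factory reset; flag 0 leaves external storage alone
}
```

Built with minSdkVersion 8, the calls inside the guarded branch are never executed on 2.2 or 2.3 devices, but apply() returns false there, so the server side can decide whether to admit a device that only meets the 2.2 policy subset.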
B. BlackBerry OS Policies:
BlackBerry provides over 400 policies for its mobile operating system, which can
be used to control specific mobile IT policies in an enterprise environment.
These policies offer everything necessary to use a mobile device securely in an
enterprise environment and can be categorized into the following groups:
• Group IT Policies: simplify the creation and modification of group policies to
ensure data security and access control in an organization.
• Default IT Policy: to ensure a minimum level of security, BlackBerry OS uses a
customizable base IT policy set. Administrators can create and modify the
policies of users or groups to meet the security needs of the organization using
the BlackBerry Enterprise Server.
• Over the Air Enforcement: all policy settings are synchronized and assigned to
the BlackBerry device, so administrators can change policies without requiring
the user's acceptance or changes on the device itself. Policies carry unique
digital signatures to ensure that only the BlackBerry Enterprise Server can send
updates to a BlackBerry device.
• Malware Control: the BlackBerry Enterprise Server comes with 19 application
policies that allow the administrator to limit the resources and user data
available to a given application. For example, limitations can be imposed on
internal or external domains, the phone, Bluetooth, and user data such as e-mail
and Personal Information Management (PIM) data. Because limitations can be
specified per application, administrators can also grant elevated permissions to
trusted applications, like a Customer Relationship Management (CRM) application.
• Comprehensive Control over the Entire BlackBerry Enterprise Solution: gives
administrators the capability to force password use, password complexity and
timeouts, control application availability, notify on policy changes, and many
more options to control the use of a mobile device in an enterprise environment.

BlackBerry provides a very considerable policy solution, with the disadvantage
that the BlackBerry Enterprise Server is necessary to enforce the policies. For
an organization this means it has to use Research In Motion devices and cannot
support a mixed deployment of different mobile devices running different mobile
operating systems.
C. iOS Policies:
iOS provides policy protection that can be delivered and enforced over the air
or locally. This enforcement can be controlled and configured using third-party
Mobile Device Management (MDM) solutions, for which Apple provides a separate
API. After an iOS device is registered with the MDM server, the device can be
controlled dynamically: the server sends XML configuration profiles to the
device, which enable secure use in an enterprise environment. A configuration
profile contains device security policies and restrictions, VPN configuration
information, Wi-Fi settings, e-mail and calendar accounts, and authentication
information that permits the device to work with the enterprise systems.
The supported device security policies and restrictions are shown in the
following lists.

Policies:
• Require pass code
• Allow simple value
• Require alphanumeric value
• Pass code length
• Number of complex characters
• Maximum pass code age
• Time before auto-lock
• Number of unique pass codes before reuse
• Grace period for device lock
• Number of failed attempts before wipe
• Control Configuration Profile removal by user
Restrictions:
• Application installation
• Camera
• Screen capture
• Automatic sync of mail accounts while roaming
• Voice dialing when locked
• In-application purchasing
• Require encrypted backups to iTunes
• Explicit music and podcasts in iTunes
• Safari security preferences
• YouTube
• iTunes Store
• App Store
• Safari
Additionally, the Mobile Device Management server can perform actions on the
iOS device, such as:
• Remote Wipe: remotely deletes all data on the device, restoring it to factory
settings
• Remote Lock: the server locks the device, and the device passcode is required
to unlock it
• Clear Passcode: removes the current passcode so the user can set a new one if
the old one was forgotten
• Configuration and Provisioning Profiles: the ability to add and remove
configuration profiles remotely

An advantage of iOS is that it runs only on a few Apple devices, so there is no
high platform version fragmentation as on Android. Unlike on Android, mobile
operating system updates reach every iOS device.
D. Windows Phone Policies:
The Windows Phone operating system was primarily designed for the consumer and
not the enterprise market and provides no native policy settings like Android or
iOS. But it supports Exchange ActiveSync policies, which are policy settings
applied by a Microsoft Exchange Server, also a Microsoft product. The Windows
Phone predecessor Windows Mobile supported all Exchange ActiveSync policies,
whereas Windows Phone supports only some basic policies:
• Password Required
• Minimum Password Length
• Idle Timeout Frequency Value
• Allow Simple Password
• Password Expiration
• Password History
E. Mobile Operating System Policies Comparison:
Comparing the policies of the different mobile operating systems, it is
noticeable that BlackBerry OS and iOS provide a larger number than the other
two, especially BlackBerry OS with more than 400. This can be explained by both
being the oldest on the market, and by BlackBerry OS being developed for
business use. But the largest number of policies does not mean the best solution
for an enterprise environment, as a scenario at Deutsche Bank shows. "We found
enterprise email on iPhone was a fantastic experience as it was easier and
faster to access data than on the Blackberry," said Chris Whitmore, an analyst
at Deutsche Bank. "It was also great to only have to carry one device for
personal and corporate email access".
A big problem for Android in the future will be the high fragmentation of
platform versions, so that updates affecting policies will not be available for
many Android devices, or only with a long delay.
Policy                   Android 2.2+   Android 3.0+   BlackBerry OS   iOS   Windows Phone
Enforce Password         Yes            Yes            BES             Yes   EAS
Complex Password         No             Yes            BES             Yes   No
Remote Lock              Yes            Yes            BES             Yes   EAS
Remote Wipe              Yes            Yes            BES             Yes   EAS
Storage Encryption       No             Yes            BES             Yes   No
Restriction              No             Yes            BES             Yes   No
Manage over Air          Yes            Yes            BES             Yes   EAS
EAS policies supported   9              13             None            14    7
Table: Mobile Operating System Policies (BES = requires the BlackBerry
Enterprise Server, EAS = via Exchange ActiveSync)
5. POLICY ENFORCEMENT:
A. Exchange ActiveSync: Exchange ActiveSync is a Microsoft product and a
"proprietary protocol that uses Extensible Markup Language (XML) over Hypertext
Transfer Protocol (HTTP) to synchronize Microsoft Exchange data to clients". Its
main function is to provide secure synchronization of e-mails, contacts and
calendars, but it can also be used to manage mobile devices: the administrator
sets up device policies on the server, and they are pushed to and enforced on
the device over the network.
B. BlackBerry Enterprise Server: BlackBerry OS does not support any Exchange
ActiveSync policies and uses the BlackBerry Enterprise Server solution to
enforce the over 400 policies on its devices. The following paragraph describes
how the data exchange between the mobile device and the BlackBerry Enterprise
Server works, which is necessary to enforce and synchronize the policies over a
network connection. The data exchange of the BlackBerry Enterprise Solution
complies with the strict requirements of government authorities and is certified
by NATO.
BlackBerry offers two transport encryption options, Advanced Encryption Standard
(AES) and Triple Data Encryption Standard (Triple DES), for the data exchange
between the BlackBerry Enterprise Server and the BlackBerry device. Corporate
data, like e-mails, sent to the BlackBerry device is encrypted by the BlackBerry
Enterprise Server with a secret device transport key. These symmetric keys are
generated in a secure, mutually authenticated environment and assigned to the
BlackBerry device; each key is stored both in the user's enterprise account on
the server and on the BlackBerry device. The encrypted data is transferred
across the network to the device, where it is decrypted with the device's copy
of the same key. Data remains encrypted in transit and is never decrypted
outside the enterprise environment.
Fig: BlackBerry Enterprise Server and Device Data Exchange Model
C. Apple Mobile Device Management Server: In contrast to the BlackBerry
solution, Apple provides an API for developers to create their own solution for
managing mobile devices and enforcing policies. Enrollment and management work
as follows:
1) A configuration profile containing the mobile device management server
information is sent to the device. The user is presented with information about
what will be managed and queried by the server.
2) The user installs the profile, so that the device can be managed.
3) Device enrollment takes place as the profile is installed. The server
validates the device and allows access.
4) The server sends a push notification prompting the device to check in for
tasks or queries.
5) The device connects directly to the server over HTTPS. The server sends
commands or requests information.
Configuration profiles can be signed and encrypted. Signing a configuration
profile ensures that the settings it enforces cannot be altered without
detection. Encrypting a configuration profile protects the profile's contents
and permits installation only on the device for which it was created. For the
protected exchange of corporate data, iOS provides technologies like VPN (IPSec,
L2TP and PPTP), SSL/TLS and WPA/WPA2.
D. Virtualization: Virtualization means the ability to run multiple instances
of an operating system on one system, like a mobile device, using one modified
system kernel. Every instance has its own environment with its own file system,
and applications and processes are assigned to exactly one instance. The main
benefit of virtualization is that malicious or corrupt applications are isolated
and have no effect on the other operating system instance [38]. It also opens
new security capabilities for using a mobile device in an enterprise
environment. Virtualization could, for example, handle the problem of mixed
private and business use by running one instance for enterprise purposes with
strict policies and one instance for private purposes with no or weak policies.
Both virtualized instances run isolated from each other, and the user can switch
between them without using a second mobile device.
Currently no mobile operating system supports virtualization by default, but
because Android is an open source operating system there are projects enabling
it, like L4Android. There, the developers run the modified Linux kernel on top
of a microkernel, which provides only the necessary functionality of a kernel.
The disadvantage of this solution is that every mobile device needs to be
updated with this modified software.
E. Application Signing: Application signing "ensures the integrity of the code
downloaded from the Internet. It enables the platform to verify that the code
has not been modified since it was signed by its creator". Android applications
are signed with a certificate whose private key is held by the developer. The
certificate does not need to be signed by a certificate authority, which means
it is allowed and typical to use self-signed certificates. So companies have the
opportunity to use their own certificate for their policy enforcement
application. Ways to distribute the application to employees are the official
Android Market or non-market installation via flash drive, e-mail or a website.
Apple's iOS and Windows Phone applications must also be signed, but with an
issued certificate. This ensures that applications have not been manipulated and
lets the runtime check that an application has not become untrusted since it was
last used. Unlike Android applications, iOS and Windows Phone applications can
officially only be distributed through their specific application market. The
disadvantage of this solution is that updates to a self-developed policy
application cannot be made available in real time and must first be reviewed by
Apple or Microsoft.
6. CONCLUSION
Every mobile operating system supports different policies and policy
enforcement, so an organization has to choose the mobile operating systems it
wants to deploy. This is not an easy task, as the Deutsche Bank example shows,
because it is important for the user to use the device in both an enterprise and
a private environment. In addition, the high diversity of mobile devices means
that every employee has different device preferences. The high device and
platform fragmentation and the mixed environment lead to the assumption that a
multi-platform solution like Exchange ActiveSync is the best way to enforce
policies in an enterprise environment. For a small organization, however, a
complex solution like Exchange ActiveSync will not be the best way. Smaller
organizations are probably better advised to use a complete solution like a
third-party iOS Mobile Device Management server, even if it binds them to
specific mobile devices. As mentioned in the policy comparison in the fourth
chapter, Android 2.2 offers fewer policies than BlackBerry OS or iOS. If Android
wants to take advantage of its high market share in the future, it has to find a
solution for the platform fragmentation problem in order to get the policy
improvements that come with Android 3.0 onto the devices.
