#1 2017-12-12 03:48:43

Demetris
Member
Registered: 2017-12-12
Posts: 2

Containerisation on devices

Currently,  calendars (and contacts) synced to Android devices are exposed to other apps - any calendar app could be used to access the calendar data (and similarly for contacts).
Suggestion: it would be nice to sync data so that it is not generally available to other apps, possibly "bundle" generalsync to a specific calendar app. This would ensure that the data are protected and "containerised" , an important issue for business customers and other people who use business-provided devices.

#2 2017-12-12 05:25:25

ds
Founder / Developer
From: Freiburg, Germany
Registered: 2016-06-15
Posts: 222

Re: Containerisation on devices

Demetris wrote:

Currently,  calendars (and contacts) synced to Android devices are exposed to other apps - any calendar app could be used to access the calendar data (and similarly for contacts).

Technically, calendars and contacts are managed by Android. GeneralSync cannot influence if or how other apps can access these calendars / address books.

Android will, by default, block apps from accessing your data unless the app has been granted a specific permission. Usually, these permissions are granted by installing the app – more recent versions of Android and some Custom-ROMs will (additionally) ask you the first time an app tries to access a calendar or contact, and permit to block the request. That way, you get the best of both worlds: you can still use any app you want, without permitting all apps to access your data.


Demetris wrote:

Suggestion: it would be nice to sync data so that it is not generally available to other apps, possibly "bundle" generalsync to a specific calendar app. This would ensure that the data are protected and "containerised" , an important issue for business customers and other people who use business-provided devices.

Did you have some specific usage scenario in mind?

As far as I know, business phones are either completely locked down or already have "containers" on the operating-system level. In the first case, any app on the device has been reviewed by the company's IT department, and is thus safe to use. In the second case, Android makes sure that any content within the "work"-container is invisible to apps installed by the user. If GeneralSync is, for example, installed in the "work"-container, its calendars and address books can only be accessed from other apps within the "work" container.

In both cases, I don't see any advantage in preventing Android from accessing GeneralSync's data. It would, however, affect many useful features: for example, the incoming call notification could no longer display the name of the caller.

#3 2017-12-12 05:55:49

Demetris
Member
Registered: 2017-12-12
Posts: 2

Re: Containerisation on devices

The general idea is to prevent sideways leakage of personal information - ideally, an app could encrypt data at the application level (as opposed to the device level), applying a separate layer of protection in the event that the device gets compromised. A possible scenario would be a simple calendar implementation which encrypts data at rest using a key based on a Passcode supplied by the user. Caller-ID could be provided by syncing selected contact fields to the device (EssentialPIM and BlackBerry Work operate on a similar sort basis).

GeneralSync is fantastic -  don't get me wrong! I am just looking ahead at possible extensions,  based on my experience with enterprise apps. Containers (e.g. AfW/Knox etc) can be difficult to work with, whereas app-level security has several advantages.

Many thanks again for all your help and comments.

#4 2017-12-12 07:01:11

ds
Founder / Developer
From: Freiburg, Germany
Registered: 2016-06-15
Posts: 222

Re: Containerisation on devices

Demetris wrote:

The general idea is to prevent sideways leakage of personal information - ideally, an app could encrypt data at the application level (as opposed to the device level), applying a separate layer of protection in the event that the device gets compromised. A possible scenario would be a simple calendar implementation which encrypts data at rest using a key based on a Passcode supplied by the user.

I'd consider being forced to use a specific app for calendars/contacts and having to enter a passcode for that app to be way more "difficult to work with" than a container solution, but I have to admit that I only read some technical documentation and never used these things in practice. Maybe the real world looks different. I'll keep that in mind.

Independently of that, I don't think application-level encryption has a big impact on security: most attackers that are able to circumvent device-level encryption and gain full access to the phone are also able to read decryption keys from memory or use a  keylogger to gain access to the passphrase. However, usability would be severely limited (for example, you'd need to re-enter the passphrase whenever Android restarts GeneralSync, for example due to a memory-intensive foreground activity).

Demetris wrote:

Many thanks again for all your help and comments.

Many thanks for participating in the beta and giving feedback!

Board footer