Charles Brookson - one question
Was he approached to weaken GSM encryption, or told to make it 'easier for spooks' in the first place?
The mobile malware landscape is changing. Standardisation might be a good thing for building ecosystems and making phones more useful, but the emergence of Android and iOS as leaders in the operating-system wars makes life easier for those who would target the data on your corporate devices. It also means there is more to …
"it is reasonable to enforce a company policy of not allowing rooted or jail-broken phones onto work premises."
A) Why is it reasonable?
B) What risks does it prevent? (in particular, risks that are not present with a factory-original phone?)
C) How do you expect it to be enforced?
D) How significant is the risk?
There'll often be easier options anyway. At a secure (UK MoD secrets onsite) establishment I'm familiar with, you just have to come in looking like a plausible printer/copier technician. No one will know or care who you really are (neither IT nor Facilities maintain the printers, it's outsourced), no one will be able to check who called you in, there will always be kit needing attention, and of course it will be networked and you will be allowed in with a laptop which you can plug in to the networked printer. And printers are full of nice dark corners where you could easily hide something the size of a Raspberry Pi.
The "security" people on that site have been notified of this hole. Apparently they get quite upset if you don't provide their required four weeks' notice for the usual class of visitor, but have no suggestions or concerns when there's a gaping hole in the organisation's procedures. They will, one day.
Some time ago I worked as a member of a 'tiger team'. It was ridiculous where you can get if you walk in wearing an HP polo shirt, carrying a laptop and some boxes with an HP logo on them (the polo shirt I got from a training class I attended, the box was from a spare part I ordered from HP).
One of the jobs I'd done was at the datacenter of a major international bank where that trick worked far too well; I was able to get to touch their root CA servers, plug in a USB drive and access it from a crash cart. I could have grabbed all their private keys if I was so inclined (disk wasn't encrypted).
"B) What risks does it prevent?"
Given a lot of "stock" phones will have an OS that is old, unpatched and vulnerable, the only reason I can see is to prevent users from having loaded un-vetted apps from dodgy sites.
However, there appear to be enough dodgy apps from the official site to limit that aspect as well...