Securing your Email with S/MIME

Today we start an awesome mini-series from one of our support gurus, DragonFly, about how S/MIME works in general, followed by tutorials on how to set up S/MIME in TouchDown on the iOS, Android and Mac platforms. Check out today’s tutorial on iOS!

Hi,

Dragonfly from NitroDesk support here. Today I’ll be describing how to import and use S/MIME certificates in Touchdown for iOS. With this functionality you can sign messages, proving that you are the person who sent that particular message, and optionally encrypt them, so that the email is readable only by the recipients you included on the message. Signing gives you non-repudiation and lets the recipient detect tampering, and encryption prevents unauthorized viewing of the message. This functionality is great for keeping your emails safe and ensuring that information comes from the right source. (For more information on how S/MIME works, here’s a good tutorial: http://technet.microsoft.com/en-us/library/aa995740%28v=exchg.65%29.aspx) Just know that to send an encrypted email, you need the recipient’s public key, and vice versa; a recipient’s public certificate can be verified from within Touchdown when that person sends you a signed message. Here’s what you’ll need before you get started:

First, you’ll need a certificate for S/MIME signing and the latest version of Touchdown. To get a certificate for S/MIME, contact your IT team. Also keep in mind that the only two certificate file types Touchdown supports are .pfx and .p12, and the file must include the complete chain up to the root certificate authority.

If you already have your certificate in IE but need to export it to your desktop, here’s how (in IE):

1. Go to Settings > Internet Options and click the Content tab.

2. Click on Certificates and find the one you want to export.

3. Click Export. Make sure you choose the option to export the private key and also to include all certificates in the certification path.

4. Choose a file path, and save it.

5. Don’t forget to remember the password you use to perform the export. This password prevents anyone else from being able to access the certificate. If you’re having difficulty with this process, contact your IT team and see if there’s another way you should be doing it. As with any operation like this, make sure you are staying within your IT team’s best practices so you stay in alignment with any security policies.

6. Once you have your certificate backed up to a file, send that file to your email as an attachment, and you’re ready to go.
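Before mailing the exported file to yourself, it is worth confirming that it actually contains what the steps above ask for: the private key and a chain that ends at the root CA. The check below is an added example using the Python `cryptography` library; it is not part of the original post or of TouchDown. The sample .pfx it builds (the "Example Root CA", the user@example.com certificate and the passwords) is constructed for the example so that it runs offline.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, pubkey, signing_key, is_ca):
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject)).issuer_name(_name(issuer))
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))


def build_sample_pfx(password: bytes, include_chain: bool = True) -> bytes:
    """Constructed stand-in for the file IE exports: a throwaway root CA plus
    the user's S/MIME certificate and private key, protected by `password`."""
    root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root = _cert("Example Root CA", "Example Root CA", root_key.public_key(), root_key, True)
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user = _cert("user@example.com", "Example Root CA", user_key.public_key(), root_key, False)
    return pkcs12.serialize_key_and_certificates(
        b"smime", user_key, user, [root] if include_chain else None,
        serialization.BestAvailableEncryption(password))


def inspect_pfx(data: bytes, password: bytes) -> dict:
    """Report whether a .pfx/.p12 file meets the tutorial's requirements.
    A wrong password raises ValueError, just as the phone would reject it."""
    key, leaf, extra = pkcs12.load_key_and_certificates(data, password)
    chain = [leaf] + list(extra)
    # Each certificate must be issued by the next one, and the last one must
    # be self-signed: that is the root CA the tutorial says must be included.
    linked = all(chain[i].issuer == chain[i + 1].subject
                 for i in range(len(chain) - 1))
    ends_at_root = chain[-1].issuer == chain[-1].subject
    key_matches = (key is not None and
                   key.public_key().public_numbers() == leaf.public_key().public_numbers())
    return {
        "has_private_key": key is not None,
        "key_matches_cert": key_matches,
        "chain_length": len(chain),
        "chain_complete": linked and ends_at_root,
        "subject": leaf.subject.rfc4514_string(),
    }
```

Run `inspect_pfx` on a real export (read the file as bytes) and, if `has_private_key` or `chain_complete` is False, repeat the export with "export the private key" and "include all certificates in the certification path" selected.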

Let’s start with the iOS version.

S/MIME for iOS

In this demo, I show how to send an encrypted email to the ‘welovenitrodesk’ account.

First, I want to ensure that I have my certificate for S/MIME, so I find the email with the attached certificate, and view it in the attachment list.

[Image: the attached certificate; note that the file type is .pfx.]

After downloading, I click the ‘I’ icon and choose to ‘Import for both.’

[Image: choose Import for Both.]

A password prompt appears.

[Image: the password prompt. Enter the certificate password that was created when you generated the certificate.]

After you enter the correct password (this is the password set when you exported the certificate from your browser; contact your IT team for help with this), Touchdown tells you that your certificate has been saved.

[Image: the saved-certificate message.]

Now that I have a certificate, I’m ready to send the welovenitrodesk account an encrypted message:

I click on the tools/options icon and enable Encryption and signing.

[Image: the tools icon used to enable encryption and signing.]

[Image: signing and encryption enabled for the email.]

I send the email. If you see the message below, it means you haven’t yet validated the recipient’s public certificate from a signed message. (This can also be done through the GAL if your company supports it.) Remember how I said earlier that to send an encrypted email you need the recipient’s public key? Now I just need to fetch it. Thankfully, a while back welovenitrodesk sent me a signed message, which contains that key.

[Image: the error shown when the recipient’s certificate is missing. Oops!]

I find the email where welovenitrodesk sent me the key, and click on the lock icon.

[Image: welovenitrodesk sent me a signed message.]

I click ‘verify signature’ and it verifies.


Now I can send that encrypted message!

I attempt to send the encrypted message again, and this time it goes through.

Back in the welovenitrodesk account, after importing my public certificate and the welovenitrodesk certificate, I open the encrypted message and am able to decrypt it successfully.

[Image: the signed and encrypted email.]

Clicking on the lock icon, I can confirm that it is indeed signed and encrypted.

Hope this helps you get a better understanding of how to use S/MIME functionality with Touchdown for iOS. If you have any questions, please feel free to contact us at iossupport@nitrodesk.com for any iOS queries. Be sure to check in on Monday for Part II, S/MIME for Android. Thanks for reading!

What Technologies are Enterprises investing in?

Great infographic from the Economist (Economist Intelligence Unit, June 2013) indicating what types of technologies enterprises are investing in. It kind of speaks for itself, doesn’t it? (We love our TouchDown Email.) Very interesting what the forecast is for the next three years. But wait, there is no mention of MDMs… 😉


Is your Smart Phone Too Smart?

Did you know that your phone works even when “at rest”? Indeed, whether you just let it “fall asleep” or actively put it to rest, your smart phone will continue to send data, and sometimes to surprising locations. Certain apps (Foursquare, Talking Tom) have even been found to send your personal data, like your address book, and sometimes even your phone’s exact location and your IMEI (your phone’s unique identifier). Now, I don’t know about you, but I don’t want my phone broadcasting anything about me, my data usage or my location without my specific knowledge and consent. And I certainly don’t want my teenagers’ location and private information being sent out to advertisers when they use the popular app “Talking Tom”, which Channel 4 News found to be sending such private data to the advertising company mopub.com (read more here). Looks like I’m taking that app off my kids’ phones when I get home.

Then there’s Google, the beloved (and brilliant) search engine. We’ve known for a while now that Google actively mines users’ email when they use Gmail, but it makes you wonder: is it safe to use Google Hangouts as a text messaging service, or Waze, the awesome social traffic-sharing app, without fearing your personal information will be shared with someone looking to benefit from it? Personally, I’ve stopped using Google+ and have even given up my beloved Waze. Although I have always applauded Google for its search engine’s capabilities, I hesitate to give it full access to all my data, whether through Gmail, Google+ or apps like Waze. One of the reasons I love TouchDown is that I know where my email is going and where it is being stored. I know my address book isn’t being shared. While I knowingly give up some privacy when I use Facebook, I would never “Sign in with Facebook” just because I don’t want to look up a forgotten password…

In short: be wary, be careful and be smart. Your data should stay YOURS, and you should know where it is going.

Android Security issues – but not for TouchDown!

Yesterday developer Sebastian Guerrero Selma was able to use Firefox to lift data from the local storage on an Android device, and even to access data stored within the browser itself. As Androidcommunity.com described in a blog article yesterday, passwords and other private information can be taken using file:// syntax. If a user visits a site that carries malicious JavaScript code, their password and other information are sent on to the attacker who created the code, without the user ever being aware of the loss of privacy. The article cites SD card files, like your pictures and documents, as the kind of personal information you would not want anyone to get hold of; I can’t imagine someone having access to photos of my kids! Other apps also store information on the device, so this could potentially give attackers access to all the information on your device. Luckily, TouchDown doesn’t allow any outside access to its data. That’s right, TouchDown does not allow any other app to access information stored within TouchDown. (We love that!) And while that means you can’t instantly post a picture from an email to Facebook, it DOES mean that your information is safe. I prefer my email, contacts, calendar and to-do list PRIVATE.

Why TouchDown will never be Fingerprint Scan Enabled

Those who know TouchDown, NitroDesk’s secure email and productivity client, know that we are obsessed with the security of your data, both corporate and personal. With the shiny new iPhone 5S coming out, a lot of users have asked us if we’ll incorporate its new fingerprint scan measures into our iOS app. (Disclaimer: I do use an iPhone as one of my devices, and love it, so I’m not just hating on the iPhone.)

Currently, Apple has not released any of this information to developers, so developing apps that include this technology is not possible, our developer says, until Apple decides to let developers in on its new feature. For us at TouchDown, however, there are more security-related issues to be concerned about.

Security usually works in one of two ways: to protect your data, you use either something you know, like a PIN or password, or something you have, like a card that needs to be scanned or, in this case, your finger. But what happens when that item is out of the user’s control? In the case of biometrics, specifically a user’s finger, several thoughts come to mind.

Let’s say you are just a bit too drunk at a corporate dinner, on a fabulous first date, or at that fabulous party sponsored by one of the tech companies after a long conference. If you’re drunk enough, it is not too difficult for someone to ‘help you’ place your finger on your device. Don’t drink too much, you say? There are plenty of substances out there meant to incapacitate you mentally once a little something is dropped into said beverage.

Perhaps you are walking down the street with your new biometrically secured phone and, “slam!”, you are rendered unconscious by a blow to the head from a mugger. Now that you are no longer in control of your finger, it is incredibly easy for said mugger to use your digit to unlock all your data.

Even if you are just in a super deep sleep, it would not take much to pick up the ever-present finger and touch it to your device with a bit of pressure.

So you see, the inherent problem lies in relying on a security measure that is not in your head but is instead something you have, especially when that something is attached to your body and fairly easy to get to (versus your pupil, for example). As soon as you are mentally incapacitated, your fingerprint is just too easy to use. So, while we don’t think evil-doers will start cutting off fingers, it’s not too hard to imagine owners of in-demand fingerprint-secured devices being drugged, encouraged to inebriate themselves, knocked unconscious or otherwise forced to lose control over their digits.

Which all boils down to the fact that information in your head is still just safer, especially when you are unconscious. Now, I did read somewhere that the fingerprint technology in the 5S is designed to tell a live finger from a dead one… If that technology gets to the point where it can detect an inebriated finger, it would be a completely different story, of course. Until then…


Dr. Ferdico