Android BYOD Security based on Trusted Network Connect » History » Version 21

Andreas Steffen, 08.04.2013 15:50

Android BYOD Security based on Trusted Network Connect

An experimental BYOD version of the popular strongSwan Android VPN Client allows the collection of integrity measurements on Android 4.x devices. A special Android BYOD IMC written in Java communicates via the TNC IF-M 1.0 Measurement protocol with an Operating System IMV and a Port Scanner IMV. The strongSwan Android VPN Client transports the IF-M messages (RFC 5792 PA-TNC) in IF-TNCCS 2.0 Client/Server protocol batches (RFC 5793 PB-TNC) via the IF-T for Tunneled EAP Methods 1.1 Transport protocol protected by IKEv2 EAP-TTLS.
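As an added example (not code from the strongSwan project or the Android client), the IF-M / PA-TNC (RFC 5792) framing named above: a message header, an attribute header, and the standard Port Filter attribute a BYOD IMC could use to report listening ports to a Port Scanner IMV, plus a strict parser and a verifier-side check. The allow-list policy in `scanner_imv_recommendation` is an assumption for illustration, not the IMV's actual policy.

```python
import struct
PA_TNC_VERSION = 1
PEN_IETF = 0           # vendor ID 0: standard IETF PA-TNC attribute types
ATTR_PORT_FILTER = 4   # RFC 5792 section 4.2.5: reports open / blocked ports
FLAG_NOSKIP = 0x80     # attribute flag: the receiver must not skip this attribute

def encode_port_filter(entries):
    # one 4-byte entry per port: 7 reserved bits + B(locked) bit, IP protocol, port number
    return b"".join(struct.pack("!BBH", 1 if blocked else 0, proto, port)
                    for proto, port, blocked in entries)

def encode_attribute(vendor_id, attr_type, value, noskip=True):
    # 12-byte attribute header: flags, 3-byte vendor ID, type, total length (header + value)
    return (struct.pack("!B", FLAG_NOSKIP if noskip else 0) + vendor_id.to_bytes(3, "big")
            + struct.pack("!II", attr_type, 12 + len(value)) + value)

def encode_message(message_id, attributes):
    # 8-byte message header: version, 3 reserved bytes, message identifier
    return struct.pack("!B3xI", PA_TNC_VERSION, message_id) + b"".join(attributes)

def parse_message(data):
    # returns (message_id, [(flags, vendor_id, attr_type, value), ...]); rejects bad lengths
    if len(data) < 8: raise ValueError("truncated PA-TNC message header")
    version, message_id = struct.unpack("!B3xI", data[:8])
    if version != PA_TNC_VERSION: raise ValueError("unsupported PA-TNC version %d" % version)
    attrs, offset = [], 8
    while offset < len(data):
        if len(data) - offset < 12: raise ValueError("truncated attribute header")
        flags, vendor_id = data[offset], int.from_bytes(data[offset + 1:offset + 4], "big")
        attr_type, length = struct.unpack("!II", data[offset + 4:offset + 12])
        # never trust the sender's length field: it must cover the header and stay in bounds
        if length < 12 or offset + length > len(data): raise ValueError("bad length %d" % length)
        attrs.append((flags, vendor_id, attr_type, data[offset + 12:offset + length]))
        offset += length
    return message_id, attrs

def parse_port_filter(value):
    if len(value) % 4: raise ValueError("Port Filter value is not a multiple of 4 bytes")
    return [(value[i + 1], struct.unpack("!H", value[i + 2:i + 4])[0], bool(value[i] & 1))
            for i in range(0, len(value), 4)]

def scanner_imv_recommendation(data, allowed_tcp_ports=frozenset()):
    # assumed IMV policy: an open (unblocked) TCP listener outside the allow-list -> 'isolate'
    _, attrs = parse_message(data)
    for _flags, vendor_id, attr_type, value in attrs:
        if (vendor_id, attr_type) == (PEN_IETF, ATTR_PORT_FILTER):
            for proto, port, blocked in parse_port_filter(value):
                if proto == 6 and not blocked and port not in allowed_tcp_ports:   # 6 = TCP
                    return "isolate"
    return "allow"
```

A web server listening on TCP 8080 (as in the scenario below) shows up as an open port outside the allow-list and yields the isolate recommendation.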

VPN Client Configuration

Android VPN client configuration

The Android VPN client profile BYOD has the following properties:

  • The hostname of the VPN gateway is
  • The user authentication is based on IKEv2 EAP-MD5.
  • Possible user names are john or jane and the user password is byod-test.
  • The server certificate is issued by the strongSwan 2009 certification authority.

Therefore the strongSwan 2009 CA certificate must be imported into the Android certificate trust store before the first connection can be attempted.

Unrestricted Access (TNC recommendation is allow)

Successful connection

If the BYOD IMC (Integrity Measurement Collector) does not detect and report any security issues to the OS, Scanner and Attestation IMVs (Integrity Measurement Verifiers) via the IF-M message protocol, then the TNC Server located in the combined strongSwan PDP/PEP decides to give the VPN client full access to the corporate network.

Restricted Access (TNC recommendation is isolate)

User John now makes the following changes on his Android phone:

Allow non-market Apps from unknown sources

Download and install Android Web server

  • If the Unknown sources flag is activated in the Settings/Security configuration menu of the Android device then a user might be lured into downloading malicious Apps via manipulated links. Setting this flag therefore poses a grave security risk.
  • The user also decides to download and install an Android Web Server from the official Google Play Store.

The next time John tries to access his home network, he is granted only restricted access and his VPN Client is directed to a remediation network.

Blocked Access (TNC recommendation is block)

Failed Connection

Remediation Instructions for Failed Connection

Remediation Instruction Details for Failed Connection