Galen Gruman
Executive Editor for Global Content

Business smartphone, personal smartphone: One device

analysis
Feb 28, 2012

New technology offers true separation of work, personal options on mobile devices -- for users and IT support teams

Maybe you can have your cake and eat it too. The bring-your-own-device (BYOD) phenomenon has caused significant consternation among IT and security pros, as it commingles personal and work information on a single device managed mainly by users. This reality is now accepted, if not loved, as first iPhones, then iPads, and now Android become standard portable computing tools, supplanting the old-guard Windows Mobile and BlackBerry devices.

Although heavily regulated industries such as financial services have made their peace with Apple’s iOS devices, some users still need more information security than iOS and third-party mobile device management (MDM) tools can provide. In government, many employees are simply not permitted to use consumer-oriented devices such as iPhones and Androids for work purposes. Many of these people carry both a government-issued BlackBerry or Windows Mobile device and a personal iPhone or Android. But later this year, they may not need to juggle two smartphones any more.

Parallel operating systems separate virtual smartphones

This spring, Korean manufacturer LG — not a device maker known for security-savvy smartphones — will deploy Android smartphone prototypes for U.S. federal government testing that run two separate operating systems, one managed by the user and one by the government. The secret sauce is Open Kernel Labs’ OKL4 microkernel hypervisor (what OK Labs calls a “microvisor”), which runs directly on a smartphone’s or tablet’s processor and hosts one or more operating systems on top of it. Each operating system is thus its own environment, and apps, content, and so forth in one environment are isolated from those in the others.

It’s not the same as hosted desktop virtualization, where a “guest” operating system runs in a virtual machine that resides inside a “host” operating system, so the guest and host can interact and a compromised host exposes every guest. OKL4 is a bare-metal (Type 1) hypervisor: there is no host OS beneath the environments, only the microkernel, so for all intents and purposes you have several virtual devices running in parallel from the same device’s core processor. The flip side is that the microkernel itself becomes the one component whose isolation must be trusted.

LG won’t be the only device maker using the technology, notes Steve Subar, OK Labs’ CEO, though he can’t yet comment on the others. But Subar does say devices running OKL4 will ship this year, aimed initially at government customers who need more separation between business and personal usage than is available now. He expects device makers to offer the same separated-OS functionality to corporate customers as well.

By separating the OSes from each other but giving them access to the same underlying hardware, Subar says, users won’t experience the slowdown common to traditional desktop virtualization approaches. Thus, device makers will be able to use widely available, low-power ARM and Intel processors. Supported ARM designs include the Cortex-A8, Cortex-A9, ARM9, and ARM11 cores, whereas on the x86 side only Intel Atom processors are supported.

The hypervisor-based approach also means that any mobile operating system can be run in parallel with any other, as there’s no need for a VM to be compatible with a host OS. The LG devices will likely run a commercial version of Android for the personal environment, and the government environment will likely run a secured version of Android developed by the National Security Agency. But Subar expects device makers to offer devices that run Android alongside Windows Mobile, which is widely used in government and has more security capabilities than most other mobile OSes, except Research in Motion’s BlackBerry. He expects Microsoft’s Windows Embedded Compact, Windows Phone 7, or Windows Phone 8 to be available, though it’s up to device makers and Microsoft to deliver.

The OK Labs technology is OS-neutral, so device makers and OS makers could partner to create devices that also run any of iOS, BlackBerry, Symbian, Linux, or an RTOS (a real-time operating system of the kind used in embedded devices). But that doesn’t mean all these OSes will find their way onto OKL4-based devices. For example, I can’t see Apple supporting devices that run non-Apple operating systems. RIM has its hands full right now trying to reinvent its fading BlackBerry OS, and although its security capabilities are the only ones trusted for the most-sensitive government communications, RIM’s focus on moving into the consumer market may make the notion of being the secured OS on a multi-OS device a low priority in the foreseeable future.

Whatever OSes run on an OKL4-based device, they’ll have all the capabilities, security, and features those same OSes have when run on other devices. The management tools a company uses for, say, Android 4 “Ice Cream Sandwich” would work the same on an Android 4 “partition” on an OKL4-based device as they would on, say, a Galaxy Nexus. Users could have two phone numbers, with the corporate number billed to the agency or business, Subar says. The devices would not have separate radios; instead, they would use existing carrier technology to partition communications across two identities, such as using VoIP on one partition.

The less-separate separation options

There are other ways to separate user environments, at least on Android. Companies such as Enterproid and Cellrox are working on apps that create a common sandbox for corporate apps and data, so users switch between two Android environments whose apps cannot communicate across that divide. This approach runs one copy of Android but makes it appear to be two parallel versions; because both environments share one kernel, the separation is only as strong as the sandboxing that the single OS enforces.

Antenna Software and Fixmo take a similar approach. Both place the secured apps in a common application “folder,” rather than in what appears to be a separate environment the user must switch to. Both containers are available for iOS and Android devices, and they include separate email and contact management apps. For Fixmo on iOS, you can install native homegrown apps, as well as third-party apps modified to support the Fixmo container; on Android, the container is currently limited to homegrown apps using the Fixmo APIs. Antenna’s container is limited to installing homegrown HTML5 apps that use the Antenna APIs.

That constrained application set helps tools such as Antenna’s and Fixmo’s ensure security, but it also means users can take advantage of only a fraction of the software capabilities a smartphone offers, generally just standard email, contacts, calendaring, and homegrown dashboard-style apps.

Another approach is to bake application security and information management into apps themselves. AppCentral offers such capabilities for enterprises’ homegrown apps, and three of the major MDM providers — Good Technology, MobileIron, and SAP Sybase — offer technology to commercial developers that let apps be managed by their MDM tools. In this case, there’s not so much separation as there is application-level management that can include rules that disallow information sharing or limit corporate network access to secured apps.

MDM tools can also be used with iOS’s native sandboxing to manage corporate-provisioned apps, though Apple does not let apps peer into other apps; that’s a security measure that has the consequence of restricting the ability of third-party tools to control others’ apps. RIM has a similar capability in BlackBerry OS 7 when managed through BlackBerry Enterprise Server (BES) 5.0.3.

IT has several options to separate corporate and personal information on smartphones and other mobile devices. But for the ultimate separation — and the ability to have different OSes, not just environments, on one mobile device — the OK Labs technology is, for now at least, the only game in town.

This article, “Business smartphone, personal smartphone: One device,” was originally published at InfoWorld.com.