Google Backs New Security Standard for Smartphone VPN Apps

The Internet of Secure Things Alliance, an IoT security certification body (a.k.a. ioXt), has launched a new security certification for mobile apps and VPNs. From a report: The new ioXt compliance program includes a 'mobile application profile' -- a set of security-related criteria against which apps can be certified. The profile or mobile app assessment includes additional requirements for virtual private network (VPN) applications. Google and Amazon had a hand in shaping the criteria, along with number of certified labs such as NCC Group and Dekra, and mobile app security testing vendors such as NowSecure. Google's VPN within the Google One service is one of the first to be certified against the criteria. Mobile app makers can get their apps certified against a set of security and privacy requirements. The ioXt Alliance has a broad cross-section of members from the tech industry, with its board comprising execs from Amazon, Comcast, Facebook, Google, Legrand, Resideo, Schneider Electric, T-Mobile, the Zigbee Alliance, and the Z-Wave Alliance. About 20 industry figures helped write the requirements for the mobile app profile, including Amit Agrawal, a principal security architect at Amazon, and Brooke Davis from the Strategic Partnerships team at Google Play. Both are vice-chairs of the mobile app profile group.

When an IOT device "phones home"

[Anonymous Coward]

It should do it over a VPN. Maybe this will help with that.

Re:

[BAReFO0t]

It should not phone home *at all*.
That should be literally a crime with a prison sentence.

So you're already implying assumptions that try to shift the discussion into us accepting that assumption too. (That phoning home would ever be acceptable.)

Re: When an IOT device "phones home"

[martynhare]

Phoning home is normal and acceptable to grab updates and provide valid diagnostic info. Users and industry alike agreed that this was fine at the turn of the millennium, very much predating IoT. It is through the cooperation of users in allowing diagnostic data to be collected that computing has become as reliable as it is today, despite more code churn than ever before. Letâ(TM)s not confuse the abhorrent actions of intelligence agencies and the invasive behaviour of scummy advertising companies wit

Useless without gov't buy-in

[sinij]

This certification is not going to be very popular unless government or PCI DSS makes it mandatory for procurement. Which they won't, because there is already FIPS, Common Criteria, and DoDIN APL certifications that cover VPNs.

No. No. No. Fuck no.

[lessSockMorePuppet]

Fuck you piece of shit Alphoogle.

No, I don't want you in the middle of my VPN. That's why I pay someone else. That's one of the reasons I HAVE a VPN.

FUCK. YOU.

I don't trust a single name I read

[mccalli]

Sorry - not a single corporation there is anything I trust. Far too many vested interests to come up with something like this.

Re:

[aaarrrgggh]

Google and Amazon do have interests in making secure VPNs for cloud and device purposes, but all parties do seem to have multiple conflicts of interest. I don’t worry as much about LeGrande, Schneider, zigbee or zwave as those parties need IoT to work and should favor a non-cloud approach.

What is really odd is everybody that is missing.

Re:

[Ostracus]

Considering VPNs are practically the keys to the kingdom, everyone needs to be on that list.

Google & Amazon had a hand in shaping the crit

[QuietLagoon]

... So, there's data slurping involved?

great starting point

[wap911]

I found this chart several years in my search the "the best" [for my needs]

Disclaimer: I am retired and do not receive any compensation from any one, this is my experience and opinion only.

Here is a link to LifeHacker article:
This Massive VPN Comparison Spreadsheet Helps You Choose the Best for You [lifehacker.com]
It is massive both service and width, goes out to column BC.
Price, "5 Eyes" and "3 eyes" - 3 if I remember is USA, England, Canada.

I chose Private Internet Access [privateinternetaccess.com]. good price

Re:

[BAReFO0t]

1. The page has moved.
2. The table is now well-hidden inside a massive page consisting mosly of "sponsored" VPNs (aka ads).
3. They recommend ExpressVPN for questionable reasons.
4. They still list IPredator, despite being superseeded by Njalla.
5. They ignore that IPredator/Njalla is run by the Pirate Bay guys and hence much more trustworthy than any normal business.

Re:

[wap911]

Sorry I had not reached Caffeine Saturation level 3 yet.

I was working from folder in 2017 which seems to be when That Guy sold out.

What ever it is that the link redirects to fits my view of US
We are not far from only 3 people owning everything
Moe, Larry & Curly and everything is upside down and backwards [for the youngsters that's the 3 Stooges]

I still support PIA and usually connected to US Texas in Dallas as I am about 330 miles south of there and
it is usually the best one "for me".
At times

*Which* requirements? *Which* criteria?

[BAReFO0t]

Stop the empty words! Name them!

Instead of trying to trick us with appeal to "authority" and to popularity fallacies.

Fake solution

[mrwireless]

The narrative around these VPN implementations is that they make it safer to move the data out of your home, to the cloud. However, in 99% of smart home use both the user and the targetted device are on the same local network.

What we really need is easy HTTPS inside the LAN. Then we could have encrypted communication between smart home devices and interfaces inside the home itself. For example, to use https on open source smart home controllers such as Home Assistant, users would see the same scary "this ce