Parallels Mobile Security

I am looking for more information about Parallels Mobile function security and its assurance level. The feature allows remote access to my computers and their virtual machines. Not only that, it also uses 3rd party equipment (Parallels Desktop servers) and Internet connection with machine's username and password.

My questions:
1) Are there any documents that explain the security and protection from using Parallels Desktop Mobile?
2) What kind of encryption is being used to secure communication from iDevice to Parallels Servers to computers?
3) Is my username/password stored in other devices other than my iDevice and computers e.g. Parallels Servers?
4) Does my username and password used as-is or it is transmitted as a hash?
5) What kind of protocol is being used for remote desktop e.g. VNC?
6) Does direct connection method transmit any data other than between my iDevice to my computers (outside of my local network)?

This is a great feature but I would like to be assured that it is secured before using it on daily basis.

 

According to their FAQ, Mobile does not (currently) work with encrypted VMs. So, in order to achieve encrypted use (e.g., for remote access), you would have to establish a VPN connection. I have not tested this, so I can't speak to impact on performance, but I'm sure it will slow it down. Just not sure to what extent.

 

Does anyone have an answer to question #2? Is the communication between the iDevice and computer encrypted? What if you do a direct connection only? How is the Mobile Server secured?

 

I haven't used this feature but I think there's some misunderstanding about encrypted VMs and and encrypted communication.

The fact that the FAQ says encrypted VMs are not currently supported this is only relevant to the way the virtual hard disk is stored and accessed on the local computer, this is not relevant, nor it has any implication on the security of the connection and remote access. It's not supported probably because the this module cannot (yet) read the encrypted information from the virtual hd.

As to your various questions, Parallels doesn't have any public documentation detailing that, unfortunately. Only a Parallels spoke person can answer that, or someone that has sniffed the connection being made.

 

Thanks for clarification and I understand the distinction. As you identified, I am more concerned with the communication (data sent between VM and iDevice) and the role played by the Parallels Mobile Server.

Anyone from Parallels willing to shed some light?

 

Bumping Post.

I have not seen the answer to this anywhere as of yet. Has any further information been discovered about this?

Paul
Adelos

 

Any further info?

I was happily working on my iPad when the question of security reared its ugly head. I am not comfortable without the precise knowledge of how secure this connection is. As long as my logon info for Mobile is my Parallels account info, I feel that it it potentially leaving my Mac/Pc open to invasion. I hope that some official word from Parallels is forthcoming.

 

I have briefly loaded and reviewed wireshark to look at the network traffic. It appears to be creating a SSL tunnel to relay the traffic through. However, I was seeing my device iPad name showing in the traffic before the SSL traffic initiated. I would have to review it further before I would say it is encrypting the authentication. It looks like it is, but it has been a long time since I studied packet analysis. The screen refreshing to the device is going through SSL and the response time is pretty good. I also do not know what strength the encryption is since Parallels does not list it anywhere and I am a novice at packet review.

Personally, from what I have reviewed, I would use is for personal task but not for business. Even if I knew what level of encryption was being used for the authentication and traffic, I would not use it for business tasks until Parallels states the tech specs on the security of encryption.

It is also odd that the mobile app can not open an encrypted virtual disk, but I can live with that. My next attempt will be to go through 4g on the iPad vs wifi to really take a look at the network path the traffics goes through.

Paul

 

no official word yet?

Since I am only using Parallels mobile as an experiment, I've made sure to log out on the desktop each time. It's obviously not convenient nor conducive to working spontaneously on the go. In addition, I had previously set up my Parallels to access my entire Mac drive. I've set it now to limit access to 2 particular folders from within Parallels - not all that inconvenient since I can still have access to my entire Mac drive anyway by 'switching'.

Using Mobile really slows down the graphic based application I'm experimenting with, but it has potential, but unless we are guaranteed a secure connection, many of the potential customers using that app won't touch Mobile.

So I take it that there has been no official word from Parallels on what level of security they have employed?

 

Tech Support Loop

Interesting for sure. Emails are always returned by tech support suggesting I discover my answers on their forum, and as we all know, they at least never answer the many requests that they may or may not read at all. Seems like the only answer to this tech support loop is RSTP.

-------------

Well, I had filed a tech support request and just received their answer below:


> [shanawaz.khan1 - Sun Jul 08 01:16:18 2012]:
>
>
> Hello Terrence,
>
> Thank you for your response.
>
> I understand that you need to know about the Encryption of Parallels
> Mobiles.
>
> The Encryption is your Email Address and Password of your Parallels
> Account.
>
> Based on the resolution that has been sent to you, this ticket will be
> placed in the Resolved – Pending for Customer Confirmation queue.
>
> If this ticket has not been resolved to your satisfaction, please feel
> free to reply to this ticket within the next 14 days and we will
> reopen it for you.
>
> Your opinion is valuable to us, please fill in the survey which will
> be sent to you automatically as I change the status of your ticket
> to "Resolved". Parallels takes your feedback very seriously and
> each survey is reviewed carefully to identify and act on
> opportunities for improvement.
>
> We appreciate your time and consideration.
>
> Thanks,
> --
> Shanawaz Khan
> Technical Support Engineer
> Parallels.
--------------------


Whatever I had hoped to receive, I certainly didn't expect this response …… I think it speaks for itself.