- New vulnerability exposures highlight the continuing riskiness of enabling the use of Android devices within the enterprise, but carefully crafted BYOD policies can reduce that risk.
- Google needs to step up its mobile security practices if it truly wants to be an enterprise player.
The steady drumbeat of news regarding Android security weaknesses – whether in the OS or the applications that run on it – does not seem to be having much of an impact on Google’s security practices. It should be well known by now that the vast majority of mobile malware targets Android devices. Earlier this year, endpoint security firm F-Secure found that 99% of new mobile malware targeted Android. This week, it was revealed that most versions of Android in use today include a vulnerability that enables rogue apps to make unauthorized calls or disrupt ongoing legitimate calls. Although Google fixed the flaw in Android version 4.4.4, which it released last month, very few Android devices run that version. Moreover, given the slow rate at which Android devices are patched or upgraded to the latest version of the OS, the vulnerability could continue to haunt the vast majority of Android smartphones for some time to come.

IT, as it crafts its policies for personal smartphone use in the enterprise, can address that issue by requiring users to keep their device OS up to date in order to gain access to the enterprise network from their smartphones. IT can also investigate which handset makers are faster at upgrading their Android devices’ mobile OS and put those devices on a list of acceptable smartphones for use within the enterprise. My colleague and mobile device maven Avi Greengart tells me that both Motorola and HTC have formal pledges to rapidly update Android. Other IT folks may go so far as to allow only Apple iOS devices to access corporate networks in their BYOD policies.
Last month, another new, potentially wide-ranging Android security risk came to light when Columbia University researchers revealed that many apps in the Google Play store can be easily compromised to enable cyber criminals to steal corporate and personal data. The researchers found that many Android developers store the secret authentication key for their apps within the app itself. Since the apps can be fairly easily decompiled using commonly available tools, cyber criminals could easily steal the keys and use them to decrypt data that the application stores on a remote server, including servers used as part of a cloud service such as Amazon Web Services or Dropbox, for example. IT may want to ban the use of any Google Play personal productivity apps in which users would store corporate data and provide safer alternatives.
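The finding above, that credentials packaged into an app are recoverable by anyone who unpacks it, turns into a simple release-gate check that a development or IT vetting team can run over an APK before it ships or is approved for corporate use. The following is an added example, not code from the article or from the Columbia researchers; the sample APK contents are constructed placeholders, the AWS access key ID format (AKIA followed by 16 characters) is the documented one, and the secret-key and generic API-key patterns are assumptions tuned to limit false positives.

```python
import io
import re
import zipfile

# Credential formats to flag. The AWS access key ID format is documented; the
# secret-key and generic patterns are assumptions and will need tuning per project.
PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "aws_secret_access_key": re.compile(
        r"(?i)secret[\w.\-]*\s*[=:]\s*([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"),
    "generic_api_key": re.compile(
        r"(?i)(?:api[_\-]?key|token)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}


def extract_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Pull printable ASCII runs out of any zip entry, so binary files such as
    classes.dex are covered as well as plain-text resources (like the `strings` tool)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def scan_apk_bytes(apk: bytes) -> list[dict]:
    """Return one finding per embedded credential; the value is redacted for the report."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for name in zf.namelist():
            for s in extract_strings(zf.read(name)):
                for kind, pat in PATTERNS.items():
                    for m in pat.finditer(s):
                        value = m.group(m.lastindex or 0)
                        findings.append({"entry": name, "kind": kind,
                                         "redacted": value[:4] + "..." + value[-2:]})
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a packaged app (an APK is a zip): a properties file with
    placeholder credentials and a fake dex blob with a key between non-printable bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/cloud.properties",
                    "aws.accessKeyId=AKIAEXAMPLEKEY000001\n"
                    "aws.secretKey=PLACEHOLDERplaceholder0123456789ABCDEFGH\n"
                    "endpoint=https://example.invalid/bucket\n")
        zf.writestr("classes.dex",
                    b"dex\n035\x00" + b"\x00" * 16
                    + b"api_key='PLACEHOLDER_TOKEN_0001'" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_apk_bytes(build_sample_apk()):
        print(f"{f['entry']}: {f['kind']} ({f['redacted']})")
```

A hit from this scan means the key must be moved server-side (for example behind a token-issuing backend) and rotated, since the copy already shipped in any released build has to be treated as public.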
Google’s security screening of apps it allows in Google Play apparently is not up to snuff in weeding out such risky applications. That needs to change if Google truly wants to expand its reach into the enterprise. Android phone use within the workplace is a reality today, but there is no guarantee that it will grow. One or two high-profile breaches enabled through Android devices could cause IT to tighten controls over which devices are allowed in the enterprise. Google needs to step up its mobile security game if it wants to be more than a consumer company. The good news is that the upcoming Android L release, due late this year, includes more security controls, such as the use of the Samsung Knox container technology and management APIs that will be part of Google’s Android for Work developments. Now, let’s see what Google can do to better filter out insecure or malicious apps from Google Play.