Application Security Risks
Although the operating system and application distribution do have a few built-in security measures to make it more difficult for malicious programs to process and assimilate information, some malware designers have already found ways around Android's basic sandboxing, such as the recent DroidDream malware, which works by rooting the phone and sending the IMEI/IMSI and OS version back to a command-and-control server.
According to traffic analysis by AdaptiveMobile, Android malware distribution was up by nearly 400 percent last year. While this number is still fairly small compared to other platforms, more malware is likely to be around to target users as Android popularity increases. One thing to remember, however, is that anything a user downloads and installs will display a dialogue box showing exactly what “permissions” the app can use.
The problem is that many users do not pay any attention to the permissions and allow the programs to access their email, user-level controls and areas of their device that could compromise their security. Often, apps will ask for permissions that they actually don’t need, which is usually the fault of the app designer. While many of these apps are harmless, owing to app designers simply asking for more permissions than they need, some of these apps can pose a very serious security risk.
“Apps should request the least number of permissions possible to function appropriately, and users should be in the habit of not automatically granting permissions to apps whose functions wouldn’t seem to need them,” says Scott Kelly, Product Manager at AirWatch (a provider of mobile device management (MDM) products).
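The permission review the two paragraphs above describe can be done before an app is approved for company devices rather than left to the user at install time. The following is an added example, not code from the article or from any vendor it mentions: it parses a constructed AndroidManifest.xml for a hypothetical flashlight app, compares the requested `uses-permission` entries against the set the app plausibly needs (an assumption made for this example), and flags the excess, with particular attention to permissions that expose identity or personal data (for instance `READ_PHONE_STATE`, which grants access to device identifiers such as the IMEI).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for a hypothetical flashlight app that
# over-requests permissions. Not taken from any real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# What a flashlight app plausibly needs (assumption for this example).
EXPECTED_FLASHLIGHT = {"android.permission.CAMERA"}

# Permissions that reach identity or personal data. This is an illustrative
# subset chosen for the example, not an exhaustive list.
HIGH_RISK = {
    "android.permission.READ_PHONE_STATE",    # device identifiers such as IMEI
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def review_permissions(manifest_xml, expected):
    """Compare requested permissions with the expected set for the app's purpose.

    Returns sorted lists so the report is stable and easy to diff between
    app versions.
    """
    requested = requested_permissions(manifest_xml)
    excess = requested - expected
    return {
        "requested": sorted(requested),
        "excess": sorted(excess),
        "high_risk_excess": sorted(excess & HIGH_RISK),
        "missing": sorted(expected - requested),
    }


if __name__ == "__main__":
    report = review_permissions(SAMPLE_MANIFEST, EXPECTED_FLASHLIGHT)
    for key, value in report.items():
        print("%-17s %s" % (key + ":", ", ".join(value) or "-"))
    if report["high_risk_excess"]:
        print("REJECT: app requests high-risk permissions it should not need")
```

In a review workflow the expected set would come from the app's documented purpose, and anything in `high_risk_excess` is a reason to ask the developer why the permission is there before the app is allowed onto managed devices.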
Android OS Version Fragmentation
While malware may seem like the greatest risk to Android users in the business environment, an even greater risk might be due to fragmentation. With different devices running different versions of Android, many users are still using older, less secure versions without even knowing it. Users of older versions are much more vulnerable to security issues than those running the latest versions, as newer versions fix security holes found in older ones. It’s hard for a company to keep up with security issues within the Android pool when you might have three or four different versions of Android floating around the company.
“People focus on malware risks of Android, but arguably the greater risk is that fragmentation creates different user experiences,” says Ojas Rege, vice president of strategy at MobileIron, a provider of enterprise mobility management products.
While it may be nearly impossible to keep up with all the versions of Android running on all of your employees’ Android-capable devices, you can set a cut-off point for which versions are allowed in your company, such as cutting it off at Froyo or Gingerbread and above, or even KitKat. By establishing a minimum Android version requirement you can minimize fragmentation while still allowing greater latitude in the number of devices and versions your employees can safely use.
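The cut-off policy described above is easiest to enforce against the API level each device reports, since release names and dotted version strings vary between vendors. The following is an added example, not code from the article or from any MDM product it names: it maps the release names the article mentions to their API levels (Froyo is 2.2 / API 8, Gingerbread 2.3 / API 9, KitKat 4.4 / API 19), evaluates a constructed device inventory against a chosen minimum, and reports how many distinct releases are in the fleet as a simple fragmentation measure. The inventory shape, and the `sdk` field standing in for the device's `ro.build.version.sdk` value, are assumptions for this example.

```python
from collections import Counter

# Android release names and the API level each introduced (well-known values).
API_LEVEL_BY_RELEASE = {
    "froyo": 8,                 # Android 2.2
    "gingerbread": 9,           # Android 2.3
    "honeycomb": 11,            # Android 3.0
    "ice cream sandwich": 14,   # Android 4.0
    "jelly bean": 16,           # Android 4.1
    "kitkat": 19,               # Android 4.4
}

# Constructed inventory, shaped like what an MDM agent might report
# (assumption for this example; the "sdk" field mirrors ro.build.version.sdk).
FLEET = [
    {"device": "dev-001", "user": "alice", "release": "4.4.2", "sdk": 19},
    {"device": "dev-002", "user": "bob",   "release": "2.3.6", "sdk": 10},
    {"device": "dev-003", "user": "carol", "release": "2.2",   "sdk": 8},
    {"device": "dev-004", "user": "dave",  "release": "4.1.2", "sdk": 16},
    {"device": "dev-005", "user": "erin",  "release": "2.1",   "sdk": 7},
]


def minimum_api_level(cutoff):
    """Accept either a release name ("Gingerbread") or a raw API level (int)."""
    if isinstance(cutoff, int):
        return cutoff
    key = cutoff.strip().lower()
    if key not in API_LEVEL_BY_RELEASE:
        raise ValueError("unknown Android release name: %r" % cutoff)
    return API_LEVEL_BY_RELEASE[key]


def evaluate_fleet(fleet, cutoff):
    """Split the fleet into devices that meet the minimum and devices to block.

    Devices are compared on API level only; the dotted release string is kept
    purely for the fragmentation count and for the human-readable report.
    """
    floor = minimum_api_level(cutoff)
    allowed = [d["device"] for d in fleet if d["sdk"] >= floor]
    blocked = [d["device"] for d in fleet if d["sdk"] < floor]
    releases = Counter(d["release"] for d in fleet)
    return {
        "minimum_api": floor,
        "allowed": allowed,
        "blocked": blocked,
        "distinct_releases": len(releases),
    }


if __name__ == "__main__":
    for cutoff in ("Froyo", "Gingerbread", "KitKat"):
        result = evaluate_fleet(FLEET, cutoff)
        print("cutoff %-12s (API %2d): allow %s, block %s, %d distinct releases"
              % (cutoff, result["minimum_api"], result["allowed"],
                 result["blocked"], result["distinct_releases"]))
```

Raising the cut-off from Froyo to KitKat on this sample fleet shrinks the allowed set from four devices to one, which is the trade-off the article describes: a higher minimum reduces fragmentation and the exposure of older releases, at the cost of excluding more of the devices employees already own.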
The Best Way to Minimize Your Risk
If your company plans to use Android in its IT structure, you will need to have at least one go-to person who is an expert in Android security. Usually, you can designate a single member of your IT team to oversee the implementation and security of Android in your company’s workplace. This person will have to be well educated in Android technology and trained to recognize and fix any security holes that might arise from its use. He or she will also be responsible for implementing a mobile device management (MDM) system that will allow IT to track usage and implement strategies across all Android devices that are allowed access to the company’s servers.
Another way to minimize the security risks inherent to Android is to create a comprehensive compliance policy that spells out what is and is not acceptable for use on your company’s network. This policy will probably change as Android is updated and new tools become available to combat malware and other security risks, but it should be based on your Android expert’s research on current vulnerabilities. Your company has to set a strict standard on what is and is not allowed, and stick to it. Be sure to include in the policy any mandatory software (such as anti-malware programs) you require your employees to have installed, as well as any Device Policy apps (such as the DPA available from Google).
If you take the time to assess the risks and put a good MDM in place, have a single go-to Android expert on top of the latest security issues and versions available, and set a good policy to minimize fragmentation and third-party downloads, the risks of allowing Android in your work environment are minimal. There is always risk involved in any phase of IT, but with the proper planning and policies in place, you should be able to use Android in your company without worrying too much about security being compromised.