A clear-eyed guide to Android's actual security risks
- 09 December, 2013 14:35
If you're an Android user -- or want to be -- you've likely heard about all the security risks of Google's mobile operating system. But how real are these threats, and how much damage can they do? Despite the fears, are Android devices actually a safe bet for an enterprise mobility strategy?
These are key questions for any organization thinking about a broad Android rollout or even simple acceptance of Android devices in a BYOD context. The answers may not be what you expect.
[ Mobile security: iOS vs. Android vs. Samsung SAFE vs. BlackBerry vs. Windows Phone. | The truth about Samsung's Knox for Android security. | Bob Violino and Robert Scheier show how businesses today are successfully taking advantage of mobile tech, in InfoWorld's Mobile Enablement Digital Spotlight PDF special report. ]
Depending on whom you talk to, you might hear horror stories about Android security that "prove" the need for multiple solutions to address. Or you might be advised that buying a single tool will obliterate all your Android fears.
The truth is somewhere in between, and before making a serious commitment to Android as a mobile platform, it's important to determine where Android's relevant security issues are and how you can assess their actual risk and remediation.
Android's two fundamental risks
The Android ecosystem has two main security risks, according to mobile security experts:
The Google Play Store
The fragmentation of devices and OS versions
The Google Play Store's risks. Android is a truly open OS, and that makes it risky, says Andrew Borg, research director for enterprise mobility and collaboration at research firm Aberdeen. "Unlike Microsoft Windows Phone or Apple iOS, there is no walled garden, and this leads to potential security vulnerabilities when not managed coherently," Borg says.
Google Play (formerly called the Android Market), the digital distribution platform for applications for Android devices, is itself a source of potential security risks. "With Google Play, there is a higher percentage of apps that contain malware, or social engineering to connect to malware, than any other app store by an order of magnitude," Borg says. "It's not a well-policed environment, and these factors continue to create friction or resistance toward greater adoption of Android in the enterprise."
When users download apps from Google Play, they often don't pay attention to the extent of permissions an app can have on their device, says Chandra Sekar, senior director of the Mobile Platforms Group at Citrix Systems, a provider of cloud-based mobility and collaboration products. "They usually just accept the permission during installation," he says. "And more often than not, apps ask for more permissions than they really need."
The security vulnerabilities affecting Android devices can cause actual performance issues and data loss -- not just minor inconveniences.
Borg tells of a demonstration he saw at a conference that gave him the "willies." The demonstrator, a white hat hacker, took an out-of-the-box Android device and downloaded a game called Very Angry Birds, basically a clone of the popular Angry Birds game, from an app store. "The device had the latest McAfee and Symantec security for Android, but the game contained malware that neither solution flagged," Borg says.
Everything looked fine, and once the game opened nothing changed on the device. "Then the demonstrator took out a laptop and was able to bring up a control stream where he could see all the smartphones that had downloaded the game and could inspect them and see all the emails they had downloaded."
He then put the Android device to sleep and took a picture from the device remotely using the laptop. "Normally, you hear a shutter sound, but this [malware] had turned off the audio," Borg says. "It took pictures and video, and all along it looked like the device was asleep."
For Borg, such examples justify IT's strong aversion to Android, despite its huge popularity among users. "This is a clarion call that security cannot be taken for granted. I don't think these [Android security] issues are overblown."
The risks of Android's fragmentation. The Android platform also suffers the issue of fragmentation -- there are multiple versions of Android in the market, even on current devices. Manufacturers often make their own changes to Android, so they could be behind Google's current reference release. In addition, carriers and manufacturers may not update their devices' Android version when Google does, or they take months or even years to do so.
As a result, many people within the same organization might be using outdated versions that could be riddled with security vulnerabilities. "People focus on malware risks of Android, but arguably the greater risk is that fragmentation creates different user experiences," says Ojas Rege, vice president of strategy at MobileIron, a provider of enterprise mobility management products. "This variety of user experiences makes it hard to educate your employees about how to take security measures, because the experience on each device is different."
Research shows that a majority of Android device users worldwide have devices with noncurrent versions of the OS, says Bob Egan, chief analyst at consulting firm Sepharim Group. "Some of the phones and OSes have very public weaknesses on security," he says.
If users have older versions of Android, that could mean vulnerabilities are left unpatched and new features of the OS won't reach them. "Maybe you can address the security holes for the HTC One, for example, but that might not apply to an older Samsung device," Borg says. The fragmentation issue multiplies the attack surface; thus, there's no single security solution that will fit all of Android's variations, he says.
Some Android risks are overstated -- and others are underestimated
Experts note that some Android risks are overstated, while others don't get enough attention.
Although Citrix's Sekar says fragmentation doesn't receive enough focus in security assessments, he considers Android malware fears overblown. "Traditional antivirus software vendors often hype up the threat of Android malware," he says. While these threats exist in isolated scenarios where users access apps from untrusted, private stores, the threat to enterprises from malware is overstated, he says.
Another Android risk that's overstated is tapjacking -- when an invisible application on top of an app manipulates key gestures to make purchases without the user's knowledge, says Scott Kelley, Android product manager at AirWatch, a provider of mobile device management (MDM) products.
But one risk that's often overlooked, Kelley says, is users' willingness to tap the Accept button for whatever permissions an app requests. "This is compounded by developers' often overzealous permission requests, due to a lack of understanding of which permissions an app needs," he says. "Apps should request the least number of permissions possible to function appropriately, and users should be in the habit of not automatically granting permissions to apps whose functions wouldn't seem to need them."
How to build a secure Android environment
If your organization is preparing a significant rollout of Android devices or a BYOD program that includes devices running the OS, it needs to develop a strategy to keep the company protected from the known security risks and vulnerabilities. Here are the key components of that strategy.
Develop a trust model. Part of this involves identifying what the real risks of data loss are, says MobileIron's Rege. Based on those risks, you determine what level of enterprise content should be made available on the devices.
"We call this developing a trust model that establishes which users are trusted with which data or apps under what circumstances," Rege says. "Every major organization has gone through data classification to establish this underpinning for its security policies." But he notes, "This will take longer for Android because the Android fragmentation makes the process more complicated."
Designate an Android expert in IT. A key best practice is to designate an individual in the organization to be the Android expert, Rege says. "More and more of the overall IT team should gain Android familiarity, but our customers have found that they need one point-person who is chartered to keep up with the rapid pace of the Android ecosystem," he says. Otherwise, IT's Android knowledge base quickly becomes obsolete.
Use an app reputation service. Another good practice is to use a third-party app reputation service that evaluates apps and assigns them a risk score. "Then you can use these risk scores to set policies" in an MDM tool, Rege says. For example, you could set a policy that if an employee installs an app with a high risk score, his or her email is blocked and that user can't access corporate resources until the app is removed.
"With mobile, you have to assume the environment changes all the time as apps are installed and operating systems versions change," Rege says.
Layer your security. As with other IT security strategies, layering security makes sense for the Android environment. If you look at the mobile security stack in layers (starting from the bottom up) as network/carrier layer, hardware layer, operating system layer, and application layer, the chances of exploits increase as you climb the ladder, says Tyler Shields, a senior analyst for mobile and application security at Forrester Research. "Enterprises also have less control the lower we go in the stack," Shields says.
To try to mitigate the risk at each layer, Shields recommends a combination of mobile security technologies each specifically aimed at a different security layer. "The baseline security requirement is to have [an MDM] system managing every device in your environment," he says. "This will help with the remote-wipe capabilities, tracking lost devices, and general management and baseline security requirements."
Deploy MDM. Companies that have rolled out Android broadly agree with the MDM recommendation. "Android devices should not be deployed in any enterprise without robust MDM," says Abhi Beniwal, senior vice president of global IT at Daymon Worldwide's Interactions subsidiary, a provider of in-store product demonstrations for retailers and manufacturers. With an MDM platform in place, enterprise IT has the visibility it needs into mobile devices and can proactively manage security vulnerabilities and threats, Beniwal says.
Interactions has deployed Android-based tablets and mobile apps in more than 1,000 stores in North America. Most of its workforce is field-based, and mobile technology allows users to share real-time information, Beniwal says.
The company implemented an MDM platform from AirWatch before deploying any Android device in the company, and it hasn't experienced any security-related problems with the devices, Beniwal says. "At the same time, we take it very seriously and are always monitoring and proactively managing any potential security threat to our devices," he adds.
Also relying heavily on MDM is the Center for Young Professionals in Banking (CYP), a training center in Zurich that has rolled out 1,400 Android tablets that students use to access CYP's learning management system. CYP uses MobileIron's platform for enterprise mobility management. The platform ensures that only approved apps are installed on devices, and it reports any breaches.
Among CYP's concerns about Android security and management are data loss prevention, malware, OS version control, and data on lost devices. The MobileIron platform addresses each of these and other concerns, says Thomas Fahrni, deputy general manager of CYP, as do most serious MDM systems.
Create a compliance policy. Aberdeen strongly recommends that companies create a compliance policy for BYOD units, so that not every smartphone or tablet is acceptable for use within the work environment.
"Organizations should test the vulnerability of the most popular platforms and versions and verify that they can be managed securely" before granting those devices access to the corporate network, Aberdeen's Borg says. "This is a BYOD policy with constraints. An unbridled BYOD policy is very problematic" because it invites access to the network by devices that might not be secure.
This effort shouldn't be too much of a hindrance for many organizations, Borg says, because many of the latest versions of Samsung Android smartphones are likely to be compliant with a company's security requirements. "If you stay in the Samsung universe, there are viable, robust security solutions [that] work with the MDM tools," he says.
Stop supporting old Android versions. Enterprises should set a specific stop date for older OS support, to ensure that users have up-to-date versions of Android, Sepharim Group's Egan says. He also recommends that companies not use Android for much more than email, "and then only on 'safe' devices."
New security efforts will make Android more secure
Within the Android ecosystem, efforts are being made to improve Android security.
For example, Samsung offers Knox, a containerization technology for higher-end Samsung Android devices that's designed to create a virtual partition on the devices that would insulate corporate-managed apps and data from attack. "Samsung Knox is the first real security solution coming out for Android," Egan says. However, Knox is no cure-all, given several limitations: It currently works with just a handful of Samsung devices and only a small number of MDM tools, and it requires a monthly per-user fee in addition to the normal MDM fees.
Still, the container approach looks promising for delivering the kind of security enterprises will need with Android devices. "Containering or sandboxing can protect data files or applications [within the container], so that container can be used for corporate communications and file storage," Borg says. "A phone could have no other security [provisions], but as long as there is a secured container then the overall security of the device is less important."
Another potentially effective approach is the use of "multiple persona," where there can be distinct identities that go all way to the kernel of the OS, Borg says, so you can have multiple instances of the OS running concurrently on the same device. "You can have one persona for work and one for personal use; it's like a firewall within the device," he says. "From IT's perspective that's probably the ideal solution."
But this type of solution hasn't seen wide adoption. There's a lot of resistance on the part of users, Borg says, because it gets in the way of using the device. BlackBerry 10 OS supports this capability when used with BlackBerry's Enterprise Service 10 server, and a few multiple-persona options for Android devices are available from companies such as Divide and General Dynamics, though they work only a subset of current devices.
Don't let security fears thwart Android adoption
Although security concerns about Android are justified, companies need to avoid taking an extremely restrictive approach and damaging the user experience, says MobileIron's Rege. "The risk that is underrated is that creating on overly restrictive environment will drive employees to unsafe behaviors," he says.
When enterprise employees have a bad experience on their device, such as due to security-justified restrictions, they look elsewhere for enterprise productivity tools -- and this can drive them to take risky actions such as using unauthorized file-sharing apps, Rege says.
"If you approach Android with a mindset of fear, you will create an experience users hate and one that ultimately undermines your security policies," Rege says. "However, if you approach Android with a productivity mindset, you will create a great user experience while keeping data secure."
The strategies and tools are there today to let at least current and recent Android devices be productive additions to your technology portfolio, joining your iOS and BlackBerry devices.
Join the Computerworld Australia group on Linkedin. The group is open to IT Directors, IT Managers, Infrastructure Managers, Network Managers, Security Managers, Communications Managers.
Thanks a million, Drupal
Optus goes over the top with VoIP service
Turnbull asks how the NBN got that way
U.S. retailers insist on PIN requirement in smartcard rules
Yelp speeds database access with flash storage