Android has a bad reputation when it comes to security, which is unfortunate because it’s the biggest mobile platform around in terms of market share. Gartner says Android claimed 80.7% of the worldwide smartphone market in 2014. We know that the BYOD trend has sparked a dramatic rise in personal mobile devices being used for work, and the bulk of those devices are running Android.
As the most popular mobile platform around, it’s inevitable that Android is going to be targeted by cybercriminals. Cisco’s 2014 Annual Security Report found that 99% of mobile malware in 2013 targeted Android devices.
But beyond its ubiquity, there’s another reason that Android is such a common target for malware. The fact that it offers an open alternative to Apple’s walled garden is a double-edged sword. It allows users the freedom to customize and micro-manage permissions on their devices, but if you don’t know what you’re doing, it’s very easy to expose yourself to risk.
High-profile incidents and malware attacks are common. Just the other day, Palo Alto Networks highlighted a potential hijacking vulnerability which allows attackers to replace a seemingly legitimate app with malware without the user’s knowledge during the installation process. This could give them access to sensitive data, including usernames and passwords.
In some ways, the security threat with Android is overstated, and this incident is a good example of why. The exploit that Palo Alto Networks discovered requires users to install an app from outside the Google Play Store. In fact, the vast majority of malware found on Android, according to Cisco’s data, is found in third-party app stores. The bulk of malware is actually found in app stores predominantly serving Eastern Europe, the Middle East, and Asia, especially China, where Google doesn’t have an official presence.
An F-Secure whitepaper from 2013 found that the number of apps carrying malware in Google’s Play Store was just 0.1%, and that they have an extremely short shelf life, because they are removed as soon as they are discovered. Google has also tightened security significantly since then. But even though the risk may be exaggerated, that doesn’t mean there isn’t a risk.
Android defenders will point out that installing apps from outside the Play Store requires the user to tick a box in a menu in their Android settings, and that is true. The problem for IT departments sizing up the competition is that platforms like Apple’s iOS and BlackBerry don’t allow users that level of freedom. In theory, Android’s permission system shows users exactly what each app can do, but in practice users treat it like a Terms and Conditions page and just blindly accept most permissions.
Fragmentation is another headache for IT departments looking to manage mobile devices. There are lots of different flavors of Android, and a multitude of different devices with customized user interfaces and apps pre-installed by manufacturers and carriers. Because Google doesn’t exercise as much control over apps as Apple does, the chances are good that the mobile apps putting your data at risk are Android apps. It’s the low-hanging fruit for cybercriminals.
Traditionally, the mobile device market for the enterprise has been dominated by BlackBerry, but in the last couple of years Apple has made major gains by offering a good range of security capabilities. Google is relatively late to the market.
Samsung, the leading Android manufacturer, actually started targeting the enterprise security market with its Knox platform a couple of years ago. It offers cloud-based device and application management and secure workspaces, but despite working across Android and iOS devices, it hasn’t been widely adopted.
Now Google has stepped in with Android for Work, which allows users to partition Android devices so work apps and data are kept separately from personal apps and data. IT departments can control work apps and keep data secure without infringing on personal privacy. Since many startups also use Google’s web apps, this could prove to be a very popular service in the months to come.
There are also a number of third-party solutions out there from vendors like SOTI that go even further, offering deep levels of control and oversight for the security-conscious.
None of this means you can’t use Android in the enterprise. It just means that you need a solid MDM policy and you need to employ the right management tools. If you consider that Android devices are already in the enterprise through the BYOD trend, they can be significantly cheaper than the competition, and their security capabilities are improving all the time, it may be unwise to discount the platform out of hand.
Comparatively, it may still be easier for IT departments to securely manage devices running BlackBerry or iOS than Android, but that’s beginning to change.
This article was originally published in Network World.
Image credit Cutcaster.