Is having an Android phone on your corporate network going to cause any substantial security risks? Well, let me give you some information that can calm the waters a bit.
Spike in Malware
A recent report showed a 400% annual growth in Android malware. This stat is a bit misleading, though, considering that it started from near zero. A group of anti-malware vendors has reported a rapid rise in Android malware; a fast-moving upward trend is clear. What most people don't know is that the hundreds of Android apps infected by malware are dwarfed by the millions of PC infections.
Upon doing some research of my own, I noticed that the reports I was reading pointed out that most of the Android malware being downloaded was actually coming from third-party markets rather than Google's Android Market. Most people in the industry know that Apple's market is much more stringent about the applications that are published. Users who download from a reputable source are far less likely to download infected applications.
Making Mountains out of Mole Hills?
To put this all into perspective, let me start with the fact that enterprises have used anti-malware for years because of the immense number of worms, trojans, and other viruses threatening PCs. This PC malware was pervasive and damaging enough that risk management was warranted. The time has come to take these Android threats seriously, but remember the focus should be on the biggest business risk.
Malware seems to make juicy headlines, but the reports identify other aspects of Android security that pose a more significant threat. McAfee's report notes that "Android provides a small set of APIs to administer the device; the OS controls the password/PIN policies and can remote wipe the phone. This is fairly limited and not much help when performing network security assessments building a security product. This is exactly why IT departments are resorting to encrypted containers and third-party MDM agents to protect corporate data and assert more extensive policies.
One other important issue to note is that even when Google fixes vulnerabilities within days of discovery, it's up to the manufacturers to produce the firmware updates that apply the fixes. This process has been complicated by the fact that a single device model may have many updates to support carrier-specific customizations. Once the manufacturer produces an update, it's up to each carrier to test it and deploy it to the users. This all means time to patch can be very lengthy, and enterprises have no way to control or speed up vulnerability management.
What does all this mean?
Market fragmentation makes it difficult for enterprises and vendors to apply consistently strong controls.
- Android 3.0 (Honeycomb) made hardware encryption possible for manufacturers.
- Android 4.0 (Ice Cream Sandwich) will further raise that bar.