If you're an Android user — or want to be — you've likely heard about all the security risks of Google's mobile operating system. But how real are these threats, and how much damage can they do? Despite the fears, are Android devices actually a safe bet for an enterprise mobility strategy?
These are key questions for any organization thinking about a broad Android rollout or even simple acceptance of Android devices in a BYOD context. The answers may not be what you expect.
Depending on whom you talk to, you might hear horror stories about Android security that "prove" the need for multiple solutions to address. Or you might be advised that buying a single tool will obliterate all your Android fears.
The truth is somewhere in between, and before making a serious commitment to Android as a mobile platform, it's important to determine where Android's relevant security issues are and how you can assess their actual risk and remediation.
Android's two fundamental risks
The Android ecosystem has two main security risks, according to mobile security experts:
- The Google Play Store
- The fragmentation of devices and OS versions
The Google Play Store's risks. Android is a truly open OS, and that makes it risky, says Andrew Borg, research director for enterprise mobility and collaboration at research firm Aberdeen. "Unlike Microsoft Windows Phone or Apple iOS, there is no walled garden, and this leads to potential security vulnerabilities when not managed coherently," Borg says.
Google Play (formerly called the Android Market), the digital distribution platform for applications for Android devices, is itself a source of potential security risks. "With Google Play, there is a higher percentage of apps that contain malware, or social engineering to connect to malware, than any other app store by an order of magnitude," Borg says. "It's not a well-policed environment, and these factors continue to create friction or resistance toward greater adoption of Android in the enterprise."
When users download apps from Google Play, they often don't pay attention to the extent of permissions an app can have on their device, says Chandra Sekar, senior director of the Mobile Platforms Group at Citrix Systems, a provider of cloud-based mobility and collaboration products. "They usually just accept the permission during installation," he says. "And more often than not, apps ask for more permissions than they really need."
The security vulnerabilities affecting Android devices can cause actual performance issues and data loss -- not just minor inconveniences.
Borg tells of a demonstration he saw at a conference that gave him the "willies." The demonstrator, a white hat hacker, took an out-of-the-box Android device and downloaded a game called Very Angry Birds, basically a clone of the popular Angry Birds game, from an app store. "The device had the latest McAfee and Symantec security for Android, but the game contained malware that neither solution flagged," Borg says.
Sign up for CIO Asia eNewsletters.