Another Android risk that's overstated is tapjacking -- when an invisible application on top of an app manipulates key gestures to make purchases without the user's knowledge, says Scott Kelley, Android product manager at AirWatch, a provider of mobile device management (MDM) products.
But one risk that's often overlooked, Kelley says, is users' willingness to tap the Accept button for whatever permissions an app requests. "This is compounded by developers' often overzealous permission requests, due to a lack of understanding of which permissions an app needs," he says. "Apps should request the least number of permissions possible to function appropriately, and users should be in the habit of not automatically granting permissions to apps whose functions wouldn't seem to need them."
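The least-privilege point above is something a review team can check mechanically before an app is approved for the fleet. The script below is an added example, not code from the article or from AirWatch: it parses an AndroidManifest.xml, lists the permissions the app requests, flags those in Android's "dangerous" protection level (the runtime-granted ones covering user data and device capabilities), and reports which of those the team has not documented a need for. The manifest is a constructed sample for a hypothetical expense-report app, the NEEDED allowlist is a hypothetical per-app list the reviewing team would maintain, and the DANGEROUS set is a representative subset rather than the full list.

```python
"""Audit the permissions an Android app requests against what it needs.

Added example (not from the article): parse AndroidManifest.xml, report
which requested permissions are in Android's "dangerous" protection level
and which of those the team has not justified. The manifest below is a
constructed sample; NEEDED is a hypothetical per-app allowlist.
"""
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of permissions Android classifies as "dangerous" (granted at
# runtime, expose user data or device capabilities). Not exhaustive.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.BODY_SENSORS",
}

# Constructed manifest for a hypothetical expense-report app that only
# needs to photograph receipts and reach the network, yet asks for more.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.expenses">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO" />
    <application android:label="Expenses" />
</manifest>
"""

# Hypothetical allowlist: permissions the product team has documented a need for.
NEEDED = {"android.permission.INTERNET", "android.permission.CAMERA"}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in the manifest.

    Both <uses-permission> and <uses-permission-sdk-23> elements count;
    the elements themselves carry no namespace, only the android:name
    attribute does.
    """
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.add(name)
    return names


def audit(manifest_xml, needed):
    """Classify requested permissions as dangerous and/or unjustified.

    'unjustified_dangerous' is the list a reviewer should push back on
    first: runtime permissions nobody has explained a need for.
    """
    requested = requested_permissions(manifest_xml)
    dangerous = requested & DANGEROUS
    return {
        "requested": sorted(requested),
        "dangerous": sorted(dangerous),
        "unjustified": sorted(requested - needed),
        "unjustified_dangerous": sorted(dangerous - needed),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, NEEDED)
    for key, values in report.items():
        print(f"{key}:")
        for value in values:
            print(f"  {value}")
```

Run against a real manifest by reading the file into `audit()` in place of `SAMPLE_MANIFEST`; anything in `unjustified_dangerous` is a permission the developer should either remove or document before the app is approved.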
How to build a secure Android environment
If your organization is preparing a significant rollout of Android devices or a BYOD program that includes devices running the OS, it needs to develop a strategy to keep the company protected from the known security risks and vulnerabilities. Here are the key components of that strategy.
Develop a trust model. Part of this involves identifying what the real risks of data loss are, says MobileIron's Rege. Based on those risks, you determine what level of enterprise content should be made available on the devices.
"We call this developing a trust model that establishes which users are trusted with which data or apps under what circumstances," Rege says. "Every major organization has gone through data classification to establish this underpinning for its security policies." But he notes, "This will take longer for Android because the Android fragmentation makes the process more complicated."
Designate an Android expert in IT. A key best practice is to designate an individual in the organization to be the Android expert, Rege says. "More and more of the overall IT team should gain Android familiarity, but our customers have found that they need one point-person who is chartered to keep up with the rapid pace of the Android ecosystem," he says. Otherwise, IT's Android knowledge base quickly becomes obsolete.
Use an app reputation service. Another good practice is to use a third-party app reputation service that evaluates apps and assigns them a risk score. "Then you can use these risk scores to set policies" in an MDM tool, Rege says. For example, you could set a policy that if an employee installs an app with a high risk score, his or her email is blocked and that user can't access corporate resources until the app is removed.
"With mobile, you have to assume the environment changes all the time as apps are installed and operating systems versions change," Rege says.