"There just doesn't exist that level of control with Android manufacturers, and it's something we're very concerned about. Whether it's the integration of the operating system with the hardware, or the applications in the application stores. The concern is about data being siphoned off, having the microphone turned on remotely, or any number of other things that might transpire that the user is not aware is happening," Leek explains.
When it comes to security controls, both Android and iOS have made strides recently in the native security capabilities within their operating systems. For starters, iOS 7 enables enterprises to choose which apps must connect through the corporate VPN to gain access, provides enhanced MDM support, encrypts data held within third-party apps, accepts single sign-on and provides built-in biometric authentication.
With Android 4.4 (aka KitKat), there is tighter access control built into the Linux kernel, increased support for digital certificate security warnings, Elliptic Curve Cryptography support, and automated help in identifying buffer overflows. Additionally, hardware-vendor-supported security capabilities, such as Samsung KNOX, are built on top of the Android operating system. KNOX purports to provide a more secure booting process, creates a trusted zone for enterprise-only applications, and has a security-enhanced kernel. KNOX also limits what features can run within the KNOX-protected area of the device.
"The difference with Android devices is that each manufacturer has their own APIs and they're all managed differently," says Katz. "So there are different calls to get to these unique APIs, which means you actually have to work with the different management vendors to make the APIs useful," Katz explains.
This can cause some confusion among the different devices, as well as in supporting complex APIs and security controls, says Katz.
"The number of security controls, and their granularity, within KNOX is both a pro, as well as a con. They've done a very, very good job of building controls. But with more than 400 controls and more than 1,000 APIs supporting them, these options can very easily introduce more complexity," he says.
Securing devices going forward
By mid-year Leek hopes to have a mobile device management system in place that will help to enforce security policies on their incoming Android devices. "We will be evaluating mobile applications and taking an inventory of apps on people's phones," Leek explains. "We will be testing those apps, and if we find things that are not desirable, or we feel that something is potentially exposing Blackstone, we will take remediative actions until the issue is fixed," Leek explains.
That secure application vetting won't just be for Android devices, either, but for iOS devices as well. "The same principles need to be applied to iOS. I believe we are less likely to have problems with iPhones, but I wouldn't be surprised if we uncovered a fair amount of security challenges with iOS apps," he says.