With Android smartphones overtaking Apple’s iOS market share in May last year, it’s inevitable companies will be asked to integrate the open operating system into their closed networks. But questions remain over Android’s suitability for corporate environments, especially when it comes to security.
Malware continues to haunt the Android Market, with UK tech news website The Register reporting in December that a dozen smartphone games were removed by Google when it was discovered they contained the software behind a premium number SMS scam.
Marc Maiffret, CTO of digital security consultant eEye, doubts business is ready for Android. He sees its fragmentary nature as the biggest stumbling block.
“Android gets a bad rap but the OS itself isn’t that bad from a security perspective,” he says. “The problem is the lack of timely updates from manufacturers who create their own modified versions.”
Michelle Savage, spokesperson for US mobile security provider NetQuin, says “employees and IT managers are simply not prepared for a world running on handhelds”.
Unlike Apple, Google neither screens apps nor fully controls the distribution of software updates. The result is an environment more like that of Linux, with versions as varied as the environments they occupy.
David Astley, IT Operations Manager for Australia/NZ optometrist chain Specsavers, helped oversee a move from BlackBerry to Android across the corporate fleet following a move to Gmail as the company email server.
“We’re reading what everyone else is, that there’s a shift toward BYO,” Astley says. “There are lots of ways people can get around security by emailing attachments and using USB devices.”
One solution Specsavers has done some testing with, Astley says, is thin client technology, a move Matthew Toohey, general manager of GM Information Services for iiNet, has already put in place.
“We’ll allow staff to use any device to access systems, though we’ll retain strict control within secure networks by enforcing port-level security, encryption, multiple passwords, auto lockouts and 802.1x authorisation regardless of wired or wireless. Networks are segregated based on security requirements,” he says.
Rodney Gedda, an analyst from telecommunications industry research company Telsyte, reminds us Android already has some serious security backing.
“[The big security vendors] are supporting Android, which flies in the face of the scare-mongering. We’re talking about large companies with their reputations on the line – if it was a hot potato they wouldn’t do that.”
In fact, Gedda says, implementing a security policy might be preferable on Android over others. “Android has better access to lower level components like the kernel. iOS, by contrast, is a very closed ecosystem and everything has to go through Apple’s vetting process.”
As a minimum, says Savage, companies should insist on the basics of phone security. “A sound corporate policy might start with the simple mandate of locking and secure passwords for mobile devices and a loss-prevention security system that locks and wipes the device if it gets lost or stolen.”
Google says its operating system is safe. As Android Product Manager Gabe Cohen explains on his blog, the latest version of the OS ‘Ice Cream Sandwich provides full internal storage encryption on both phones and tablets. We openly share how we implemented encryption within Android, and will soon open-source our implementation for further review within the Android community.’
Sean Greene works for US data recovery firm Evidence Solutions, a company now allowing employees to bring their own Android devices to work to access company data, and he says the best defense can simply be to recruit your staff as gatekeepers. “Keeping malware out of a system is done through user education, not software.”