Android Security: Worry, But Don't Panic, Yet

By Lisa Phifer December 12, 2011 12:20 PM

Recent research published by McAfee, Lookout, Juniper, and Symantec raises questions about Android security, especially with regard to malware.

Are Android smartphones really a clear and present danger to enterprise security? Let’s look at some of these findings.

Rampant Malware

Juniper recently reported 400 percent annual growth in Android malware, from DroidDream and Geinimi to SpyEye and DroidKungFu3. But this stat is misleading in that it starts from near-zero. Other anti-malware vendors also report a rapid rise in Android malware; a sharp upward trend is clear. But let’s be honest: hundreds of Android malware apps are still dwarfed by millions of PC malware infections.

Furthermore, reports indicate that most Android malware is downloaded from third-party markets rather than Google’s Android Market. To be sure, Google’s requirements are far less stringent than those for Apple’s App Store, and some malware has infiltrated the Android Market. But caveat emptor: Users who download from reputable sources are far less likely to blunder into the malware hidden in repackaged apps on third-party markets.

Finally, popularity triggers unwanted attention. Android is the fastest-growing mobile OS, representing 43% of the 2Q11 worldwide market. But consider what Android malware writers are after: a fast buck. Examples cited by Symantec include FakePlayer (premium-rate texting), Adrd (search engine poisoning), and Bgsrv (pay-per-click revenue). These are not (yet) corporate network back-door or intellectual property stealing apps.

Bigger Risks

This is not to make light of Android malware; just put it in perspective. Enterprises have used PC anti-malware for years because PC worms and trojans were pervasive and damaging enough that risk management was warranted. The time has come to take Android threats seriously – but measures should focus on the biggest business risks.

Malware makes juicy headlines, but these reports identify other aspects of Android security that pose a more significant threat. For example, McAfee’s report notes that “Android provides a small set of APIs to administer the device; the OS controls the password/PIN policies and can remotely wipe the phone. Unfortunately, this is fairly limited and of little help when building a security product.” This is precisely why IT departments are resorting to encrypted containers and third-party MDM agents to protect business data and assert more extensive policies.

Additionally, Lookout’s report observes that even when Google fixes vulnerabilities within days of discovery, it is up to device manufacturers to produce firmware updates incorporating fixes. “This process is complicated by the fact that a single device model may have a large number of updates to support carrier specific customizations. Once a manufacturer produces a firmware update, it is up to each carrier to test it and deploy the update to users.” In short, time-to-patch is lengthy – and enterprises have no way to control or speed up vulnerability management.

Finally, market fragmentation makes it hard for enterprises and security vendors to assert consistently-strong controls. Android 3 (Honeycomb) made it possible for manufacturers to offer hardware encryption; Android 4 (Ice Cream Sandwich) further raises the bar. But enterprises must still deal with a plethora of devices, each with varied native security capabilities and vulnerabilities. MDMs can help by enabling IT visibility and control. But IT must shoulder the burden of deciding which devices are “secure enough” while limiting or banning business use of the rest.

These concerns should be top-of-mind for enterprises when deciding whether and how to manage Android threats. Don’t ignore Android malware – just battle it as part of a broader Android device management and security program.

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. Since 1997, Lisa has reviewed, deployed and tested mobile policies and practices, ranging from wireless/VPN security to device/data defenses.