Android, security and the enterprise

This post first appeared on the LINE blog on 6th August 2012.

Whilst a lot of businesses have settled on purchasing iPads and iPhones for delivering corporate information and apps to users within the business, when a business settles on a Bring Your Own Device (BYOD) strategy the playing field is different. A lot of people, given the choice, choose Android devices. Android phones represented 56% of all world smartphone shipments in Q1 2012. These devices bring a different set of security risks from Apple’s. With the huge growth in mobile phone popularity (e.g. 22M UK phone users will renew their device this year) and 11,000 Android malware programs identified (and the number is growing daily), companies such as Sophos, AVG and Kaspersky are investing in the rapidly growing mobile security market, so clearly it’s a serious problem to consider. However, publicly available virus checkers, according to IT security organisation AV-Test, are only 40% to 95% efficient, so software is not always the answer; only greater awareness of the problems can help stop issues at the source: the users. While our enterprise application development platform creates secure, stable Android smartphone and tablet apps, we recognise that not all apps are created equal, so here’s a quick guide to some key Android security issues.

1) Malware versus legitimate apps

11k malicious mobile applications is a tiny figure compared to the 10M malicious Windows applications in general circulation. The huge difference shows that Windows is an easier platform to attack than the fragmented Android mobile platform, but as more people use handsets, malware and attacks will increase. However, this malware, whilst a real threat, is perhaps less of a threat than legitimate apps that gather information from the handsets used within the enterprise. Apps can access calendars, address books and location. They can also access ad networks and analytics, giving a different type of valuable user data. Blocking clearly malicious apps is one strategy, but changing employee behaviour by educating employees about the risks of exposing data to apps is a much harder strategy to implement.

2) Why is Android different?

Android OSs lag and are difficult to update, meaning that OS upgrades and updates that enhance handset security don’t get through to devices that are being used to access business information. The fact that manufacturers and carriers/mobile networks can amend the Android OS as they ship phones is also a major issue. Apple apps access more information that could be considered a security risk, but the platform is generally more secure as Apple users update their OS more often.

While Apple iOS apps outpace apps on Google Android devices in their level of access to data sources, it’s Android that’s generally seen as higher risk. The majority of iOS apps (88%) can access ad networks and analytics, the location of the device (70%) and the user’s list of contacts (52%).

Among the Top 50 iOS apps, 22% are capable of accessing all four sets of information. Interestingly, there is no app in the Android Top 50 that taps into all four sets of information, which is notable because security experts generally believe the Android platform poses a greater security risk than iOS.

3) What can be done?

While updating the OS on your device is an obvious fix to security issues, some processes on Android devices are insecure by default and are therefore exploited by those wishing to attack the device, so there’s nothing that can be done about this apart from changing user behaviour, which is difficult. Telling all users not to click any links in SMSs, while seemingly sensible, is almost impossible to make stick, but you still have to have a corporate IT strategy that includes mobile, and that has to be owned by the end users in some way.

4) Who’s the developer?

Do you know who has developed the app that your users are interacting with? Many popular public apps are from companies with a very short history that may themselves have produced only three or fewer apps in the past. What do these companies really know about corporate security, and did they in fact code the entire app themselves? What shared code did they use, and how integral is it to the app you are giving access to your corporate data? These are important questions to consider when choosing a mobile partner. It’s important to go to a mobile application developer with a history of stable, enterprise-level app delivery.

As well as producing award-winning mobile learning products, LINE also offers you the capability to create, manage and distribute mobile content across your organisation with our LINE Mobile Enterprise Platform.