A Clear-Eyed Guide to Android's Actual Security Risks
Mon, December 09, 2013
InfoWorld — If you're an Android user -- or want to be -- you've likely heard about all the security risks of Google's mobile operating system. But how real are these threats, and how much damage can they do? Despite the fears, are Android devices actually a safe bet for an enterprise mobility strategy?
These are key questions for any organization thinking about a broad Android rollout or even simple acceptance of Android devices in a BYOD context. The answers may not be what you expect.
Depending on whom you talk to, you might hear horror stories about Android security that "prove" the need for multiple solutions to address them. Or you might be advised that buying a single tool will obliterate all your Android fears.
The truth is somewhere in between, and before making a serious commitment to Android as a mobile platform, it's important to determine where Android's relevant security issues are and how you can assess their actual risk and remediation.
Android's two fundamental risks
The Android ecosystem has two main security risks, according to mobile security experts:
The Google Play Store
The fragmentation of devices and OS versions
The Google Play Store's risks. Android is a truly open OS, and that makes it risky, says Andrew Borg, research director for enterprise mobility and collaboration at research firm Aberdeen. "Unlike Microsoft Windows Phone or Apple iOS, there is no walled garden, and this leads to potential security vulnerabilities when not managed coherently," Borg says.
Google Play (formerly called the Android Market), the digital distribution platform for applications for Android devices, is itself a source of potential security risks. "With Google Play, there is a higher percentage of apps that contain malware, or social engineering to connect to malware, than any other app store by an order of magnitude," Borg says. "It's not a well-policed environment, and these factors continue to create friction or resistance toward greater adoption of Android in the enterprise."
When users download apps from Google Play, they often don't pay attention to the extent of permissions an app can have on their device, says Chandra Sekar, senior director of the Mobile Platforms Group at Citrix Systems, a provider of cloud-based mobility and collaboration products. "They usually just accept the permission during installation," he says. "And more often than not, apps ask for more permissions than they really need."