Android Security (DOC download)

Document Sample
Android Security (DOC download) Powered By Docstoc
					Android Security: Worry, But Don't Panic, Yet

Are Android smartphones really a clear and present danger to enterprise security? Let’s look at
some of these findings.

Rampant Malware

Juniper recently reported 400 percent annual growth in Android malware, from Droid Dream and
Geinimi to SpyEye and DroidKungFu3. But this stat is misleading in that it starts from near-zero.
Other anti-malware vendors also report rapid rise in Android malware; a sharp upward trend is
clear. But let’s be honest: hundreds of Android malware apps are still dwarfed by millions of PC
malware infections.

Furthermore, reports indicate that most Android malware is downloaded from third-party
markets rather than Google’s Android Market. To be sure, Google’s requirements are far less
strenuous than those for Apple’s AppStore and some malware has infiltrated the Android
Market. But caveat emptor: Users who download from reputable sources are far less likely to
blunder into malware in repackaged apps on third-party markets.

Finally, popularity triggers unwanted attention. Android is the fastest-growing mobile OS,
representing 43% of the 2Q11 worldwide market. But consider what Android malware writers
are after: a fast buck. Examples cited by Symantec include FakePlayer (premium-rate texting),
Adrd (search engine poisoning), and Bgsrv (pay-per-click revenue). These are not (yet) corporate
network back-door or intellectual property stealing apps.

Bigger Risks

This is not to make light of Android malware; just put it in perspective. Enterprises have used PC
anti-malware for years because PC worms and trojans were pervasive and damaging enough that
risk management was warranted. The time has come to take Android threats seriously – but
measures should focus on the biggest business risks.

Malware makes juicy headlines, but these reports identify other aspects of Android security that
pose more significant threat. For example, McAfee’s report notes that “Android provides a small
set of APIs to administer the device; the OS controls the password/PIN policies and can remotely
wipe the phone. Unfortunately, this is fairly limited and of little help when building a security
product.” This is precisely why IT departments are resorting to encrypted containers and third-
party MDM agents to protect business data and assert more extensive policies.

Additionally, Lookout’s report observes that when Google fixes vulnerabilities within days of
discovery, it is up to device manufacturers to produce firmware updates incorporating fixes.
“This process is complicated by the fact that a single device model may have a large number of
updates to support carrier specific customizations. Once a manufacturer produces a firmware
update, it is up to each carrier to test it and deploy the update to users.” In short, time-to-patch is
lengthy – and enterprises have no way to control or speed up vulnerability management.

Finally, market fragmentation makes it hard for enterprises and security vendors to assert
consistently-strong controls. Android 3 (Honeycomb) made it possible for manufacturers to offer
hardware encryption; Android 4 (Ice Cream Sandwich) further raises the bar. But enterprises
must still deal with a plethora of devices, each with varied native security capabilities and
vulnerabilities. MDMs can help by enabling IT visibility and control. But IT must shoulder the
burden of deciding which devices are “secure enough” while limiting or banning business use of
the rest.

These concerns should be top-of-mind for enterprises when deciding whether and how to
manage Android threats. Don’t ignore Android malware – just battle it as part of broader
Android device management and security program.

Shared By: