To consumers, smartphone features and costs are always more important than security. For enterprises though, the security of both a phone's OS and the applications that run on it are critically important. Therefore Android 2.2, the seventh and latest version of Google Inc.'s Linux-based mobile OS, seeks to address some of the OS security concerns of enterprise security managers who may be reluctant to allow them access to corporate data. In this tip, we'll examine
More on mobile data protection
Learn about choosing smartphone encryption software for mobile smartphone security.
Smartphone security: The growing threat of mobile malware.
For starters, Microsoft Exchange administrators can now enforce password policies across devices. They can also remotely reset an Android phone to factory defaults to secure data in case the phone is lost or stolen. However, unnecessary features like the camera or Bluetooth that may pose a data leakage risk can't be remotely disabled.
There may also be a compliance issue for certain organizations, as syncing Outlook contacts and other information between an Android phone and a computer requires the user to first sync with Google's cloud services. There are now numeric PIN and alphanumeric password options to unlock a device, but its short and poorly implemented lockout period makes it annoying to use.
On-board data encryption is still not available and, while the iPhone has encryption built into the chipset, Android devices have to rely on the javax.crypto library, which means they are trusting the developer has used the library correctly: an added risk. That said, both iPhone and BlackBerry encryption have been broken, but if Android is going to successfuly break into the enterprise market, the product should be bettering its rivals' security features.
However, it's the ability to download applications onto smartphones that makes them attractive targets for cybercriminals, and potentially makes the devices dangerous to allow onto the enterprise network. Android relies on its Linux-based OS to enforce security at the process level between applications and the system to prevent system-wide damage by a rogue application. Android apps, however, have been discovered sending users' private information, including location data to remote servers, without users being aware of what was being sent or to whom.
This can happen because an application is granted or denied "capabilities" during installation that, like privileges, enforce restrictions on what that particular application is allowed to access and do. However, there's nothing that can be done to stop an application from misusing its capabilities. As legitimate apps may use the same capabilities as malicious ones, it makes it difficult for the user to evaluate any potential risks.
This is a markedly different approach compared to Apple. Although all apps are considered equal and can access many resources, by default Apple polices apps for its phones by testing and approving them. How thorough these checks are is not clear and relying on human screening at first glance doesn't seem as failsafe as the OS restricting an application to using only the capabilities listed during installation, which it requires to run.
But enterprises need to know how an application is going to use a capability once it's been granted. Google has responded to criticism that it hasn't sufficiently policed the Android market by disabling several apps that were violating licensing agreements. Until third-party applications are forced to detail in their specification data sheet exactly how data is used and by whom, there will be an element of distrust by those responsible for an organization's compliance and data security.
Enterprises wanting to use Android-based devices are unlikely to have to make major changes to their overall mobile device strategy. No mobile platform has perfect security, so all acceptable-usage policies need to state that users with enterprise-owned devices can only install applications approved by the IT department and should avoid opening files, emails, SMS messages and IM's if they're from an unknown source. (When it comes to user-owned devices storing company data, however, it becomes a bit of a gray area, as it's difficult to enforce policies on devices that don't technically belong to the company.)
As with any OS, administrators need to subscribe to the vendor's alerts to keep abreast of any security developments and look to install a mobile-based antivirus software package; McAfee Inc.'s VirusScan Mobile for Android is free to its existing customers and Symantec Corp.'s Norton's Smartphone Security is also free, providing antitheft and threat protection.
About the author:
Michael Cobb CISSP-ISSAP, CLAS, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
This was first published in November 2010