adam121 - Fotolia

Get started Bring yourself up to speed with our introductory content.

What does this year's Android Security Report mean for enterprises?

Google's second Android Security Report revealed changes and upgrades made to the OS. Expert Michael Cobb covers the important takeaways for enterprises.

Google's second annual Android Security Report contained several security enhancements made to the operating system, but what were the other important takeaways from this year's Android Security Report, and what should enterprises keep in mind when considering Android as a potential enterprise mobile platform?

Google's Android operating system (OS) continues to dominate the mobile and tablet market. According to Net Applications, more than 65% of mobile devices run on Android, way ahead of its nearest rival iOS, which has a 23% market share. However, much has been made of the volume of malware targeting Android users. In 2013, for example, Android accounted for 97% of all mobile malware according to research by F-Secure. In 2014 Pulse Secure still put the number at 97%, and in 2015 the number of new Android malware apps increased by almost 50% as compared to 2014. Android's larger user base and the existence of app stores that don't police the security of the apps they offer make it popular with hackers.

While Google's second annual Android Security Report may be biased, it shows a strong commitment to continually improve the security of the Android ecosystem. The percentage of apps carrying malware on Google's official Play Store was just 0.1%, with the rest originating from small, unregulated third-party app stores, predominantly located in the Middle East and Asia. This highlights the importance of ensuring users only obtain apps from Google's Play Store, or the enterprises' own app store, if it exists.

One form of malware that afflicts Android users is Potentially Harmful Apps (PHA). These are apps that may adversely impact a device's security or user's privacy, such as displaying intrusive ads, tracking the user's internet usage to sell to advertisers or using premium SMS services to rack up charges, all usually done without the user's informed consent. Google has increased its app scanning and security checks, and it has reduced the probability of installing a PHA from Google Play by over 40% compared to 2014; fewer than 0.15% of devices that only get apps from Google Play were affected. Android's Verify Apps option should always be turned on, as it checks apps when they're installed and periodically scans the device for PHA. Android 6.0 Marshmallow also introduces various new security measures to combat malicious apps. A welcome improvement is the ability to update app permissions with more granularity and precision once they have been installed. Most new devices with Android 6.0 will include an improved verified boot process, further application isolation enabled by SELinux, mandatory full-disk encryption and a simplified check to ensure that the device has the most recent security updates.

It could be a while before these security features reach users' devices though, as it can be some time before vendors and telecomm providers push the new version to their users. Android's fragmentation is a problem for security, since patches to bugs found in the core OS often do not reach users of older and lower-price devices. In 2015, researchers at the University of Cambridge found that the failure of vendors to support older Android devices with patches and updates left more than 87% of active devices vulnerable. According to Statista, in May 2016 KitKat version 4.4 was still the most widely used version of Android at 32.5%, while Marshmallow version 6.0 only accounted for 7.5%. To combat this issue, Google has introduced a monthly public security update program to the Android Open Source Project to help partners update more devices in a timely manner.

Google is also encouraging developers to make their apps more secure. It has released the SafetyNet Attestation API to help developers and enterprises check device compatibility, integrity and safety. Android is open source, so enterprises can adapt it for highly secure uses. For example, Samsung has introduced new kernel monitoring capabilities on its Android devices, while Blackberry has added various security features to PRIV, the first BlackBerry smartphone powered by Android. Its DTEK for Android app automatically monitors the OS and tracks other applications, notifying the user if her privacy or security could be at risk.

Google's Android Security Report helps administrators to make informed decisions about how best to manage Android users and devices, and which additional security measures are needed to ensure networks are not put needlessly at risk. Although Google automatically provides cloud-based and on-device security services delivered as Android applications, administrators may still want to consider additional mobility management tools to help secure and control Android mobile devices still running older versions of the OS. The more open nature of the Android ecosystem means that users need to take more responsibility for the security of their Android devices. Enterprises that allow Android devices to connect to their network should ensure users receive regular security awareness training to keep them up to date with the latest threats and attack techniques.

Next Steps

Find out more about built-in Android security features

Learn about the risks and benefits of the Android OS

Discover how Android dual persona can protect business data  

This was last published in August 2016

Dig Deeper on BYOD and mobile device security best practices