DOC RABE Media - Fotolia

Get started Bring yourself up to speed with our introductory content.

Learn the fundamentals of Android app security

Android is one of the most widely used mobile operating systems, but its openness and diversity create application security challenges. Learn what IT can do to fight back.

Android has a target on its back, partly because of its popularity, but also because of its well-known security shortcomings.

Android app security is the main concern most organizations have with the mobile operating system (OS). It's especially difficult for IT to control all the different Android devices with varying iterations and customizations of the OS. Because of these security challenges, organizations have a lot to consider when incorporating Android devices into their environments, including why Android app security has so many holes and what Google is doing to fill those gaps.

With these frequently asked questions, take a look at Android's native security capabilities and what's next for Android app protection.

Why does Android app security have so many holes?

The Android OS is open source, which is great for consumers because it lets them download any app from anywhere. This includes applications from developer's websites and alternate app stores that go through no screening process at all. For businesses, that lack of control over where applications come from is an enormous problem. To make matters worse, even the apps that have been vetted and live in the Google Play Store can be dangerous because Google has looser app approval guidelines than competitors such as Apple.

Android for Work is Google's main strategy for making Android more business-friendly.

User approval is Android's only real measure of defense against this free reign of app downloading. The device will ask the user to agree to let the app access certain data and features. This deterrent does little to stop people from installing questionable apps, however, because users will approve almost anything they think can make their work easier. Once the app installs, there is no way to block its activity, nor are there any further warnings about what the app is doing and what it's accessing.

What native capabilities does Android have for security?

Android is a Linux-based system, so it has many of the built-in security features Linux users are familiar with, including file system permissions and encryption. The permissions restriction prevents apps from entering file systems they have not been approved to access. Android disk encryption uses the Advanced Encryption Standard algorithm at the kernel level to password protect the OS. The Android platform comes with other standard security features such as sandboxing, code signing and address space layout randomization.

To troubleshoot problems malicious apps are causing, the user can fire up safe mode, which disables any third-party apps on the device. In addition, there are many APIs and security protocols included in Android to ensure users are accessing apps and data through secure portals. The built-in Digital Signature Standard provides document authentication, and the Secure Sockets Layer/HTTP over SSL delivers server and client authentication as well as encryption for any communication between the client and the server.

How does Android for Work increase app security?

Android for Work is Google's main strategy for making Android more business-friendly. This program, which is split into four main components -- Work Profiles, the Android for Work app, Google Play for Work and built-in productivity tools -- helps IT manage and secure business apps on a work-specific profile, where IT cannot touch personal data. The contained work profile protects business apps from potentially risky activity users engage in on their personal apps. Android for Work was supposed to include Samsung Knox technology, but Google turned to its own technologies including its Divide acquisition instead.

Google Play for Work gives IT admins the power to deploy third-party or internally developed apps of their choice to users through the Google Play Store. It also gives them the ability to pre-approve, whitelist, configure or block applications.

What is Google doing to improve Android app security?

As the holes in the application approval process show, Google needs to enhance its security to make Android viable for businesses. Enter Google Play services, which provides developers with APIs and tools to safely integrate apps onto Android devices. Its two primary security features are Verify Apps and Safety Net. Verify Apps can scan and identify malicious code in any application whether it's installed through the Google Play Store or through sideloading. The Safety Net set of features gather data about potential threats to understand what attacks are most prevalent. Safety Net can also verify if a device is up to Google's Android security standards and change its configuration or settings and update any blacklists to prevent attacks.

The latest version of Android, Lollipop 5.0, boasts full disk encryption and Security-Enhanced Linux Enforcement (SELinux) enforcement. With the improved disk encryption, the scrypt function bolsters password protection against brute force attacks. With SELinux, admins can sandbox apps and force them to follow specific restrictions.

Next Steps

How to remove Android malware that reinstalls itself

Comprehensive guide to Android management

Google offers rewards for Android bug patching

Facebook adds to the Android security puzzle

This was last published in August 2015

Dig Deeper on Google Android operating system and devices

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How are you fighting against Android app security challenges?
Cancel
In IT Security, specifically in organizations where users are allowed to access the network utilizing their own devices, the main challenges are keeping their apps from corrupting data or delivering a virus. Precautions are so mandatory and necessary that the United States Government has guidelines and minimal security recommendations advising IT Support departments in these organizations. Prevention, is really the keyword when allowing non-company Smartphones and Tablets access the networks. Third-party apps that have not been reviewed or tested should be considered a threat and since most are not, then the majority are a threat to security. Along with personal data, an unsuspecting device user may deliver critical organizational information to an undesired recipient and consideration of that is crucial. So, my first objective, is to limit my apps, monitor the demands their access demands and avoid installing apps that want too much of my private information. Without consideration for the network, as an IT Professional, I treat all access as intending malice and take preventive measures in securing my organizations network. I simply consider every device a threat whether the user may or may not be aware.
Cancel

-ADS BY GOOGLE

SearchNetworking

SearchTelecom

SearchUnifiedCommunications

SearchSecurity

Close