
Learn the fundamentals of Android app security

Android is one of the most widely used mobile operating systems, but its openness and diversity create application security challenges. Learn what IT can do to fight back.

Android has a target on its back, partly because of its popularity, but also because of its well-known security shortcomings.

Android app security is the main concern most organizations have with the mobile operating system (OS). It's especially difficult for IT to control all the different Android devices with varying iterations and customizations of the OS. Because of these security challenges, organizations have a lot to consider when incorporating Android devices into their environments, including why Android app security has so many holes and what Google is doing to fill those gaps.

With these frequently asked questions, take a look at Android's native security capabilities and what's next for Android app protection.

Why does Android app security have so many holes?

The Android OS is open source, which is great for consumers because it lets them download any app from anywhere. This includes applications from developers' websites and alternate app stores that go through no screening process at all. For businesses, that lack of control over where applications come from is an enormous problem. To make matters worse, even the apps that have been vetted and live in the Google Play Store can be dangerous because Google has looser app approval guidelines than competitors such as Apple.


User approval is Android's only real measure of defense against this free rein of app downloading. The device will ask the user to agree to let the app access certain data and features. This deterrent does little to stop people from installing questionable apps, however, because users will approve almost anything they think can make their work easier. Once the app installs, there is no way to block its activity, nor are there any further warnings about what the app is doing and what it's accessing.
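Because the approval prompt is the only checkpoint, IT can review what an app asks for before users ever see it. The following is an added example, not code from the original article: it assumes the APK's manifest has already been decoded from binary XML to text, and the sample manifest, package name and sensitive-permission policy list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Illustrative subset of permissions Android classifies as "dangerous";
# the policy list itself is an assumption made for this example.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
}

# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Flashlight"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return (package, sorted permission names) from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an Android manifest")
    names = {el.get(f"{{{ANDROID_NS}}}name")
             for el in root.iter("uses-permission")}
    names.discard(None)  # skip malformed entries with no android:name
    return root.get("package"), sorted(names)


def review(manifest_xml, expected=frozenset()):
    """Flag sensitive permissions the app's stated purpose does not justify."""
    package, perms = requested_permissions(manifest_xml)
    flagged = [p for p in perms if p in SENSITIVE and p not in expected]
    return {"package": package, "requested": perms, "flagged": flagged}


if __name__ == "__main__":
    # A flashlight plausibly needs the camera (flash LED) and nothing else.
    report = review(SAMPLE_MANIFEST, expected={"android.permission.CAMERA"})
    print(report["package"], "->", report["flagged"])
```
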

What native capabilities does Android have for security?

Android is a Linux-based system, so it has many of the built-in security features Linux users are familiar with, including file system permissions and encryption. The permissions restriction prevents apps from entering file systems they have not been approved to access. Android disk encryption uses the Advanced Encryption Standard algorithm at the kernel level to password protect the OS. The Android platform comes with other standard security features such as sandboxing, code signing and address space layout randomization.

To troubleshoot problems malicious apps are causing, the user can fire up safe mode, which disables any third-party apps on the device. In addition, there are many APIs and security protocols included in Android to ensure users are accessing apps and data through secure portals. The built-in Digital Signature Standard provides document authentication, and the Secure Sockets Layer/HTTP over SSL delivers server and client authentication as well as encryption for any communication between the client and the server.

How does Android for Work increase app security?

Android for Work is Google's main strategy for making Android more business-friendly. This program, which is split into four main components -- Work Profiles, the Android for Work app, Google Play for Work and built-in productivity tools -- helps IT manage and secure business apps on a work-specific profile, where IT cannot touch personal data. The contained work profile protects business apps from potentially risky activity users engage in on their personal apps. Android for Work was supposed to include Samsung Knox technology, but Google turned to its own technologies including its Divide acquisition instead.

Google Play for Work gives IT admins the power to deploy third-party or internally developed apps of their choice to users through the Google Play Store. It also gives them the ability to pre-approve, whitelist, configure or block applications.

What is Google doing to improve Android app security?

As the holes in the application approval process show, Google needs to enhance its security to make Android viable for businesses. Enter Google Play services, which provides developers with APIs and tools to safely integrate apps onto Android devices. Its two primary security features are Verify Apps and Safety Net. Verify Apps can scan and identify malicious code in any application whether it's installed through the Google Play Store or through sideloading. The Safety Net set of features gathers data about potential threats to understand what attacks are most prevalent. Safety Net can also verify if a device is up to Google's Android security standards and change its configuration or settings and update any blacklists to prevent attacks.

The latest version of Android, Lollipop 5.0, boasts full disk encryption and Security-Enhanced Linux (SELinux) enforcement. With the improved disk encryption, the scrypt function bolsters password protection against brute force attacks. With SELinux, admins can sandbox apps and force them to follow specific restrictions.
