Android security is better, but companies should be prudent

Companies need to consider the risks as well as the benefits of Android’s operating system, warn experts.

Smartphones and tablets are essential to companies, but they should proceed with caution when considering deploying Android devices, according to Michael Spreitzenbarth, team lead and IT security consultant at Siemens Cert.

“With around 300 security vulnerabilities reported in Android in the first nine months of 2015 and more than 200 vulnerabilities found in 150 apps tested, enterprises need to think about the risks as well as the benefits,” he told the (ISC)2 Security Congress, Europe, the Middle-East and Africa 2015 in Munich.

The main advantage of using Android in the enterprise is that apps and accessories are normally cheaper than those for operating systems such as iOS. This means that companies will not have to pay for apps to be developed, as there are lots of apps available in the Android app store, often completely free.

Android vulnerabilities

However, Spreitzenbarth has said enterprises should be aware that many manufacturers do not discuss security vulnerabilities in their devices, and a recent study showed that 87% of Android devices are vulnerable to at least one critical attack.

“Although Google patches fast and diligently, manufacturers tend to patch only if media pressure is very high because it takes time and money to update all versions of Android in use on their devices, and service providers have to approve and sometimes modify each patch,” said Spreitzenbarth.

Consequently, security fixes can potentially take years to deploy.

Another issue facing enterprises using Android devices is that there is no general device management application program interface (API) for mobile device management (MDM) systems that can be used for all devices.

Third-party applications could also be dangerous, as they often collect sensitive and private data when downloaded, and do not allow you to download the app if you don’t agree to their terms.

Android for the workplace

As a result, Spreitzenbarth has urged enterprises using Android devices to focus on user awareness, device hardening, vulnerability management and application testing. Guides should also be created to assist users as much as possible.

Google has responded to the security concerns by introducing initiatives such as ‘Android for Work’, which gives IT the ability to manage and secure business applications on a work-specific profile, and the Nexus Security Bulletin, which is the first public Android security advisory.