One of the biggest knocks against Android is that it's not secure enough for enterprise use, but things are getting better.
Several Android security issues do exist, especially when it comes to Android app security, centralized management and the ability to protect data on lost or stolen devices. These are all legitimate reasons for organizations to think twice before letting Android devices into the corporate environment. Improvements in Android 3.0 Honeycomb and Android 4.0 Ice Cream Sandwich, however, are starting to address these risks.
Android app security risks
The lack of control over apps is probably the most serious of the Android security issues facing enterprises. Whereas Apple has a strict app-approval process and does not allow unapproved apps to be installed on its devices, Android users are free to install any application that anyone develops. The Android Market attempts to offer some level of control over the apps available to users, but other apps -- some potentially harmful -- are available in alternative app stores or even on developers’ websites.
To make users aware of the potential Android security issues around apps, most devices will explain what data and features the app wants to access, then ask for the user’s OK before installation. For example, the user will know if an app wants to use his or her contacts list or access the SIM card to send text messages.
In most cases, however, these warnings don't help much. If a user installs an app that promises to make it easier to communicate with others, it's obvious that he or she will press OK after reading these warnings. It might help if Android could alert the user at the moment the app starts sending text messages, but no such functionality is available in the current release. For the time being, anti-malware software can provide some protection against Android app security risks.
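The install-time prompt described above reflects the permissions an app declares in its manifest, so an administrator can review the same list before an app is approved. The following is an added example, not part of the original article: it reads a decoded (plain-text) AndroidManifest.xml and flags the contacts and text-message permissions mentioned above. The sample manifest, the package name and the review rules are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # android:name after namespace expansion

# Assumed review policy (not from the article), keyed by Android permission names.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "reads the contacts list",
    "android.permission.SEND_SMS": "sends text messages",
}
# Assumed rule: contacts access plus network access means data can leave the device.
NETWORK = "android.permission.INTERNET"

# Constructed sample manifest for a hypothetical messaging app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chathelper">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.VIBRATE" />
    <application android:label="Chat Helper" />
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permissions declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    names.discard(None)  # ignore malformed entries without android:name
    return sorted(names)

def review(manifest_xml):
    """Return findings for a human reviewer; empty list if nothing is flagged."""
    perms = requested_permissions(manifest_xml)
    findings = [f"{p}: {SENSITIVE[p]}" for p in perms if p in SENSITIVE]
    if "android.permission.READ_CONTACTS" in perms and NETWORK in perms:
        findings.append("contacts access combined with network access")
    return findings

if __name__ == "__main__":
    for line in review(SAMPLE_MANIFEST):
        print("REVIEW:", line)
```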
Android security issues around management
Earlier versions of Android, which most Android smartphones still run, have no native capabilities for tracking and disabling a lost or stolen device remotely. Some apps, such as Lookout Mobile Security, do tackle these Android security issues. And similar features are available natively as of Android 3.0 and 3.1.
Android 3.0 lets users encrypt the contents of their devices. This procedure takes an hour at least, after which you can access content on the device only by entering a password. Also, Android 3.1 gives administrators the ability to trace and lock down devices remotely.
The lack of centralized management utilities also contributes to Android security issues. It would be useful if a corporate IT administrator could manage Android devices by applying security policies, in particular to make sure that users can only install trusted apps. This typically is an option provided by third-party vendors, but at the moment no proven, integrated management tools exist. The good news, however, is that vendors are developing such products as we speak.
Android security issues, particularly with older versions of the OS, have been a serious roadblock to Android enterprise adoption. As features such as disk encryption and remote management become part of Android, and as third-party vendors develop better management tools, the situation is improving. But Android app security remains a major problem.
This was first published in November 2011