In less than six years on the market, Android has already become the world's most popular operating system. Gartner has estimated that nearly 900 million devices running Android were shipped in 2013, and that the annual haul would surpass 1 billion in 2014. For context, shipments of Microsoft Windows endpoints were 326 million in 2013, with only modest growth expected in the near term. Android's yearly total is also already several times larger than that of Apple iOS and OS X combined.
Android: A "toxic hellstew" of vulnerabilities, but also a rising star in the enterprise
Naturally, Android's enormous market share – along with its distinctively open, carrier- and OEM-dependent design and distribution model – has made it a magnet for malware. In late September 2013, Trend Micro observed that malicious Android applications in the wild numbered over 1 million, once again exceeding its expectations. Moreover, from January to September 2013, the number of samples discovered by Trend Micro more than doubled.
A March 2014 F-Secure study likewise found that Android is now home to 97 percent of mobile malware. So what, specifically, do Android users have to deal with? Some of the most prominent issues have included:
- Fake applications, especially popular games. For example, the mega-hit Flappy Bird, after being pulled from Google Play by its developer, was used as a front for malware that requested extensive device permissions.
- Elaborate social engineering and phishing schemes, such as HijackRAT, that exploit Google branding and connect Android smartphones and tablets to command-and-control infrastructure.
- A recently uncovered exploit, potentially affecting up to 70 percent of all Android devices, that enables unauthorized phone calls and usage of premium SMS services.
While many Android shortcomings are proofs-of-concept that ultimately never affect end-users, the stakes for identifying and resolving as many issues as possible are only getting higher. For starters, Android is no longer just an OS for consumers.
Despite its reputation in some circles as an unserious platform that trails iOS in usability and the Windows family in business utility, Android is increasingly popular among enterprises. A 2014 Frost & Sullivan survey of U.S. and European organizations revealed that Android was the primary choice of 56 percent of respondents. Its wide application selection has fueled trends such as BYOD, while vendors such as Samsung have invested heavily in enterprise-grade security frameworks like Knox.
At this year's Worldwide Developers Conference, Apple CEO Tim Cook trotted out ZDNet writer Adrian Kingsley-Hughes' memorable description of Android as a "toxic hellstew of vulnerabilities" created by fragmentation, which is apt if a bit hyperbolic. Still, flaws and all, businesses have plenty to gain from Android and similarly much to lose if their endpoint security measures aren't in sync with the device and threat ecosystems that have formed around Google's OS. That said, what should an Android-inclusive security strategy look like in 2014?
Android's dominance spurs debate about need for antimalware protection
The broad migration of computing tasks from PCs to mobile endpoints running Android et al. has caused a sea change in cybersecurity. In particular, new modes of application distribution, namely app stores, have removed some of the traditional risks of installing software but have also created additional problems such as fake storefronts. Accordingly, the role of security solutions is evolving, with blacklist-based antivirus on the wane while automatic threat scanning tools become more popular.
On Android, the preponderance of in-the-wild malware would seemingly make modern cybersecurity software a no-brainer, just as it is on any desktop running Windows. But the security and developer communities have strikingly disagreed on this issue.
Google itself has understandably taken pains to downplay the risks of using Android, with Android and Chrome head Sundar Pichai telling Bloomberg BusinessWeek that Android "from the ground up is designed to be very, very secure." Android security engineer Adrian Ludwig has also questioned the value of mobile antimalware, which he says would rarely protect users from threats. Instead, he and others have argued that ensuring Android is up to date is sufficient risk mitigation.
Security expert Graham Cluley took issue with this position in a blog post for HotforSecurity. Android fragmentation – the phenomenon of devices running disparate OS versions – is still an issue, with roughly one-sixth of smartphones and tablets running the Gingerbread release that was pushed out in 2010. It is symptomatic of Android's inefficient mechanisms for updating software and patching security issues.
"[T]he way that Android devices are updated with new OS versions is a much more hit-and-miss affair than iPhones – leaving it to Google, service providers and handset manufacturers to all agree and co-ordinate with the rollout of an update," wrote Cluley. "Sometimes, little more than a year after a new Android handset is launched, the company will reveal it is not going to release any more OS updates for it."
Sensible Android security: What are the key tenets?
Google's view of Android security seems to make generous presuppositions about the circumstances of average users. In reality, not every device has installed the most recent update. Google's own numbers from June 2014 indicate that only 14 percent of Android endpoints were running 4.4 KitKat. Plus, even the relatively new Galaxy Nexus – a onetime flagship handset – didn't receive official KitKat support.
Once enterprises realize that Android presents unique security challenges due to widespread inconsistencies in hardware and software, they can formulate a more pragmatic strategy based on:
- Comprehensive solutions that can scan applications, whitelist and blacklist phone numbers, perform remote wiping and restore data.
- Strict guidelines about where applications can be downloaded from, since unsecured third-party stores are often pipelines for malware.
- As much standardization as possible across endpoints, to prevent fragmentation and eliminate the need for bespoke security measures for each one.
Android will continue to face pressure from cybercriminals, due to its overwhelming popularity and particular design. However, strong security is within reach for today's enterprises with a combination of dedicated solutions and sensible endpoint management processes.