Be scared of Android BYO. Be very scared.
- 01 December, 2011 14:55
They may not say it out loud, but I'd bet most network managers and security executives tell themselves over and over again that their end-users are idiots.
Sadly, the reputation isn't entirely without merit: consider surveys such as the one that today suggested 90 percent of users don't know they can search a document using CTRL-F, or the ongoing reports of Australians being taken for thousands by overseas scammers. Users routinely ignore security warnings, grant unknown applications access to their accounts in exchange for new smiley sites or Facebook polls, and visit malware-laced Web sites to download porn or first-release movies.
That many such people might work in your organisation – and use your company's network on a daily basis – is cause enough for concern when it comes to enforcing security. That they are now expecting you to let them use their own smartphones, tablets and computers to access networks where confidential business documents live should keep you up at night. But the fact that many of them expect you to allow those devices to be based on Android should be enough to make you want to call in sick for the rest of the year.
If, that is, recent figures are to be believed. Security vendor AVG, for one, has just published its SMB Market Landscape Report 2011 (PDF) (conducted by market-research giant GfK), which bodes poorly for the state of IT security in small businesses. Just 58 percent of respondents were worried about the loss of company or customer information, social engineering or theft of employee identities, while 36 percent fear mobile malware and just 16 percent are worried about theft of information from the cloud.
In other words, the majority of SMBs aren't concerned about these things – and can be taken as not having invested heavily to prevent them. Given that the same survey revealed around one in five companies is now using Android devices, all this couldn't be better news for the crims that are, by all accounts, now actively targeting Android and its growing body of users.
Security vendor McAfee is the latest to warn of the Android malware explosion, reporting that attacks on Android had jumped 76 percent in the past three months. Much of this seems to be due to desktop security standbys such as bait-and-switch applications and fake application updates being carried over to mobile, alongside newer threats such as hidden keyloggers. In other words, malware authors are finally finding that they can teach this new dog old tricks.
One wonders whether Google is rethinking its decision to offer the source code for its environment; its decision not to release the source code for Android 3.0 'Honeycomb', and the long delays in releasing the source code for Android 4.0 'Ice Cream Sandwich', suggest as much. Although open source does give certain companies better visibility of what they're using, it also does most of the homework for malicious hackers, who now seem to see Android as the mobile vector of choice when it comes to spreading malware, keyloggers and other nastiness.
Given that every major security vendor is now spruiking Android security software that purports to address these issues, it is perhaps healthy to take any reports like this with a grain of salt. But there is just as much self-interest in Google's angry response that labelled the vendors "charlatans"; after all, if Android gets a reputation as a security minefield, what self-respecting CSO would push ahead with plans to let Android devices into their corporate network by the millions?
Can you watch the 20-minute demonstration that security researcher Trevor Eckhart has published, showing that hidden device-monitoring software can bury itself within Android and record everything a user is doing, and still heartily recommend devices running the operating system be allowed, unfettered, into your corporate IT environment?
The maker of that particular software, Carrier IQ, has argued against Eckhart's characterisation of its application as a 'rootkit' but the distinction is academic: if Carrier IQ can bury undetectable tracking software in Android, there's no reason to think malicious hackers out there can't do the same.
Many will argue that Apple's iOS also has inherent insecurities, and this is likely true. However, its tight control over application loading and unloading at least means you know that someone is watching what's loaded onto your iPhone-toting employees' phones. As a caveat, iOS users with jailbroken iPhones could be just as dangerous as those running Android.
Say what you will about surveys – particularly those from vendors that are often discounted as self-serving – but there is a growing body of evidence suggesting Android is less than the security paragon we'd like it to be. Given that fewer than 1 in 5 users bother to install security software and most feel mobile security software is too expensive, it's also clear that users – the same ones that expect equal network rights for their often-promiscuous devices – aren't going to be much help in the fight against Android malware.
No: without appropriate controls and a realistic approach to mobile security, Android could easily become the security equivalent of Windows XP, which has been exploited in too many ways – often with the assistance of ignorant users – to count. And unless they're ready to mandate regular device audits, installation of mobile security software and mobile device management (MDM) clients onto users' phones, and limits on acceptable installed applications, CSOs should seriously consider their plans for mobile BYO before users' Android dreams become their own security nightmare.