As you may have read in my last blog there are many areas of vulnerability in the world of enterprise mobility. However, one operating system seems to have received more than its fair share of bad press in this respect – Android.
Obviously this highlights the difference between an open and a closed operating system environment. Android as we all know is open source so everything is out there for the world to see whereas iOS is completely closed with any app having to be rectified by Apple.
Here I wanted to run through just a few of the vulnerabilities of Android to synopsise where they are today and help inform your enterprise mobility decisions rather than to judge or criticise.
One of the key and core weaknesses of Android has to do with the way Android phones work, like all mobiles they have two areas in the memory; a shared one and a private one, in the private area should only be the things that work on your device like contacts and SMS messages in the shared area are the downloads.
With Android as with iPhones there is a bridge between the private and the public areas. However, with Android the bridge is open and of course its use or abuse does not need to be approved by anyone. Conversely, Apple check and approve how you use the bridge.
This means that with Android there is a bridge which is unmanaged and this means apps can easily go into the private area and do what they please. For instance you download something inoffensive like a game and it could easily sit and listen to voicemail and send those to a server or it could access your pictures and email them to the contacts in the private memory.
This is the tip of the iceberg with Android but here are the four most recent vulnerabilities.
1. The first bug is called a “permission-escalation vulnerability” and apparently, it affects all Android users. The exploit allows for an app to be installed without a user approving of the permissions typically required when installing an app. A hacker could then use this vulnerability in Android to gain additional malicious permission privileges after an install.
2. The second exploit is known as a “Linux kernel privilege escalation” and it allows for an unprivileged application to escalate or gain privileges and gain full control over a device.
3. The third is FakeToken a malicious Android application capable of grabbing banking passwords from a mobile device without infecting the user’s computer.
4. The fourth as yet unnamed by CrowdStrike could allow hackers to launch attacks and take control of some Android devices.
It seems the very “open nature” of Android may be the crux of its security issues and until devotees spend as much time creating security fixes as they do hacks this may continue. What is key is that enterprises not run a mile from Android as it does have its own merits but instead build a strong enterprise mobility plan with security at its heart irrespective of which platform is used.