Tuesday 27 March 2012

Is Android King - or too Risky?

I have both an Android phone and tablet.  I actually have the new ASUS Transformer Prime, which is incredible.  I like widget and the freedom to place anything on my phone.  There are thousands of Apps available in the new Google Play store. 

However, I attended a Bring Your Own Device event last week which discussed the security implications.  One main point that came across was how insecure Android is, for example there was recently an application for a touch (flash light for my friends in the US), which would maliciously send a text message for an extortionate rate.  McAfee were one of the presenters and showed a frightening slide that told us... 

57% of Android users have no security on their phone 
Only 5% have anti virus or anti malware 
19% have some form of encryption 
17% have a password, or keypad lock 
Some of the above is quite frightening, especially as another slide showed that there were almost 400 new malware Apps found in Q4 of 2011, compared to just over 100 in Q3 of the same year. 

Why Android? 

The reason the hackers are targeting Android is due to that it is easy to publish an application on the Google Play site.  Anyone can simply create an application and publish it.  With the rising market share of Android, it seems that this is the easiest way to hit as many people.  This is why Windows is always a target of many viruses and malware.  I read last week that 90% of the smart phone purchased recently are either Android or iOS, with 53.8% of that figure being Android. 

Another reason for the easy access for malware is that people do not keep their phone up to date with various patches from Google.  This is for three main reasons. 

The phone is "Rooted" and therefore the updates have to come from an independent developer. 
The manufacturer does not update their version of the OS. 
The mobile operator does not allow the OS to be updated by Google or the manufacturer and does not update the OS themselves. 

All of these issues above are beyond the control of both the user and the corporation, when considering BYOD.  Try to think of the number of applications that are downloaded each day.  There was a game released 6 weeks ago, which has already been downloaded 35 million times.  Hackers and writers of malware and viruses will target these popular applications in hope that just 1% of users run their malicious code. 

How do you combat the threats? 

The threats can be combated in a number of ways.   

Malware / Viruses - Firstly, the OS could be kept up to date which would remove some of the loopholes that viruses and malware exploit.  In addition to this, many of the virus protection software companies provide a mobile phone version, for example I use AVG at home, as it is free, and they provide a mobile version - also for free. 
Device lock - On top of this we can add a simple screen lock, which would keep the average thief from stealing our data. 
Encryption - In addition we should encrypt our phones, which would mean that without a key, the data would be unreadable.  This means that as a company, you can send a command to delete the encryption key from the device and this in turn would make the data unreadable. 
Firewall - For corporate customers, you can ensure that the web browsing on the device is all filtered through your company firewall, which will include the safe browser and proxy settings you use within the desktop browsers. 

What to protect? 

There are three parts to securing the mobile device. 

Device - First, what would happen if the device was lost or stolen.  A good Mobile Device Management (MDM) policy is required, which would either track the phone, or could even disable it to the point that it could never be used again.  It would be good to add screen locks and password protection. 

Data - The most expensive part of the loss of the device would not be the replacement value, but would be issues around the data loss.  To prevent this the MDM should be able to Lock / Wipe or Delete the data on the device.  The corporate data must remain encrypted on the device and therefore a tool would be able to remove the encryption key, to ensure the data remains secure.  An issue here is 

Applications - Some companies would choose to only allow certain Apps on their devices, but what would happen in a truly BYOD environment?  If I was to use my own device for reading my work email, i would still want the choice to play games and use Apps that i want to use outside of work.  In response to this, McAfee and other suppliers have created their own Application Store, which contain all of the Apps which have been scanned for any virus or malware, which could be used by the device owner.  In addition to the supply of the applications, the Application Store would be able to remove applications from the device immediately, if a threat is detected. 

Conclusion 

The on-line world is a world where many unscrupulous people reside.  They target the vulnerable and the target them in numbers.  The new on-line experience is growing rapidly via the mobile browser and the number of Apps downloaded from various Application Stores is incredible, for example a new drawing game has had 35 million downloads within 6 weeks.  With the combination of both the application downloads and the web browsing, the sample is large for people to exploit.   

I only have a simple screen pattern lock on my phone, but will be adding the AVG free version of the anti virus / malware to my collection of applications today ! 

No comments:

Post a Comment