Lock Down Your Android Devices

Two years ago almost nobody had heard of Android. Now it’s nearly ubiquitous among smartphone users, and it’s on track to become the most popular mobile operating system in the United States. When it comes to business use, though, Android still has some growing to do. Here’s how to keep your Android phones and tablets safe from malware and hackers.

Some security concerns--such as the nefarious wallpaper apps issue (in which the apps allegedly collected personal information and sent the data to a Website) or the compromise of sensitive information via apps--are more hype than reality, but there are still plenty of legitimate problems that you should be aware of. Android smartphones typically have 16GB or 32GB of internal storage, and many have SD Card slots that enable users to extend the data capacity. That means users could potentially walk around with 32GB or more of business data in a handheld device that is vulnerable to loss or theft.

Android's ability to encrypt data on removable storage depends largely on third-party software-based encryption, which is inferior to hardware encryption. IT admins also don't appreciate Android's lack of a remote-tracking capability, as well as the inability to impose standard sets of apps (or other IT and security policies) remotely.

To sync contacts from Lotus Notes or Microsoft Outlook to an Android smartphone, you must first sync the data with Google's cloud. But incidents such as a hacked Google Apps account resulting in a serious security breach at Twitter, along with general concerns about cloud security, give IT admins good reasons to be apprehensive. The requirement that sensitive data be stored on the Web with Google could be reason enough for some IT departments to ban Android devices altogether.

Android does have some useful security controls and remote-management capabilities built in, and you can overcome most security concerns with a bit of planning and some good app downloads. Here’s how to lock down your phones.

Working With Android

As with the Apple iPhone, the primary framework for remote configuration and management of Android smartphones is Microsoft Exchange Server and ActiveSync. Using Exchange, IT administrators can impose configurations and enforce policies, up to a point. Let's examine some of the pros and cons of managing Android devices with ActiveSync.

Researchers have found that the connect-the-dots pattern screen for unlocking an Android smartphone is vulnerable to cracking: A thief could trace over the fingerprint smudges on the display to unlock the phone. Fortunately, Google has added PIN and alphanumeric-password options to Android 2.2 (aka Froyo), and IT admins can select and enforce a password policy across Android devices using Exchange ActiveSync. Unfortunately, only about a third of Android devices are currently running version 2.2.

Another useful Android security feature gives you the ability to remotely wipe the data on a device in the event that it is lost or stolen. Using Exchange ActiveSync, IT admins can remotely reset an Android device to factory defaults, in the process removing any sensitive or confidential data stored on it.

However, although Microsoft Exchange and ActiveSync can also disable functions such as the smartphone camera or Bluetooth connectivity, those security controls are not available to Android. If your organization is concerned about the security implications of smartphone cameras, or the possibility that an attacker could hijack the smartphone's Bluetooth connection and use it to access the other network resources the device is attached to, those shortcomings are crucial.
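The ActiveSync controls described above (password policy, inactivity lock, wipe after failed attempts, remote wipe) can be set from the Exchange Management Shell. The following is an added example, not part of the original article; it assumes Exchange Server 2010, and the policy name, mailbox, notification address and numeric thresholds are hypothetical placeholders.

```powershell
# Added example: run in the Exchange Management Shell (Exchange Server 2010 assumed).
# Policy name, mailbox, address and thresholds are hypothetical placeholders.
$policyName = 'Android-Baseline'
$mailbox    = 'user@example.com'

# Password policy: require an alphanumeric password, lock after inactivity,
# and wipe the device after repeated failed unlock attempts.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -MaxDevicePasswordFailedAttempts 8 `
    -AllowNonProvisionableDevices $false `
    -AllowCamera $false `
    -AllowBluetooth Disable
# AllowNonProvisionableDevices $false refuses sync to devices that report they
# cannot apply the policy. Per the article, the camera and Bluetooth settings
# are not available to Android, so do not count on them for those devices.

# Attach the policy to a mailbox.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# Check which devices sync this mailbox and whether the policy was applied.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceType, DeviceUserAgent, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync

# Remote wipe of a lost or stolen device. Destructive: the device is reset to
# factory defaults on its next sync. The cmdlet prompts for confirmation.
$lost = Get-ActiveSyncDevice -Mailbox $mailbox |
    Where-Object { $_.DeviceType -like '*Android*' } |
    Select-Object -First 1
if ($lost) {
    Clear-ActiveSyncDevice -Identity $lost.Identity `
        -NotificationEmailAddresses 'it-admin@example.com'

    # DeviceWipeSentTime and DeviceWipeAckTime show whether the wipe command
    # was delivered to the device and acknowledged by it.
    Get-ActiveSyncDeviceStatistics -Identity $lost.Identity |
        Select-Object DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
}
```

The `DeviceType` filter is only an illustration; match on the exact device identity before issuing a wipe when a mailbox has more than one device.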

Tools to Manage Android

The rise of third-party offerings for managing and protecting mobile devices is not directly related to Android, or to any other platform per se. It is more about filling a need for a framework capable of managing a diverse, heterogeneous collection of smartphone platforms. Businesses are increasingly allowing employees to choose the smartphone that suits them best and then working to accommodate those choices, rather than simply dictating which smartphones are--and are not--acceptable.

For less-mature platforms like the Apple iPhone and Android smartphones, though, third-party products provide a much more robust and comprehensive set of smartphone management tools than those of the respective device vendors. And third-party tools tend to be more suitable for cross-platform work environments.

Zenprise MobileManager can apply and update ActiveSync policies, and it also provides security controls that extend beyond the basic protection Android alone offers. Symantec has a comprehensive set of tools for managing and protecting mobile devices, as well, and it recently introduced Android support for some of those applications.

With these tools, IT admins can monitor and track Android smartphones to enforce compliance with established security policies, as well as set policies to define password requirements, lock company smartphones after a period of inactivity, and wipe a device after a set number of failed password attempts. The mobile-security platforms will also detect noncompliant Android devices and suspend ActiveSync access to prevent them from connecting to sensitive information and networks.

The most established third-party product for managing mobile devices, though, is Good for Enterprise from Good Technology. Good for Enterprise provides IT admins with a Web-based console for managing and troubleshooting remote mobile devices--including Android smartphones. For businesses deploying Android smartphones, one of the most important features of Good for Enterprise is the ability to ensure protection of data using AES-192 encryption.

Obviously, such third-party management tools require an additional investment; IT admins will also need time to become familiar with the policies and protection required, as well as to get things properly configured. But once you overcome the initial learning curve and the tool is up and running, it can pay for itself in reducing the effort necessary to monitor and protect mobile devices, and in freeing up IT administrators for more important tasks.

Android Invasion Marches On

Android is a powerful platform that has a lot to offer for mobile business productivity. The diverse array of smartphones available, combined with the impending explosion of Android-based tablets, virtually guarantees that Android's presence in business will continue to grow.

Here's hoping that as Android matures, the tools available to manage, maintain, and secure Android devices within a business-network infrastructure evolve as well. Whether Android expands to include more of the functionality that IT admins expect, or whether more third-party developers step up to fill the void, the long-term success of Android as a business tool depends on it.
