Risk
11/21/2011
11:40 AM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Android Security Becomes FUD Fest

Big scary warnings about Android security just keep on coming. Are you focused on the right MDM questions?

InformationWeek Now--What's Hot Right Now
With great power comes great responsibility, for the security community. The current noise and hype level around Android security has become so loud that I wonder if many people are simply tuning it out. As InformationWeek's Eric Zeman points out, Juniper, Symantec, and Kaspersky Labs have all been making dire warnings about increased threats to Android devices from malware.

You've probably seen the same string of headlines I have, like "Android's a malware magnet, says McAfee" and "2011 Is The Year Of Mobile Malware." Maybe you've seen the big scary numbers, too, like Juniper's claim that the ranks of mobile malware have risen 472% since July.

Zeman, no newcomer to mobile, notes that vendors have ratcheted up the scare factor pretty quickly-- given that a phone-to-phone threat that has yet to surface in a widespread way. Check out his take on where the truth lies between the vendor warnings and the critics' opinions on Android security.

Of course, as one reader commented on Zeman's story, mobile security also depends largely on user behavior: "If you don't want apps to have access to your personal data, then don't install apps that say they are going to access your personal data. It really is that simple. No app will ever have access to your personal data unless you have explicitly given it permission to access that data," writes DLYNCH294.

The hype around mobile device management hasn't been much better this year, says our MDM expert, Mike Davis, in his well-balanced column on Top 5 MDM Must-Do's.

As Davis notes about a recent conference talk: "I will most likely get hate email for saying this, but ... MDM technology is all pretty much the same; maybe 10% of features are unique, usually around self-registration capabilities and enhanced encryption. And I don't see that changing, even though Google and IBM got in the game this week, each announcing it will have an MDM product available soon."

If the vendor offerings prove that similar, Davis says, that means your recipe for staying safe in the enterprise boils down to three factors: planning, process, and policy enforcement. Check out his advice.

See our InformationWeek 2011 Mobile Device Management and Security Survey for more on how your peers are dealing with MDM. (It's free with registration.)

Amazon's Android-based Kindle Fire tablet poses a special problem, because your trusty enterprise mobile device management tools don't work with the Fire yet. The safest choice now: Block the device from connecting to your enterprise network, though users won't like it.

Looking ahead, Amazon also plans an Android Kindle phone in 2012--though InformationWeek's Thomas Claburn fears it could flop if Amazon makes a me-too design choice. "Amazon wants to sell you a phone so you'll buy Amazon App Store apps and Kindle e-books, which will almost certainly be readable on this expected Kindle phone (too bad the name Phondle won't fly)," writes Claburn.

Phondle. Don't you love it? That would not be a me-too name.

One thing's certain. Enterprise IT will not be fond of the Phondle if Amazon doesn't see its way clear to letting users connect to an app store that will allow install of enterprise-grade MDM tools.

Laurianne McLaughlin is editor-in-chief for InformationWeek.com. Follow her on Twitter at @lmclaughlin.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ted E.
50%
50%
Ted E.,
User Rank: Apprentice
11/22/2011 | 9:26:25 PM
re: Android Security Becomes FUD Fest

Sorry to bear bad news, but personal data can leak without downloading clearly "bad" apps or explicitly granting access to your personal data. In the case of many Android devices the risk involves the SD Card. Read my blog post to see how this can occur.

There has been some hype about Android security gaps. The antidote to FUD is quality information, which we provide in our mobile security risk report. Our information is both vendor neutral (we don't sell MDM) and highly technical/research based.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0972
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2014-3534
Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio