Risk
11/21/2011
11:40 AM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Android Security Becomes FUD Fest

Big scary warnings about Android security just keep on coming. Are you focused on the right MDM questions?

InformationWeek Now--What's Hot Right Now
With great power comes great responsibility, for the security community. The current noise and hype level around Android security has become so loud that I wonder if many people are simply tuning it out. As InformationWeek's Eric Zeman points out, Juniper, Symantec, and Kaspersky Labs have all been making dire warnings about increased threats to Android devices from malware.

You've probably seen the same string of headlines I have, like "Android's a malware magnet, says McAfee" and "2011 Is The Year Of Mobile Malware." Maybe you've seen the big scary numbers, too, like Juniper's claim that the ranks of mobile malware have risen 472% since July.

Zeman, no newcomer to mobile, notes that vendors have ratcheted up the scare factor pretty quickly-- given that a phone-to-phone threat that has yet to surface in a widespread way. Check out his take on where the truth lies between the vendor warnings and the critics' opinions on Android security.

Of course, as one reader commented on Zeman's story, mobile security also depends largely on user behavior: "If you don't want apps to have access to your personal data, then don't install apps that say they are going to access your personal data. It really is that simple. No app will ever have access to your personal data unless you have explicitly given it permission to access that data," writes DLYNCH294.

The hype around mobile device management hasn't been much better this year, says our MDM expert, Mike Davis, in his well-balanced column on Top 5 MDM Must-Do's.

As Davis notes about a recent conference talk: "I will most likely get hate email for saying this, but ... MDM technology is all pretty much the same; maybe 10% of features are unique, usually around self-registration capabilities and enhanced encryption. And I don't see that changing, even though Google and IBM got in the game this week, each announcing it will have an MDM product available soon."

If the vendor offerings prove that similar, Davis says, that means your recipe for staying safe in the enterprise boils down to three factors: planning, process, and policy enforcement. Check out his advice.

See our InformationWeek 2011 Mobile Device Management and Security Survey for more on how your peers are dealing with MDM. (It's free with registration.)

Amazon's Android-based Kindle Fire tablet poses a special problem, because your trusty enterprise mobile device management tools don't work with the Fire yet. The safest choice now: Block the device from connecting to your enterprise network, though users won't like it.

Looking ahead, Amazon also plans an Android Kindle phone in 2012--though InformationWeek's Thomas Claburn fears it could flop if Amazon makes a me-too design choice. "Amazon wants to sell you a phone so you'll buy Amazon App Store apps and Kindle e-books, which will almost certainly be readable on this expected Kindle phone (too bad the name Phondle won't fly)," writes Claburn.

Phondle. Don't you love it? That would not be a me-too name.

One thing's certain. Enterprise IT will not be fond of the Phondle if Amazon doesn't see its way clear to letting users connect to an app store that will allow install of enterprise-grade MDM tools.

Laurianne McLaughlin is editor-in-chief for InformationWeek.com. Follow her on Twitter at @lmclaughlin.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ted E.
50%
50%
Ted E.,
User Rank: Apprentice
11/22/2011 | 9:26:25 PM
re: Android Security Becomes FUD Fest

Sorry to bear bad news, but personal data can leak without downloading clearly "bad" apps or explicitly granting access to your personal data. In the case of many Android devices the risk involves the SD Card. Read my blog post to see how this can occur.

There has been some hype about Android security gaps. The antidote to FUD is quality information, which we provide in our mobile security risk report. Our information is both vendor neutral (we don't sell MDM) and highly technical/research based.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2014-2640
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-2641
Published: 2014-10-01
Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.