Risk
11/21/2011
11:40 AM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Android Security Becomes FUD Fest

Big scary warnings about Android security just keep on coming. Are you focused on the right MDM questions?

InformationWeek Now--What's Hot Right Now
With great power comes great responsibility, for the security community. The current noise and hype level around Android security has become so loud that I wonder if many people are simply tuning it out. As InformationWeek's Eric Zeman points out, Juniper, Symantec, and Kaspersky Labs have all been making dire warnings about increased threats to Android devices from malware.

You've probably seen the same string of headlines I have, like "Android's a malware magnet, says McAfee" and "2011 Is The Year Of Mobile Malware." Maybe you've seen the big scary numbers, too, like Juniper's claim that the ranks of mobile malware have risen 472% since July.

Zeman, no newcomer to mobile, notes that vendors have ratcheted up the scare factor pretty quickly-- given that a phone-to-phone threat that has yet to surface in a widespread way. Check out his take on where the truth lies between the vendor warnings and the critics' opinions on Android security.

Of course, as one reader commented on Zeman's story, mobile security also depends largely on user behavior: "If you don't want apps to have access to your personal data, then don't install apps that say they are going to access your personal data. It really is that simple. No app will ever have access to your personal data unless you have explicitly given it permission to access that data," writes DLYNCH294.

The hype around mobile device management hasn't been much better this year, says our MDM expert, Mike Davis, in his well-balanced column on Top 5 MDM Must-Do's.

As Davis notes about a recent conference talk: "I will most likely get hate email for saying this, but ... MDM technology is all pretty much the same; maybe 10% of features are unique, usually around self-registration capabilities and enhanced encryption. And I don't see that changing, even though Google and IBM got in the game this week, each announcing it will have an MDM product available soon."

If the vendor offerings prove that similar, Davis says, that means your recipe for staying safe in the enterprise boils down to three factors: planning, process, and policy enforcement. Check out his advice.

See our InformationWeek 2011 Mobile Device Management and Security Survey for more on how your peers are dealing with MDM. (It's free with registration.)

Amazon's Android-based Kindle Fire tablet poses a special problem, because your trusty enterprise mobile device management tools don't work with the Fire yet. The safest choice now: Block the device from connecting to your enterprise network, though users won't like it.

Looking ahead, Amazon also plans an Android Kindle phone in 2012--though InformationWeek's Thomas Claburn fears it could flop if Amazon makes a me-too design choice. "Amazon wants to sell you a phone so you'll buy Amazon App Store apps and Kindle e-books, which will almost certainly be readable on this expected Kindle phone (too bad the name Phondle won't fly)," writes Claburn.

Phondle. Don't you love it? That would not be a me-too name.

One thing's certain. Enterprise IT will not be fond of the Phondle if Amazon doesn't see its way clear to letting users connect to an app store that will allow install of enterprise-grade MDM tools.

Laurianne McLaughlin is editor-in-chief for InformationWeek.com. Follow her on Twitter at @lmclaughlin.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ted E.
50%
50%
Ted E.,
User Rank: Apprentice
11/22/2011 | 9:26:25 PM
re: Android Security Becomes FUD Fest

Sorry to bear bad news, but personal data can leak without downloading clearly "bad" apps or explicitly granting access to your personal data. In the case of many Android devices the risk involves the SD Card. Read my blog post to see how this can occur.

There has been some hype about Android security gaps. The antidote to FUD is quality information, which we provide in our mobile security risk report. Our information is both vendor neutral (we don't sell MDM) and highly technical/research based.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-6651
Published: 2014-07-31
Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-3488
Published: 2014-07-31
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2014-3554
Published: 2014-07-31
Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp allows remote routers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS Search List (DNSSL) in an IPv6 router advertisement.

CVE-2014-5171
Published: 2014-07-31
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

Best of the Web
Dark Reading Radio