11:40 AM
Connect Directly

Android Security Becomes FUD Fest

Big scary warnings about Android security just keep on coming. Are you focused on the right MDM questions?

InformationWeek Now--What's Hot Right Now
With great power comes great responsibility, for the security community. The current noise and hype level around Android security has become so loud that I wonder if many people are simply tuning it out. As InformationWeek's Eric Zeman points out, Juniper, Symantec, and Kaspersky Labs have all been making dire warnings about increased threats to Android devices from malware.

You've probably seen the same string of headlines I have, like "Android's a malware magnet, says McAfee" and "2011 Is The Year Of Mobile Malware." Maybe you've seen the big scary numbers, too, like Juniper's claim that the ranks of mobile malware have risen 472% since July.

Zeman, no newcomer to mobile, notes that vendors have ratcheted up the scare factor pretty quickly-- given that a phone-to-phone threat that has yet to surface in a widespread way. Check out his take on where the truth lies between the vendor warnings and the critics' opinions on Android security.

Of course, as one reader commented on Zeman's story, mobile security also depends largely on user behavior: "If you don't want apps to have access to your personal data, then don't install apps that say they are going to access your personal data. It really is that simple. No app will ever have access to your personal data unless you have explicitly given it permission to access that data," writes DLYNCH294.

The hype around mobile device management hasn't been much better this year, says our MDM expert, Mike Davis, in his well-balanced column on Top 5 MDM Must-Do's.

As Davis notes about a recent conference talk: "I will most likely get hate email for saying this, but ... MDM technology is all pretty much the same; maybe 10% of features are unique, usually around self-registration capabilities and enhanced encryption. And I don't see that changing, even though Google and IBM got in the game this week, each announcing it will have an MDM product available soon."

If the vendor offerings prove that similar, Davis says, that means your recipe for staying safe in the enterprise boils down to three factors: planning, process, and policy enforcement. Check out his advice.

See our InformationWeek 2011 Mobile Device Management and Security Survey for more on how your peers are dealing with MDM. (It's free with registration.)

Amazon's Android-based Kindle Fire tablet poses a special problem, because your trusty enterprise mobile device management tools don't work with the Fire yet. The safest choice now: Block the device from connecting to your enterprise network, though users won't like it.

Looking ahead, Amazon also plans an Android Kindle phone in 2012--though InformationWeek's Thomas Claburn fears it could flop if Amazon makes a me-too design choice. "Amazon wants to sell you a phone so you'll buy Amazon App Store apps and Kindle e-books, which will almost certainly be readable on this expected Kindle phone (too bad the name Phondle won't fly)," writes Claburn.

Phondle. Don't you love it? That would not be a me-too name.

One thing's certain. Enterprise IT will not be fond of the Phondle if Amazon doesn't see its way clear to letting users connect to an app store that will allow install of enterprise-grade MDM tools.

Laurianne McLaughlin is editor-in-chief for InformationWeek.com. Follow her on Twitter at @lmclaughlin.

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Ted E.
Ted E.,
User Rank: Apprentice
11/22/2011 | 9:26:25 PM
re: Android Security Becomes FUD Fest

Sorry to bear bad news, but personal data can leak without downloading clearly "bad" apps or explicitly granting access to your personal data. In the case of many Android devices the risk involves the SD Card. Read my blog post to see how this can occur.

There has been some hype about Android security gaps. The antidote to FUD is quality information, which we provide in our mobile security risk report. Our information is both vendor neutral (we don't sell MDM) and highly technical/research based.
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio