11:40 AM
Connect Directly

Android Security Becomes FUD Fest

Big scary warnings about Android security just keep on coming. Are you focused on the right MDM questions?

InformationWeek Now--What's Hot Right Now
With great power comes great responsibility, for the security community. The current noise and hype level around Android security has become so loud that I wonder if many people are simply tuning it out. As InformationWeek's Eric Zeman points out, Juniper, Symantec, and Kaspersky Labs have all been making dire warnings about increased threats to Android devices from malware.

You've probably seen the same string of headlines I have, like "Android's a malware magnet, says McAfee" and "2011 Is The Year Of Mobile Malware." Maybe you've seen the big scary numbers, too, like Juniper's claim that the ranks of mobile malware have risen 472% since July.

Zeman, no newcomer to mobile, notes that vendors have ratcheted up the scare factor pretty quickly-- given that a phone-to-phone threat that has yet to surface in a widespread way. Check out his take on where the truth lies between the vendor warnings and the critics' opinions on Android security.

Of course, as one reader commented on Zeman's story, mobile security also depends largely on user behavior: "If you don't want apps to have access to your personal data, then don't install apps that say they are going to access your personal data. It really is that simple. No app will ever have access to your personal data unless you have explicitly given it permission to access that data," writes DLYNCH294.

The hype around mobile device management hasn't been much better this year, says our MDM expert, Mike Davis, in his well-balanced column on Top 5 MDM Must-Do's.

As Davis notes about a recent conference talk: "I will most likely get hate email for saying this, but ... MDM technology is all pretty much the same; maybe 10% of features are unique, usually around self-registration capabilities and enhanced encryption. And I don't see that changing, even though Google and IBM got in the game this week, each announcing it will have an MDM product available soon."

If the vendor offerings prove that similar, Davis says, that means your recipe for staying safe in the enterprise boils down to three factors: planning, process, and policy enforcement. Check out his advice.

See our InformationWeek 2011 Mobile Device Management and Security Survey for more on how your peers are dealing with MDM. (It's free with registration.)

Amazon's Android-based Kindle Fire tablet poses a special problem, because your trusty enterprise mobile device management tools don't work with the Fire yet. The safest choice now: Block the device from connecting to your enterprise network, though users won't like it.

Looking ahead, Amazon also plans an Android Kindle phone in 2012--though InformationWeek's Thomas Claburn fears it could flop if Amazon makes a me-too design choice. "Amazon wants to sell you a phone so you'll buy Amazon App Store apps and Kindle e-books, which will almost certainly be readable on this expected Kindle phone (too bad the name Phondle won't fly)," writes Claburn.

Phondle. Don't you love it? That would not be a me-too name.

One thing's certain. Enterprise IT will not be fond of the Phondle if Amazon doesn't see its way clear to letting users connect to an app store that will allow install of enterprise-grade MDM tools.

Laurianne McLaughlin is editor-in-chief for InformationWeek.com. Follow her on Twitter at @lmclaughlin.

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Ted E.
Ted E.,
User Rank: Apprentice
11/22/2011 | 9:26:25 PM
re: Android Security Becomes FUD Fest

Sorry to bear bad news, but personal data can leak without downloading clearly "bad" apps or explicitly granting access to your personal data. In the case of many Android devices the risk involves the SD Card. Read my blog post to see how this can occur.

There has been some hype about Android security gaps. The antidote to FUD is quality information, which we provide in our mobile security risk report. Our information is both vendor neutral (we don't sell MDM) and highly technical/research based.
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-09
Simple Streams (simplestreams) does not properly verify the GPG signatures of disk image files, which allows remote mirror servers to spoof disk images and have unspecified other impact via a 403 (aka Forbidden) response.

Published: 2015-10-09
The Telephony component in Apple OS X before 10.11, when the Continuity feature is enabled, allows local users to bypass intended telephone-call restrictions via unspecified vectors.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.

Published: 2015-10-09
The Safari Extensions implementation in Apple Safari before 9 does not require user confirmation before replacing an installed extension, which has unspecified impact and attack vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.