Why Google Needs to Get a Grip on Security
10:19 AM EST Tue. May. 31, 2011
The din over security issues continues to grow on a daily basis, and Google winds up being part of the discussion more often.
Most recently, a vulnerability that could impact Android devices was pointed out in February but was still exploitable in May.
The vulnerability stemmed from the fact that some of Google’s other cloud-based services -- like Google Calendar -- are not encrypted the way other services like Gmail are. Other apps at the time, like Facebook’s Android app, had similar issues. Network eavesdroppers could gain access to all of that data through the air, via unsecured Android devices.
There are about 70 million Android-based devices that ship annually, with double-digit growth. That’s a lot of devices with some big vulnerabilities.
And at the same time, many apps -- including these 20 -- will help to increase security on Android platform-based devices.
But while Android devices have achieved stunning popularity in the consumer space, executives from at least one major mobility vendor tell us they are going to tread very carefully before they introduce Android devices into enterprise hardware. And it appears that caution is with good reason.
Take, for example, this latest analysis from security vendor McAfee on Google’s Google Wallet e-commerce and payment app:
"Android apps are relatively easy to reverse-engineer, so that would probably be the first step an attacker would take. Google says that only authorized apps will have access to the 'secure element' chip, and the chip uses asymmetric encryption to authenticate access to stored secrets (credit card credentials). This implies that an attacker has a good chance of extracting the authentication key from the Google Wallet app. The next step would be to create a malicious application that emulates the official Wallet app to fool the 'secure element' chip into giving up your credentials. From here, the attacker can collect account information for sale or for attempts at cloning the data to new NFC cards."
A digital mugging might be less physically harmful than a real one, but a mugging is a mugging nonetheless. McAfee appears to be sounding an important alarm.
Android boosters will rightly point out that, hey, Windows has had vulnerabilities for years. Tons more data has been compromised or lost via Windows-based PCs over the years than anything that has come from Google or the Android community. That’s true, but that’s not the point. The marketplace, over years, developed core best practices that have elevated security in the Windows world to the point where enterprises -- businesses of all sizes, government agencies of all sizes -- now have a checklist they can constantly examine to make sure they are in the best position possible to protect data.
Android is a relative Wild West. Where are the best practices for Android-based IT?
Google needs to do a better job of getting out front on security issues regarding Android. Google executives can choose to become the public face of mobile security, or they can risk becoming the public face of vulnerability.