There are elements of Java and Linux throughout the Android operating system and, as with Web applications, there is a general framework for allowing some applications to work with others. But in Android, that framework can produce another potential soft spot for security.
For example, one application in an Android device can talk to another application to give it a sort of "heads up" that it's about to do something and might need some help; that heads-up communication is called an "intent." Say you're running a contact-management app and you want to click on a contact's phone number from a list to make a call. The one app would issue an intent to the other app, and the way would be paved inside the phone to make that call.
However, "intents" have nothing to do with security and are not designed to know anything about security. So a rogue app, downloaded for free from a marketplace, could issue a safe-looking "intent" to open the contact-management app, copy all of the data, and then upload it to someone for malicious purposes.
India-based solution provider Imaginea, which has Android expertise, put it this way in a recent white paper on the topic: "Developers need to carefully ensure that sensitive data is not transferred using intents, when setting up permissions or when the broadcast intents are sent, so that rogue applications do not misuse the data."
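One way to check an app for the exposure described above, as an added example that is not from the article or from Imaginea's white paper: a Python script that reads an AndroidManifest.xml and lists the activities, services and receivers other apps can reach by intent without holding any permission. The manifest, package name and component names are constructed for illustration, and treating a component with an intent filter as exported by default is an assumption that matches pre-Android 12 behaviour.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
INTENT_TARGETS = ("activity", "service", "receiver")

# Constructed sample manifest for a hypothetical contact-management app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.contacts">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ExportContactsActivity">
      <intent-filter>
        <action android:name="com.example.contacts.EXPORT"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.contacts.permission.SYNC"/>
    <receiver android:name=".ContactChangedReceiver" android:exported="true"/>
    <service android:name=".IndexService" android:exported="false"/>
  </application>
</manifest>"""

def unprotected_components(manifest_xml):
    """Return (tag, name) for components other apps can reach by intent
    without holding any permission."""
    root = ET.fromstring(manifest_xml.strip())
    findings = []
    for app in root.iter("application"):
        app_perm = app.get(A + "permission")  # default for all components
        for comp in app:
            if comp.tag not in INTENT_TARGETS:
                continue
            actions = [a.get(A + "name") for a in comp.iter("action")]
            exported = comp.get(A + "exported")
            # Assumption: no explicit android:exported plus an intent filter means exported.
            reachable = exported == "true" or (exported is None and bool(actions))
            launcher_only = actions == ["android.intent.action.MAIN"]  # app entry point
            protected = bool(comp.get(A + "permission") or app_perm)
            if reachable and not launcher_only and not protected:
                findings.append((comp.tag, comp.get(A + "name")))
    return findings
```

Each finding is a component that should either be marked `android:exported="false"` or be guarded with an `android:permission` that only trusted callers hold.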
Because Android is open freely to all developers, and because it's not that difficult, comparatively, to build an app and upload it to the Android Market for the world to have, this should be a true concern for enterprise IT staff.
All of those complaints about Apple being too deliberate with approving apps for its iTunes App Store take on a new meaning when you consider this: Apple, while making developers at times wait much longer than they'd like for apps to be approved for the iTunes App Store, tackles quality control before these apps hit the market. Google operates a "Kill Switch," which can impressively go into millions of Android devices and disable rogue apps, but only after they are out in the wild.