Is The Android Operating System Too Risky For Enterprise Business?

A walk through the Android Software Development Kit and libraries will show you some interesting scenery.

You can, for example, see how a few strokes of code will allow you to write an application that can access an Android device's contact list and phone, in the background.

A walk through the Android SDK might also show you how you can write an app that will launch the device's e-mail service and even send e-mail messages.

The Android SDK hiking tour will also provide a mile marker with instructions on how to put together an app that will launch a device's text-messaging feature to both receive and send data.

If you're an upstanding citizen and software developer, you can use that information to create powerful, secure, productive and "gee whiz" apps of the kind that have made the Android operating system one of the fastest-growing operating systems of all time. If you're a hacker or a criminal, however, you can use Android to launch vicious, destructive attacks on individuals and, potentially, infrastructure.

Last month, more than 50 Android apps were found to contain malware called DroidDream, ranging from gaming apps to a currency converter app to a scientific calculator app, according to security ISV Lookout.

Lookout reported that the Trojan known as DroidDream used two exploits called "exploid" and "rageagainstthecage" to infect Android-based devices.

Lookout said it found that hackers had used exploid to deploy itself looking like a legitimate "calling plan management" app and began hitting the market via what it said were Chinese app markets. ventually, Lookout said, a version of that app turned up in the official (and more mainstream) Android Market. A further review found this app turned out to be, essentially, a dud because it didn't have the code to fully exploit a device. But just the fact that an app like this made it into the Android Market was frightening enough, Lookout said, because that indicates it could happen again in the future. And with real, device-smashing code.

Android, which was founded by Google and is developed by an open-source community, represents both an enormous opportunity to drive the enterprise to the edge of the network, as well as the risk of kicking it over that edge. Unlike the iOS platform for iPhone and iPad, which Apple oversees and manages so closely that the company has been accused of heavy-handedness in which apps it allows into its ecosystem, just about anybody can write an Android app and push it out to the market.

The recent DroidDream incidents, among others, may prove to be a cautionary tale that might slow down an industry that has been racing toward Android as an antidote to Apple's absolute market dominance in a strategic area.

Take, for example, Motorola. The Schaumburg, Ill.-based company's consumer division produces wildly popular Android-based phones such as the Droid X. It has received credit throughout the industry for providing the most stable and bullet-proof form of Android on a mainstream mobile device. But Motorola Solutions, the company's enterprise mobility unit formerly known as Symbol Technologies, is taking a slower approach with Android in providing technology used in business and government solutions.

"Our customers need certain functionality and capabilities in the underlying OS. We understand that a portion of our customer base desires to run commercially available prosumer and consumer applications available on Android, but the OS must be secure, manageable and reach an appropriate level of maturity," said Brian Viscount, Motorola's vice president of marketing for mobility.

"Enterprise customers just can't deal with the current deluge of Android revisions and releases," Viscount said. "So, we will eventually bring Android to market [in the enterprise], but we'll be filling in a number of enterprise voids in the standard OS offering, including security and manageability, and we'll be regulating releases to meet the requirements of our customer base."

Some experts in the channel give kudos to Motorola's own development of Android, even with acknowledgments that the raw, open Android source code needs work.

"The standard Android operating system is very weak from a security perspective, whereas the Motorola [version of the Android] operating system is much more enterprise-ready from a security perspective," said Mark Greer, COO of Milestone Systems, a Minnetonka, Minn.-based solution provider. "You need to have the right processes in place … to make sure you're controlling the exposure that's out there," he cautioned solution providers.

NEXT: The Android Operating System: Under The Hood

There are elements of Java and Linux throughout the Android operating system and, like with Web applications, there is a general framework for allowing some applications to work with others. But in Android, that can produce another potential soft spot for security.

For example, one application in an Android device can talk to another application to give it a sort of "heads up" that it's about to do something and might need some help; that heads-up communication is called an "intent." Say you're running a contact-management app and you want to click on a contact's phone number from a list to make a call. The one app would issue an intent to the other app, and the way would be paved inside the phone to make that call.

However, "intents" have nothing to do with security and are not designed to know anything about security. So a rogue app, downloaded for free from a marketplace, could issue a safe-looking "intent" to open the contact-management app, copy all of the data, and then upload it to someone for malicious purposes.

India-based solution provider Imaginea, which has Android expertise, put it this way in a recent white paper on the topic: "Developers need to carefully ensure that sensitive data is not transferred using intents, when setting up permissions or when the broadcast intents are sent, so that rogue applications do not misuse the data."

Because Android is open freely to all developers, and because it's not that difficult, comparatively, to build an app and upload it to the Android Market for the world to have, this should be a true concern for enterprise IT staff.

All of those complaints about Apple being too deliberate with approving apps for its iTunes App Store take on a new meaning when you consider this: Apple, while making developers at times wait much longer than they'd like for apps to be approved for the iTunes App Store, tackles quality control before these apps hit the market. Google operates a "Kill Switch," which can impressively go into millions of Android devices and disable rogue apps, but only after they are out in the wild.

NEXT: Android Operating System: What The Test Center Found

In the CRN Test Center lab, we've examined Android in a variety of devices over the past several months with an eye on how this platform could interact with the enterprise. We were pleasantly surprised by some aspects of the platform, unpleasantly surprised by others, and have come away with a general sense that it's just not there yet for commercial, small-business or government operations.

Android will need to experience a variety of growing pains, including waiting for best-in-breed app developers to rise to the top of the pack in key areas like management and security.

Here are some of the highlights of what we saw in the lab:

Android is different, even if slightly, in just about every device. If you're used to using one template for security practices in a Windows and BlackBerry environment, for example, you'll need more templates than ever with Android. That's because Android on a Dell Streak is different than Android on a Motorola Droid X, and both are different from what you'll find on a ViewSonic ViewPad 10. They differ to accommodate different screen sizes and resolutions, different hardware designs and different market focuses.

Motorola's Droid X, for example, is very friendly to peripherals. It supports miniSD, USB and HDMI, which opens up the platform to a lot of functionality. We were, for example, able to use an off-the-assembly-line mobile scanner from Visioneer to scan documents directly into the Droid X and completely bypass a PC in the process. That's because the Android ecosystem is open and allows flexibility for great peripherals. But, on the other hand, one can envision a day when malicious code on a USB drive infects an Android device and creates all sorts of havoc throughout an unprepared or unsecure network.

A number of Android devices, like the Droid X, provide "hot spot" functionality, meaning the devices can become 3G-based, Wi-Fi hot spots. This is an enormously productive function; however, it comes with the added concern of creating additional security vulnerabilities.

Again, all Android devices are slightly different from others, so determining which devices might have a greater vulnerability in this area might not be so easy and could change over time.

IT road-mapping with Android devices will be a huge test for solution providers and CIOs. Because Android is so fragmented, an app written for Android 2.2 that has been custom-tailored for a Dell device might break badly when ported over to future versions of Android for a Samsung device. If it's an app like Angry Birds, that's no big deal. But if it's a custom-written ERP application, for example, that helps control millions of dollars worth of inventory, it could be more than a little "whoops." On one hand, not deploying smart devices that increase efficiency and productivity could put a business at a competitive disadvantage. But deploying smart devices without a flexible road map that takes Android’s fragmentation into account could mean even worse.

NEXT: Keeping The Android Operating System Safe In The Enterprise

The CRN Test Center examined three security apps for Android that we liked and that could help secure a device.

Lookout's eponymous security app is a free and simple download from the Android Market onto a device. A device scan will check for spyware and malware, and the app provides a "Privacy Advisor" that will let a user know what tracking software is on a device.

On one device, Lookout told us that we had 10 apps that tracked our location, 10 apps that could read our identity information, one app that could access our text messages and six apps that had access to our contact list. None were malicious apps, but a couple of them we needed to examine more closely to determine why, exactly, that app needed access to certain sets of data.

We also examined Trend Micro's Mobile Security. The full app is $3.99, but a 30-day trial is free. Mobile Security, unlike Lookout, provides call and SMS filtering and blocks unwanted calls or messages. A realtime scan zeros in on malware on a device, and Mobile Security appears to scan files just as an antivirus application would scan a Windows PC -- although on our Android phone it was a lot quicker and provided much less granular detail on the results.

Finally, we installed AVG Antivirus for Android. Like Lookout and Mobile Security, AVG will scan for malware and vulnerabilities. We liked AVG, too, for the details it provided after every scan. For example, after an initial scan, the app told us we had 176 installed apps, 1,375 activity screens, 112 content providers, 243 receivers and 233 services. The AVG app was free but -- and we seldom say this about software we evaluate -- it served up advertising in the app itself. That struck us as odd and un-enterpriselike.

What we didn't see throughout the Android universe, though, were enterprise-ready, centrally managed security solutions like many in IT are used to seeing on platforms like BlackBerry and Windows Mobile/Windows Phone 7. While we don't see any for Apple's iOS platform, either, there's a basic understanding that Apple's lockdown of the hardware and App Store platforms will go a long way toward securing iPhones and iPads. (That understanding will change, though, the first time there's a significant data breach on an iOS platform.)

Standard enterprise best practices for IT security continue to apply in enterprises that adopt Android as part of their framework: deployment of antivirus technology, network password authentication, quarterly or monthly security audits, asset management and monthly or weekly inventory, firewalls, employee education and hardware security, among others.

With mobility, solution providers have also long recommended device standardization across an enterprise -- even with smartphones. This is especially challenging in an environment where one generation of devices will give way to another generation of devices sometimes in less than a year; in the case of Android, the OS can be expected to be slightly different with each upgrade as well. In addition, carrier restrictions may also factor into device life cycles in an enterprise.

The result: In an enterprise that supports Android devices, it may be necessary to simply restrict many aspects of network access from one generation to the next; as more security features and apps become available on the Android platform, those restrictions can loosen over time.

NEXT: The Test Center's Android Recommendation

It's hard not to like Android devices for the power and functionality that many of them provide: 8-megapixel cameras, long battery life, broad carrier support and an open platform that allows for the creation of tons of great software.

For solution providers or enterprises that have an anti-Apple bias, or a strategy that doesn't include Apple technology, Android is an alluring alternative. And, face it, employees in an organization will use their own Android smartphones and tablets for work even if an enterprise doesn't support them.

But keep an eye on an industry leader in this space: Motorola. No single company can boast more intellectual capital in the Android arena than Motorola, particularly with its consumer devices, yet the company is still moving slowly toward bringing that technology to the enterprise. And it appears to have very good reasons.

Until someone steps up to play a gatekeeper role with the Android app ecosystem, it may be difficult for enterprises to feel enough confidence to trust it with its corporate data. That's a shame.

Because Android is open-source technology, like Linux, and maintains many Linux features, some observers said early on that Android would simply be as secure as Linux. But Linux devices have never hit the consumer mainstream like Android, and have never been as big a target for hackers.

Android devices are on track for a record year in 2011, according to new estimates from the likes of research firms Gartner and IDC. That could mean more pressure on solution providers and CIOs to provide devices and the security and support to go with them. This pressure will be difficult to resist but, in the long run, may be the best course of action for many businesses and government entities.