Android 4 Security Better, But Still Lacking

Google released the source code for ICS, officially called Android 4, last week, giving developers a close look at the inner workings of the OS, which runs on more than half of the smartphones in use today, according to market researcher Gartner. Two VARs that made CRN's 2011 list of leaders in the security space shared their opinions of Android 4.

Among the standout features listed was on-device data encryption and implementation of a technique called address space layout randomization, which shuffles memory location for various application components. The technique rattles hackers by making it difficult for them to predict the memory location of a component they want to exploit.

Another strong security feature is the ability to store certification authority in Android's keychain. This feature adds another layer of security in identifying a smartphone user entering a corporate network.

Android 4 also has a VPN application programming interface that vendors can use to provide an encrypted tunnel from the phone to corporate applications behind the firewall. Before ICS, everything had to be built and managed by the vendor, Joey Peloquin, director of mobile security for FishNet Security, said. To Peloquin, the VPN feature and ASLR were the top standouts. "These two features are actually huge," he said.

While praising the added security, Peloquin was not ready to give Android his blessing. "In its current state, Android is not anywhere near enterprise ready," he said.

His biggest area of concern was the Android Market and its lack of rigorous inspection to ensure that published apps do not contain malware that could steal personal or corporate data from an Android phone. "It's horribly broken," Peloquin says of the Market.

In March, more than 50 malicious applications were discovered in the Android Market. The apps mimicked legitimate applications to trick users into downloading them. Google pulled down the apps and remotely removed the malicious software from affected devices. The company also added safeguards to the market.

Peoloquin is not convinced the remedy was enough, saying anti-malware will be required on every Android device connected to a corporate network. "We've got to get the market under control," he said.

Other areas of concern included the near field communication technology, called Android Beam, in ICS. Peloquin wasn't convinced that the feature would provide adequate encryption for corporate use. He had the same concerns with the ability of ICS phones to communicate over a Wi-Fi network.

A features that Peloquin would like to see added to Android is a mobile device management API that would give IT developers the option of turning off any application or component on the phone.

Scott Christie, security solutions engineer of ChipherTechs, echoed Peloquin's call for more control. He wants Google to create a native remote administration server, similar to Research In Motion's Enterprise Server for the BlackBerry. Such technology would enable greater control by giving corporate IT the ability to remove and add software, enforce policies and wipe the device clean. Such features are available from third-party security vendors today, but Christie said such add-ons are not always enough.

"Sometimes the add-ons are not as interwoven into the operating system as a native solution would be," he said.

That kind of tight integration between Android smartphones and security is a must, he said, as the number employees and executives using the devices grows.