Google Ramps Up Android Security As Threats Grow

Google is taking steps to bolster the security of its highly targeted Android platform, which security experts warn is significantly outpacing other mobile platforms in introducing risk to corporate networks.

Android is now part of Google's patch reward program, which gives cash to developers to contribute to security patches to popular open source projects. The move, unveiled last month, encompasses all open-source components of Android, wrote Adrian Ludwig, an Android security engineer, in the company's official Android blog.

"The Android team works very closely with the security research community at large to foster public discussions and implement improvements," Ludwig wrote.

[Related: Top 5 Android Malware Threats ]

Ludwig said the company pushed out security improvements in Android 4.4, known as KitKat, reinforcing the Android sandbox to prevent mobile apps from extending to other device processes. The sandboxing technology is core to most mobile device platforms and significantly increases the difficulty in carrying out attacks that can root or takeover a mobile device. In addition, Ludwig highlighted the enforcing mode, which is enabled by default on Android devices, to prevent malicious code from violating or attempting to bypass security restrictions.

Google is responding to reports that consistently document attacks targeting the platform. Android smartphones and tablets make up more than 90 percent of the attacks targeting mobile devices, according to data collected by a variety of security vendors. Google remains fairly tight lipped about the actions it takes to address mobile threats, such as malicious applications and mobile malware attacks.

The latest threat report, issued last month by McAfee, found mobile malware that allows an attacker to bypass mobile application restrictions. The firm documented approximately 700,000 new Android malware samples. The company pointed to the rising threat posed by malicious applications overstepping their bounds. One gaming app bilked more than 37 million email addresses from the contacts associated with 810,000 Android phones and tablets.

Solution providers told CRN that more businesses are considering implementing security as part of their core mobility strategy.

While the increasing amount of mobile malware gets the most attention, small and midsize businesses are concerned about data loss associated with lost or stolen devices. Security policies designed to prevent employees from accessing the most sensitive data on mobile devices is also difficult to enforce without new technology, said Bill Hoblin, sales manager at Redding Calif.-based West Coast Technology.

Firms understand that restricting employees to a single platform is difficult, Hoblin said. West Coast Technology's conducts educational and informational sessions focused on mobile security, which are gaining interest, he said. Not surprisingly, according to Hoblin, most interest is coming from firms in highly regulated industries, such as healthcare, where data leakage is a growing concern with mobile.

"They're implementing email encryption to protect sensitive data and making sure that they can remotely wipe lost devices that may contain sensitive data," Hoblin told CRN.

NEXT: Business Must Develop Plan To Address Mobile-Based Threats

In addition to network access control technologies designed to control access to corporate network resources, businesses are considering mobile device management technologies to oversee BYOD and are even looking at virtualization technology to satisfy laptop and mobile device risks, West Coast Technology's Hoblin said.

"It's finally becoming an increased awareness for most organizations," Hoblin said. "Up until now, they've been less willing to spend money to solve these issues."

Google's Ludwig also pointed out in the blog the software maker's support of security researchers via the Pwn2Own Mobile security competition at the PacSec Applied Security conference held last month in Tokyo. No exploits were used against Android, Ludwig wrote, but providing devices to hacking contests helps bolster security and gives engineers a way to test device security controls against new threats and bypass techniques, he said.

Businesses have to decide how to address mobile threats based on their security posture, said Tony Giandomenico, director of business solutions at Honolulu-based managed security services provider Referentia Systems Inc. Firms dealing with more sensitive information or those involved with critical infrastructure might restrict mobile devices from accessing internal resources. Other firms allow open access, Giandomenico said.

"We're entering that stage where businesses are beginning to execute against a mobility strategy," he told CRN in a recent interview. "Every business will have a unique way of dealing with mobile threats."

PUBLISHED DEC. 3, 2013