
Nov. 16, 2011 Executive Technology Strategies ETS 11-11-10


Experture/RFG: experts on demand



Android Phone Security

A client of ours is interested in understanding the level of Android usage in the most security-minded private sectors, such as banking, insurance, and consulting.

Their security department’s latest finding is that Android’s security and encryption are not strong enough for them to deploy Android devices, and they are curious to know whether the rest of the market has reached the same conclusion.

They’d like to see a chart with the sectors that are the most security conscious along with analysis and opinion on the subject.

They’d also like to know how soon Google will offer native on-board encryption on its Android devices.

Introduction and Perspective

Android is an open-source platform based on the Linux kernel. As such, its source code is available to the general developer population, which can discover, and in some cases exploit, security vulnerabilities in the platform.


Research on Android security turned up a number of ways to improve security in the Android market [1]. The list presented below provides some insight into the potential challenges and pitfalls of the Android landscape.


  • Charge Developers More To Become Approved – currently Android developers only have to pay $25; Apple developers have to pay $100.

The lower price allows “trouble-makers” to register and develop/release malware into the Android market. It is suggested to raise the price of entry, thereby discouraging those malcontents.

  • Improve Security Assessments – the application security testing and assessment process needs to be improved and monitored.

The current testing and assessment process is not robust. However, even if this is improved in the U.S., there are certain global markets, like China, that do not have the same standards or safeguards in place.

  • Application Scanning – downloading from unapproved developers can be prevented by using third-party verification systems; signature-based scanning is recommended.

The challenge with signature-based scanning is that any certificate can be used to sign an application; right now there isn’t any way to properly govern the use of “stolen” certificates.

  • Fix Linux kernel-level flaws – newly discovered flaws need to be fixed immediately.

As an open-source program, there isn’t a definitive process and timeline in place.

  • Better App-Testing Protocols – better testing protocols are needed to identify and capture potential security concerns.

As an open-source program, Android has no such protocols in place today.

  • End ‘Wild West’ Approach to App Acceptance – the open-source application approval process is not as robust as it should be.

As an open-source program, Android does not currently have such a process.

  • Sandboxing – create individualized computing environments in which each app runs in isolation.

This is a function of where Android runs and is therefore up to the device manufacturer.

  • Build Android Security Apps – there is a lack of security apps for Android.

A number of third-party security-based applications are available, and more are being developed. However, the general feeling is that a lot of user intervention will be needed, so these apps will not be transparent to the user.

  • Create Remote App Installation Alerts – automatic and/or transparent app approval takes authority away from the user and enables download of insecure apps.

In some cases, user intervention is a good thing: app installation needs user-controlled approval.

  • Improve Patching Methodology to Resolve Android Fragmentation – the many versions in use make it difficult to patch.

The challenge here is that there are too many versions of Android in use. Developing and distributing patches becomes geometrically more difficult as more versions/variations are developed. More control is needed to combat this issue.
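The application-scanning item above makes a point worth seeing in code: a valid signature only proves that the package was signed by whoever holds the key behind the certificate, and since any developer can mint a self-signed certificate, “signature verifies” says nothing about whether the signer is trusted. The example below is added here and is not code from the report or from Google; it models the trust decision only (ECDSA P-256 over a SHA-256 digest of constructed package bytes) and does not reproduce Android’s actual APK/JAR signing format. The names “Trusted Publisher” and “Unknown Signer”, the allowlist, and the sample package bytes are all constructed for illustration. It shows two self-signed certificates, each producing a signature that verifies, and then an allowlist of pinned signer fingerprints, the control a verification system would need, which accepts one and rejects the other.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// signer bundles a self-signed certificate with its private key.
type signer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newSelfSigned mints a self-signed certificate. Any developer can do
// this with no external approval, which is why a valid signature alone
// proves nothing about the signer's trustworthiness.
func newSelfSigned(cn string) (*signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &signer{cert: cert, key: key}, nil
}

// sign produces an ASN.1 ECDSA signature over SHA-256(package bytes).
func (s *signer) sign(pkg []byte) ([]byte, error) {
	digest := sha256.Sum256(pkg)
	return ecdsa.SignASN1(rand.Reader, s.key, digest[:])
}

// fingerprint is the hex SHA-256 of the DER certificate: the value a
// verification system pins in its allowlist of known publishers.
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// signatureValid checks only that the signature matches the certificate's key.
func signatureValid(cert *x509.Certificate, pkg, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(pkg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// accept is the defender-side decision: the signature must verify AND the
// signer's fingerprint must be on the allowlist.
func accept(cert *x509.Certificate, pkg, sig []byte, trusted map[string]bool) bool {
	return signatureValid(cert, pkg, sig) && trusted[fingerprint(cert)]
}

// demo signs the same constructed package with a trusted publisher's key and
// with an unrelated self-signed key, and reports (unknown signer's signature
// verifies on its own, trusted package accepted, unknown-signer package accepted).
func demo() (unknownSigValid, trustedAccepted, unknownAccepted bool, err error) {
	pkg := []byte("constructed sample: contents of an application package") // constructed input
	var publisher, unknown *signer
	if publisher, err = newSelfSigned("Trusted Publisher (constructed)"); err != nil {
		return
	}
	if unknown, err = newSelfSigned("Unknown Signer (constructed)"); err != nil {
		return
	}
	trusted := map[string]bool{fingerprint(publisher.cert): true} // pinned allowlist
	sigP, err := publisher.sign(pkg)
	if err != nil {
		return
	}
	sigU, err := unknown.sign(pkg)
	if err != nil {
		return
	}
	unknownSigValid = signatureValid(unknown.cert, pkg, sigU) // true: any cert "works"
	trustedAccepted = accept(publisher.cert, pkg, sigP, trusted)
	unknownAccepted = accept(unknown.cert, pkg, sigU, trusted) // false: not pinned
	return
}

func main() {
	v, t, u, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("unknown signer's signature verifies: %v\n", v)
	fmt.Printf("trusted package accepted: %v\n", t)
	fmt.Printf("unknown-signer package accepted: %v\n", u)
}
```

The allowlist is also where the report’s “stolen certificate” caveat bites: pinning rejects unknown signers, but a package signed with a legitimately pinned key that has leaked still passes, so the fingerprint list needs a revocation path (removing the compromised fingerprint) to be of use.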

It is apparent that your security department’s concern is valid. A lot of work needs to be done before Android reaches an appropriate security level.
Experture feels that given the open-source development environment, it will take some time to address all of these concerns. For example, there is a strong negative developer reaction to charging more money for developer access and to enforcing control.
The result is that the more astute, security-conscious industry segments, such as Financial Services, are attempting to slow the adoption of Android-based devices.
Industry Use of Android and Other Operating Systems
Unfortunately, information on Android use by industry group is not readily available. However, there is enough valid information to provide a good picture of OS/device use, adoption and prediction.
Listed below (Chart 1 – Activations by OS/Device [2]) is a breakdown of Android and iOS device activations for the last quarter, as reported by Good Technology. Note that iOS-based smartphones and tablets account for over 70% of the new activations for the last quarter.

Chart 1 – Activations by OS/Device


Looking at OS use over the last three years and projections provided by Gartner (Chart 2 – Mobile OS Use), a number of observations can be made.
First of all, it is projected that by 2015, Android will represent close to 50% of the market. For this to happen, significant strides need to be made to reduce the risk of security flaws.
Blackberry will continue to decline. This could be accelerated if RIM succumbs to financial and competitive pressures.
iOS will retain its market share of around 17%. Experture anticipates that continued improvements in iOS will not only assist in retaining market share, but should potentially raise activations so that the end result could be as high as 25%.
Symbian, which had one of the largest market segments, will all but disappear by 2015.
Interestingly enough, Gartner projects that Windows will grab around 20% market share in 2015. Experture has no reason to believe that this will be true and expects it will be much less than that.

Chart 2 – Mobile OS Use


The next chart (Chart 3 – Overall Activations by Industry) raises some concern that the Financial Services industry is using Android more than it should. This is NOT necessarily true, since a correlation between OS activations and industry is NOT available. However, Experture contends that risk-aware industries are Android-averse, based on a number of articles in the trade press [3].

Chart 3 – Overall Activations by Industry



Google Native Encryption Availability
According to Experture’s research, there is no native encryption being offered by Google at this time [4]. However, there are alternatives being provided by third parties [5], either for specific applications like TouchDown, Good for Enterprise, and Trust Digital, or generically, like Syncplicity.
This is not to say that Google is not aware of its deficiencies. Recently, Google released Android version 4.0.1, "Ice Cream Sandwich" (ICS), to open source. Within it, a number of the issues outlined in the first section of this report are being addressed. For example, ICS unifies the 2.x smartphone branch and the Android Honeycomb tablet branch. This should start to address the patching issue caused by the many branches of Android versioning.
There is NO indication of when native encryption capability will be released. Experture anticipates that this will not be for some time since there are so many other items that need to be attended to. Our best guess is nine months or more.
The Bottom Line: After reviewing all of the accumulated material on Android security, it is obvious that from a risk perspective, it is not ready for primetime.
It is interesting to note that the adoption rate is expected to increase dramatically by 2015.
Either the general public is ignorant of, or doesn’t care about, security (not true), or the market gurus’ expectation that the security concerns will be handled sooner rather than later is correct. Experture feels strongly that market pressure caused by BYO devices will force adoption of Android before there is a 100% comfort level. This provides an excellent opportunity for third-party suppliers to fill the gap left by Google.


[1] Multiple internet sources…

[2] Good Technology, new activations by quarter (Good data).

[3] http://blog.brightpointuk.co.uk/android-ready-enterprise; http://www.windowsitpro.com/article/windows-mobile/what-you-need-to-know-about-google-android

[4] https://wikis.utexas.edu/display/ISO/Approved+Encryption+Methods+for+Handhelds

[5] http://www.syncplicity.com/company/press/syncplicity-launches-android-client.aspx, November 15, 2011

Copyright © 2004-2011 Experture and Robert Frances Group, all rights reserved

649 Fairfield Beach Road, Fairfield, CT. 06824; (203) 557 0856;

http://www.experture.com/; Contact: inquiry@experture.com



