
Dealing with the Android security risk

Android Lollipop.

BlackBerry still gets a sympathetic hearing in some quarters because it offers enterprise-grade security on its phones. Security is baked into BlackBerry DNA. Its phones, operating systems and services are the safest around.

That’s important because mobile devices, especially Android phones, are now the biggest online security risk. A recent Symantec Cybersecurity Report found 38 per cent of mobile users saw cybercrime activity in the past year.

Not everyone listens to the warnings. Security barely registers on the radar with most phone users, who seem more interested in the latest fad app. Their managers are as clueless about the risks. Like World War Two generals, most of them are still fighting the last war. In business that means putting up Maginot Line defences against PC malware infections. They seem unaware Blitzkrieg is coming.

Earlier this year I interviewed Trend Micro’s Tim Falinski for NZBusiness magazine. Falinski says people know there are risks with laptops and desktops. He says they “are less aware of the threats when using tablets and phones. These days the weakest link is not your PC or notebook”.

He says it took only six months for the total number of malware and high-risk smartphone apps to climb from one to two million. Falinski says while Android devices are especially vulnerable, no brand or operating system is immune.

This is a headache for companies that let employees bring their own devices to work. Android now accounts for about 80 per cent of all phones. It remains largely a second-class citizen in the corporate world. At the moment Apple’s iOS is more widely supported inside large organisations. However, pressures are building to include Android. For the OS to take off in the corporate world, Google and the companies making Android phones need to address fragmentation and security.

There’s nothing inherently unsafe about Android. It is based on Linux, which is arguably the safest operating system.

Dirty secret

Android’s dirty secret doesn’t lie in viruses or malware arriving through email or as a nasty payload when users illegally download media files. Falinski says the problem comes almost entirely from downloaded apps. He says: “In the PC world, you know you can trust a program from a company like Microsoft. Things are not the same with smartphone apps. Many come from companies you have never heard of”.

Falinski says you can reduce risk by restricting app purchases to the official Google Play app store. You should be safe if you stick with the official store, but there are no guarantees.

Although Apple’s iPhone isn’t immune, it is safer. That’s because it’s harder to get dodgy apps past Apple’s locked-down iTunes store. Harder, not impossible. And Apple users are less inclined to stray off the beaten track when finding apps.

There’s a point where privacy intersects with security. Apps often ask for permission to use information such as your location. People rarely look at these requests and ask why an app needs to know where they are in order to do its job. Some are ridiculously intrusive — why does the NZ Herald Windows Phone app insist on knowing the user’s location?

Being able to track your movements can be a different kind of security risk. Predators could use that information to stalk people.

New kernel, better security

Google is taking Android security more seriously in the latest version: Lollipop. There is a new kernel security module: SELinux. It limits app privileges, making it harder for bad apps to take control. Encryption is built in to Android, but is largely hidden. When Lollipop arrives it will be more prominent and users will be encouraged to switch it on.

The problem, as always with Android, is that upgrades are haphazard compared with other smartphone operating systems. This has been tidied up: most hardware brands say their devices will move to Lollipop soon. Most Android phones introduced since early 2013 should be able to run Lollipop.

For an individual, staying safe is largely a matter of common sense. That means not downloading dubious-looking apps, getting all software from reputable sources and using all your phone’s built-in security, such as screen locking and password protection features.

There’s a whole extra layer of concern for companies wanting employees to use their own hardware for work. That’s another opportunity for BlackBerry, with some wise employers giving staff locked-down phones for work and letting them do what they want with their own devices.