Experts weigh in with wish lists for Android 4.4 KitKat security

With the next version of its mobile OS, Google has a chance to prove that it's a good fit for the enterprise crowd

With Android 4.4 KitKat, Google has an opportunity to show that when it comes to security, the next version of the mobile operating system is ready for business. While we don't know whether Google will take up the challenge, security experts provided Wednesday their wish lists of enterprise-pleasing features.

[Android now mobile world's equivalent of Windows for hackers]

The longed-for enhancements range from more application programming interfaces (APIs) for controlling Android devices to a 64-bit ARM architecture, which is what Apple introduced in September with the iPhone 5S. Whether any of this becomes reality won't be known until the OS hits the market, which is expected to coincide with the release of Google's Nexus 5 flagship smartphone early next month.

The new APIs favored by Daniel Ford, chief security officer for Fixmo, would provide more information to IT staff sitting behind a device management console. Useful data would include whether an app came from Google Play or a third-party online store, which is where criminals often hide malware.

Android devices should also provide notifications to when a browser engine is modified, a sign of infection, or if the mobile carrier is sending/requesting data, an indication of a hijacking of a femtocell base station used by service providers to extend coverage indoors.

Another useful API would let IT staff set policies for app-to-app communications. "The default rule should be that no app can communicate with another app unless explicitly permitted," Ford said.

Other features favored by experts include control over individual app permissions for accessing device services and data encryption by default. Jon Oberheide, chief technology officer for Duo Security, would also like to see Google take Android from a 32-bit ARM architecture to 64-bit.

The latter architecture vastly improves the effectiveness of security techniques such as address space layout randomization (ASLR), which helps defend against buffer overflow attacks.

Oberheide also favors adoption of the secure computing mode (seccomp) framework for sandboxing. Seccomp is used in Google's Chrome OS and can provide better protection to the mobile browser in Android.

Experts also want Google to go much further with the user profiles currently in Android and the policies available for parents to restrict children's mobile phone use. Rather than stop with consumers, Google is being encouraged to go much further to allow companies to set policies for downloading apps and sharing data. This would make securing a device much easier when employees want to use their smartphones to access corporate networks.

Samsung has introduced technology called Knox that creates a wall between personal applications and data and those belonging to companies.

[10 tips for Android security]

Meshing the needs of business and consumers within Android would be a win-win for Google and companies, experts say.

"Android is the least secure of the major smartphone platforms," Jack Gold, analyst for J.Gold Associates, said. "Adding enhanced security targeted at the enterprise would accelerate adoption and also provide a uniform security environment."

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies