Experts weigh in with wish lists for Android 4.4 KitKat security
With the next version of its mobile OS, Google has a chance to prove that it's a good fit for the enterprise crowd
October 30, 2013 — CSO — With Android 4.4 KitKat, Google has an opportunity to show that when it comes to security, the next version of the mobile operating system is ready for business. While we don't know whether Google will take up the challenge, security experts provided Wednesday their wish lists of enterprise-pleasing features.
The longed-for enhancements range from more application programming interfaces (APIs) for controlling Android devices to a 64-bit ARM architecture, which is what Apple introduced in September with the iPhone 5S. Whether any of this becomes reality won't be known until the OS hits the market, which is expected to coincide with the release of Google's Nexus 5 flagship smartphone early next month.
The new APIs favored by Daniel Ford, chief security officer for Fixmo, would provide more information to IT staff sitting behind a device management console. Useful data would include whether an app came from Google Play or a third-party online store, which is where criminals often hide malware.
Android devices should also provide notifications when a browser engine is modified, a sign of infection, or if the mobile carrier is sending/requesting data, an indication of a hijacking of a femtocell base station used by service providers to extend coverage indoors.
Another useful API would let IT staff set policies for app-to-app communications. "The default rule should be that no app can communicate with another app unless explicitly permitted," Ford said.
Other features favored by experts include control over individual app permissions for accessing device services and data encryption by default. Jon Oberheide, chief technology officer for Duo Security, would also like to see Google take Android from a 32-bit ARM architecture to 64-bit.
The latter architecture vastly improves the effectiveness of security techniques such as address space layout randomization (ASLR), which helps defend against buffer overflow attacks.
Oberheide also favors adoption of the secure computing mode (seccomp) framework for sandboxing. Seccomp is used in Google's Chrome OS and can provide better protection to the mobile browser in Android.
Experts also want Google to go much further with the user profiles currently in Android and the policies available for parents to restrict children's mobile phone use. Rather than stopping with consumers, Google is being encouraged to allow companies to set policies for downloading apps and sharing data. This would make securing a device much easier when employees want to use their smartphones to access corporate networks.
Samsung has introduced technology called Knox that creates a wall between personal applications and data and those belonging to companies.
Meshing the needs of business and consumers within Android would be a win-win for Google and companies, experts say.
"Android is the least secure of the major smartphone platforms," Jack Gold, analyst for J.Gold Associates, said. "Adding enhanced security targeted at the enterprise would accelerate adoption and also provide a uniform security environment."
Other stories by Antone Gonsalves