Google Now draws caution among security experts

Google Now, the smart assistant in the latest upgrade of the Android operating system, draws an uneasiness among security experts evaluating the risks the search-based feature for mobile devices brings to businesses.

Google introduced Now on Wednesday in unveiling Android 4.1 Jelly Bean at the company’s I/O developer conference in San Francisco. Now is designed to use a person’s search history, calendar, location and Google Maps to deliver useful information, such as the next bus for that appointment downtown or a weather warning on the day you plan to bike to work.

Several security experts told CSO they were concerned over Now, while acknowledging it was too early to say for sure whether there are risks to businesses.  Like companies, consumers may also be uneasy with the amount of information going to Google and what the company can do with it.

Jon Oberheide, chief technology officer for mobile security vendor Duo Security, said: “I’m sure there will be opinions on both sides of the aisle:Privacy-focused users who are spooked by knowledge of Now and everyday users who are impressed and drawn to the utility of Now.”

While consumer advocates worry about privacy, corporations will be thinking about the implications of having Now on the same device an employee is using to tap a company’s web application or email server. At the very least, companies will want to have control to shut off the feature.

“Google states that you must opt-in to use these services, but it is unclear whether the management APIs (application programming interfaces) provided by Google will allow centralized control of these settings,” Chester Wisniewski, security research analyst for Sophos, said.

Besides control, there’s the question of third-party apps that will have access to Now and an employee’s personal information, which could also include some corporate data. In addition, those apps could also be tied to the device’s native Web browser, a favorite entry point for hackers.

“This could be especially concerning for corporate web-based apps if they depend on the native browser,” Stacy K. Crook, analyst for IDC, said. “So a recommendation there would be for companies that have mobile web applications to look into secure browsers that they can have some control over to launch those apps in.”

The challenge of securing mobile devices in light of the growing number of features is likely to push more corporations toward adopting security tools used in online banking today, Gartner analyst Peter Firstbrook said. Like banks, companies won’t know in advance whether a device is infected with malware when it connects to web applications. As a result, companies will also need authentication, encryption, database monitoring tools and browser isolation software.

“We anticipate the bring-your-own-device (BYOD) trend will force organizations to use the same types of tools,” Firstbrook said.

In the meantime, Wisniewski has found his own way to use features like Now and still keep corporate data safe. He uses a Research In Motion BlackBerry for business and an Android smartphone for his own use. “Personally, I hate carrying two devices, but I don’t see a lot of safe alternatives,” he said.