Michelle Drolet
Contributor

Google running late to the enterprise mobility party

News Analysis
Apr 14, 2015 | 5 mins
Android, Mobile Security, Security

Is Android secure enough for the enterprise?

Android has a bad reputation when it comes to security, which is unfortunate because it’s the biggest mobile platform around in terms of market share. Gartner says Android claimed 80.7% of the worldwide smartphone market in 2014. We know that the BYOD trend has sparked a dramatic rise in personal mobile devices being used for work, and the bulk of those devices are running Android.

As the most popular mobile platform around, it’s inevitable that Android is going to be targeted by cybercriminals. Cisco’s 2014 Annual Security Report found that 99% of mobile malware in 2013 targeted Android devices.

But beyond its ubiquity, there’s another reason that Android is such a common target for malware. The fact that it offers an open alternative to Apple’s walled garden is a double-edged sword. It allows users the freedom to customize and micro-manage permissions on their devices, but if you don’t know what you’re doing, it’s very easy to expose yourself to risk.

Opening yourself up to risk

High-profile incidents and malware attacks are common. Just the other day, Palo Alto Networks highlighted a potential hijacking vulnerability which allows attackers to replace a seemingly legitimate app with malware without the user’s knowledge during the installation process. This could give them access to sensitive data, including usernames and passwords.

In some ways, the security threat with Android is overstated, and this incident is a good example of why. The exploit that Palo Alto Networks discovered requires users to install an app from outside the Google Play Store. In fact, the vast majority of malware found on Android, according to Cisco’s data, is found in third-party app stores. The bulk of malware is actually found in app stores predominantly serving Eastern Europe, the Middle East, and Asia, especially China, where Google doesn’t have an official presence.

An F-Secure whitepaper from 2013 found that the number of apps carrying malware in Google’s Play Store was just 0.1%, and that they have an extremely short shelf life, because they are removed as soon as they are discovered. Google has also tightened security significantly since then. But even though the risk may be exaggerated, that doesn’t mean there isn’t a risk.

Significant obstacles for Android

Android defenders will point out that installing apps from outside the Play Store requires the user to tick a box in a menu in their Android settings, and that is true. The problem for IT departments sizing up the competition is that platforms like Apple’s iOS and BlackBerry don’t allow users that level of freedom. In theory, Android’s permission system shows users exactly what each app can do, but in practice users treat it like a Terms and Conditions page and just blindly accept most permissions.

Fragmentation is another headache for IT departments looking to manage mobile devices. There are lots of different flavors of Android, and a multitude of different devices with customized user interfaces and apps pre-installed by manufacturers and carriers. Because Google doesn’t exercise as much control over apps as Apple does, the chances are good that the mobile apps putting your data at risk are Android apps. It’s the low-hanging fruit for cybercriminals.

Google is late to the enterprise party

Traditionally, the mobile device market for the enterprise has been dominated by BlackBerry, but in the last couple of years Apple has made major gains by offering a good range of security capabilities. Google is relatively late to the market.

Samsung, the leading Android manufacturer, actually started targeting the enterprise security market with its Knox platform a couple of years ago. It offers cloud-based device and application management and secure workspaces, but despite working across Android and iOS devices, it hasn’t been widely adopted.

Now Google has stepped in with Android for Work, which allows users to partition Android devices so work apps and data are kept separate from personal apps and data. IT departments can control work apps and keep data secure without infringing on personal privacy. Since many startups also use Google’s web apps, this could prove to be a very popular service in the months to come.

There are also a number of third-party solutions out there from vendors like SOTI that go even further, offering deep levels of control and oversight for the security-conscious.

Android can be secure

None of this means you can’t use Android in the enterprise. It just means that you need a solid MDM policy and you need to employ the right management tools. If you consider that Android devices are already in the enterprise through the BYOD trend, that they can be significantly cheaper than the competition, and that their security capabilities are improving all the time, it may be unwise to discount the platform out of hand.

Comparatively, it may still be easier for IT departments to securely manage devices running BlackBerry or iOS than Android, but that’s beginning to change.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girls’ mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Wired.com, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.