Android security may be so difficult, and involve so many interacting parties, that at best it may not be solvable at all, according to Tim Vidas, who examined the question at AusCERT.

Vidas’ presentation won’t have been welcome news to any partisan of Android – nor to IT departments trying to tackle the risk BYOD poses.

The problems are legion: malicious applications that request more privileges than they need; developers drawn to mobile platforms because development is relatively easy, which lets the unschooled and unskilled introduce new insecurities; users who, wanting a particular application, fall prey to spoofed copies of it and then grant them excessive privileges; a burgeoning world of malicious markets whose only purpose is to distribute malware; and devices that ship with their own vulnerabilities.

Even on the official Android market, a malicious application might not last long – but two or three days is sufficient, Vidas said, to achieve thousands of downloads before the app is removed. He noted that it’s quite feasible for a malware writer to craft an application that scanners won’t notice even in a well-managed market, because the app as submitted doesn’t contain the dangerous payload; instead, after installation, it fetches the payload separately.

Device rooting is yet another serious risk. “If you have RootSmart now, and you connect to other corporate resources, then the malware has more privileged access to your device than any of your security software. The device can be used as a proxy into your network,” he said.
“And who is the device administrator?” In almost all circumstances, Vidas said, it’s not the business’s IT administrator: “the real device admin might be some collection of hackers sitting somewhere.”

Android’s slow update cycle – an almost inevitable outcome of a software upgrade having to flow through a large number of participants (Google, telecommunications carriers, and device makers) – can mean that the gap between an upgrade being prepared and actually shipping is as long as 12 months, he noted. In other words, the software upgrade cycle to fix (for example) a browser vulnerability could easily be longer than the end user’s “buy a new telephone” cycle.

The worst news: Vidas – currently awaiting his doctorate from Carnegie Mellon University – could not see any imminent solution to this host of security problems confronting both the individual and the enterprise.

#auscert2012
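Two of the risks described above, apps that ask for more privilege than they need and apps that ship clean and fetch their payload after installation, can be triaged statically before an app is allowed onto a managed fleet. The Python below is an added example written for this page; it is not code from the article, from Vidas, or from any product. It assumes two inputs a practitioner can produce with standard tooling, a decoded AndroidManifest.xml and the string table of classes.dex, and the permission list, the indicator patterns, the sample manifests and the sample strings are all constructed for illustration.

```python
"""Static triage for over-privileged apps and staged (fetch-later) payloads.

Added example for this page, not the article's or any vendor's code. Inputs:
a decoded AndroidManifest.xml (e.g. from apktool) and the strings found in
classes.dex (e.g. from `strings` or a dex parser). All samples are constructed.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Illustrative list (an assumption, not an official taxonomy): permissions that
# let an app cost the user money, read personal data, or persist across boot.
HIGH_RISK_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.INSTALL_PACKAGES",
}

# Dex-level signs that code will be loaded at runtime rather than shipped.
LOADER_PATTERNS = (
    re.compile(r"dalvik/system/(Dex|Path)ClassLoader"),
    re.compile(r"java/lang/Runtime;->exec"),
)
# Dex-level signs of a network client that could fetch that code.
NETWORK_PATTERNS = (
    re.compile(r"java/net/(HttpURLConnection|URL|Socket)"),
    re.compile(r"org/apache/http/"),
)
# References to loadable artefacts (e.g. a URL or file name ending in .dex).
PAYLOAD_FILE = re.compile(r"\.(dex|jar|apk)\b")


def parse_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {e.get(name_attr) for e in root.iter("uses-permission")}


def triage(manifest_xml, dex_strings):
    """Score one APK. 'stager' is the dropper signature: INTERNET permission,
    a network client, and a runtime class loader all in the same binary."""
    perms = parse_permissions(manifest_xml)
    loader = [s for s in dex_strings if any(p.search(s) for p in LOADER_PATTERNS)]
    network = [s for s in dex_strings if any(p.search(s) for p in NETWORK_PATTERNS)]
    payload_refs = [s for s in dex_strings if PAYLOAD_FILE.search(s)]
    stager = bool(loader) and bool(network) and "android.permission.INTERNET" in perms
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    return {
        "high_risk_permissions": risky,
        "loader_refs": loader,
        "network_refs": network,
        "payload_refs": payload_refs,
        "stager": stager,
        # Either finding alone is enough to hold the app for manual review.
        "verdict": "review" if (stager or risky) else "pass",
    }


# Constructed sample: a "wallpaper" app that wants SMS and boot persistence.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Wallpapers"/>
</manifest>
"""
# Constructed sample of the kind of entries a dex string table holds.
SUSPECT_STRINGS = [
    "Lcom/example/wallpapers/MainActivity;",
    "Ljava/net/HttpURLConnection;",
    "Ldalvik/system/DexClassLoader;",
    "http://example.invalid/wp/update.dex",
    "Landroid/telephony/SmsManager;",
]

# Constructed sample: a notes app that talks to the network but loads no code.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""
BENIGN_STRINGS = ["Lcom/example/notes/MainActivity;", "Ljava/net/HttpURLConnection;"]

if __name__ == "__main__":
    for label, manifest, strings in (("suspect", SUSPECT_MANIFEST, SUSPECT_STRINGS),
                                     ("benign", BENIGN_MANIFEST, BENIGN_STRINGS)):
        print(label, triage(manifest, strings))
```

This is triage, not detection. A stager that fetches over TLS, names its payload something other than `.dex`, and reaches the class loader through reflection will leave fewer strings behind; what it cannot hide is that it needs the INTERNET permission and some path to runtime code loading, which is why the verdict hinges on that conjunction rather than on any single string. Expect false positives from legitimate apps that use DexClassLoader for plugins, and treat a hit as a reason to inspect, not to block.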