But one risk that's often overlooked, Kelley says, is users' willingness to tap the Accept button for whatever permissions an app requests. "This is compounded by developers' often overzealous permission requests, due to a lack of understanding of which permissions an app needs," he says. "Apps should request the least number of permissions possible to function appropriately, and users should be in the habit of not automatically granting permissions to apps whose functions wouldn't seem to need them."
How to build a secure Android environment
If your organization is preparing a significant rollout of Android devices or a BYOD program that includes devices running the OS, it needs to develop a strategy to keep the company protected from the known security risks and vulnerabilities. Here are the key components of that strategy.
Develop a trust model. Part of this involves identifying what the real risks of data loss are, says MobileIron's Rege. Based on those risks, you determine what level of enterprise content should be made available on the devices.
"We call this developing a trust model that establishes which users are trusted with which data or apps under what circumstances," Rege says. "Every major organization has gone through data classification to establish this underpinning for its security policies." But he notes, "This will take longer for Android because the Android fragmentation makes the process more complicated."
Designate an Android expert in IT. A key best practice is to designate an individual in the organization to be the Android expert, Rege says. "More and more of the overall IT team should gain Android familiarity, but our customers have found that they need one point-person who is chartered to keep up with the rapid pace of the Android ecosystem," he says. Otherwise, IT's Android knowledge base quickly becomes obsolete.
Use an app reputation service. Another good practice is to use a third-party app reputation service that evaluates apps and assigns them a risk score. "Then you can use these risk scores to set policies" in an MDM tool, Rege says. For example, you could set a policy that if an employee installs an app with a high risk score, his or her email is blocked and that user can't access corporate resources until the app is removed.
"With mobile, you have to assume the environment changes all the time as apps are installed and operating systems versions change," Rege says.
Layer your security. As with other IT security strategies, layering security makes sense for the Android environment. If you look at the mobile security stack in layers (starting from the bottom up) as network/carrier layer, hardware layer, operating system layer, and application layer, the chances of exploits increase as you climb the ladder, says Tyler Shields, a senior analyst for mobile and application security at Forrester Research. "Enterprises also have less control the lower we go in the stack," Shields says.
To try to mitigate the risk at each layer, Shields recommends a combination of mobile security technologies each specifically aimed at a different security layer. "The baseline security requirement is to have [an MDM] system managing every device in your environment," he says. "This will help with the remote-wipe capabilities, tracking lost devices, and general management and baseline security requirements."