Android Security: Enterprise Ready

BlueBorne, Heartbleed, Stagefright. The list goes on. Android gets a lot of negative publicity around security vulnerabilities. And Android is a large target with nearly 85% of the worldwide smartphone OS market share according to IDC, May 2017.

IBM’s 2017 Ponemon Cost of Data Breach Study revealed the average cost of a data breach is $3.62 Million, and companies are having larger breaches than in the past, averaging more than 24,000 records.

Corporations have a lot on the line with any device used as part of their business operations. So is Android really an Enterprise Ready Operating System?

The reality is that many of the headline-grabbing vulnerabilities are identified through Android-sponsored bounty programs with no actual exploitation in the real world.

Source: Google Safety Net Data; Masterkey data collected  from 11/15/2012 to 8/15/2013 and previously published at VirusBulletin 2013. Fake ID data collected data collected from 11/15/2012 to 12/11/2014 and previously published at the RSA Conference 2015.  Stagefright data current through May 2016.

Android has responded to the security challenges by making significant changes, starting particularly in Lollipop, to make a very secure operating system. Features like sandboxes & permissions, TrustZone Services, and Isolated Processes provide more Application Isolation. There is more comprehensive Device Management via administrative APIs and profiles. The OS now checks Device Integrity via Full Disk Encryption, mandatory for Android devices M and newer and encrypted at factory for the first boot. Verified Boot ensures OS image is not corrupted to prevent against malicious accidental OS changes.

Apps are still one of the areas that provide the most risk by opening access to a device so Android created SafetyNet Verify Apps which scans for Potentially Harmful Applications (PHAs) in Playstore on Device and third party app stores. Through this program over 1.4 billion devices are protected with 790 million device scans per day, and 6 billion apps checked per day. The result is that in 2016 less than 0.05% of devices that use Playstore have a Potentially Harmful App (PHA)

Source: Android Security 2016 Year In Review, March 2017

Google even proactively notifies developers of vulnerabilities resulting in over 275,000 apps improved in 2016.

As mentioned above, to improve Application Security Google has the Android Security Rewards Program with hundreds of active researchers who have been paid over $1 million in the last 12 months.

Google has also built the Managed Play Store, aka Enterprise Play Store. Administrators can configure Play Store on devices with only authorized applications from public or private Play Store or even local hosting.

Google regularly provides security updates to close the vulnerabilities in the Android Operating System, but attackers quickly exploit new vulnerabilities. As a trusted partner, Zebra gets early access to security patches and can prepare patches often before the vulnerabilities are made public. Google has moved to a 30-day security patch cycle, we are following this approach as well.

According to Google 15% of devices are still running KitKat and 29% on Lollipop. How does a 2-3-year consumer product life-cycle line up with an Enterprise life-cycle of 5 years? How can a business know their devices will continue to receive updates?

This is where the Zebra LifeGuard™ for Android™program comes in. LifeGuard provides extended security support, predictable periodic security updates and legacy OS security support when transitioning to a newer OS. Frequent updates will enhance your security and LifeGuard makes them easy to install at your discretion, either locally, or remotely via Enterprise Mobility Management (EMM).

There is no such thing as a completely secure solution, but Zebra and Android are working together to reduce the risks Enterprises must face. Three key areas of focus include

• Prevention: If harmful applications cannot execute, they can do no harm. Control access to settings and whitelist/blacklist for the minimum require application set.
• Detection: Zebra provides detection features to detect if vulnerability has occurred and take corrective action
• Security Updates: Zebra works closely with Google to keep up with new security vulnerabilities in a timely manner. Plan to deploy regular security updates.

For more details on Zebra Security visit the LifeGuard™ for Android™ page, the Zebra Developer Portal, or watch a session from Zebra APPFORUM on Android Security.

Android provides a host of resources at the Android Security Center and the Android Security 2016 Year in review white paper.