Android Security Issues Could Cause Pause For Midsize Businesses
While bring-your-own-device (BYOD) has proven tricky for many IT professionals at midsize businesses, recent news about Android security issues could provide yet another layer of concern. The smartphone, which has already seen an increase in security threats, is now suffering from slow patching. This not only puts the individual phone at risk for malware and hacking, but could jeopardize an entire company's network.
According to InfoWorld, demos at Black Hat USA 2012, an annual conference on information security held most recently in Las Vegas, illustrated several of Android's vulnerabilities and weaknesses. Charles Miller, an Accuvant Labs research consultant, showed audiences just how easy it is to exploit Android's beam file-sharing feature. All a potential hacker needs to do is place the target phone near another Near Field Communications (NFC) phone that he or she is controlling and then beam code from one to the other to run the malware, with no permissions necessary.
In another demonstration, Trustwave researchers illustrated that although Google's Bouncer is supposed to scan Android marketplace applications for malware, a weakness in the program allows potential hackers to covertly update apps that have passed Bouncer security, so they can then load malicious websites or view files on the targeted smartphone. Through this method hackers could ostensibly take full control of the user's phone, an end result that could be potentially devastating for a business if the phone contains sensitive information.
While vulnerabilities in smartphones are par for the course, what should be particularly troubling for IT is the slow pace with which Google, carriers, and device manufacturers are issuing patches to their users. InfoWorld cites a browser vulnerability discovered in February as a prime example. Though Chrome was notified and eventually fixed the weakness, carriers and device manufacturers have yet to send the patches out to all Android users. The site also warns that according to a study done by Michael DeGusta of the website The Understatement, 11 out of 18 Android phones have no support a year into their release.
Because IT can't control which devices employees choose to use, Android security issues, or the slow pace of patching, implementing mobile virtualization platforms becomes a necessity. Having dual operating systems on a single phone at least gives IT the peace of mind that if a user's phone is compromised by downloading a malicious app via the marketplace while using their personal operating system, encrypted information on the business operating system, and in turn the business's network at large, is still safe.
This issue also sheds light on the ever-growing load faced by IT at a midsize business. Not only do they need to contend with patches and updates for their enterprise's computer operating system, but it's now important to keep abreast of those necessary to keep employees' smartphones safe from malware. Is there a solution to lighten the load? A one-size-fits-all solution hasn't appeared yet, but having a solid yet flexible game plan that also includes educating employees seems to be, for now, IT's best bet.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.