Android has long been the outcast of mobile device security largely because hackers have been adept at getting malware onto the platform via third-party application marketplaces and lax submission policies on Google Play. The security of the operating system itself, however, hasn’t been challenged any more than Apple iOS or even BlackBerry OS, forever a staple inside the enterprise.
The U.S. Department of Defense’s announcement last week that it has given the green light to bring Android in-house, in the form of Samsung’s KNOX platform currently supported on the Galaxy S4, is a huge leap forward for Android. DoD employees will now have a full range of mobile platforms to choose from; Apple is expected to get similar approval soon. The Pentagon also gave its blessing to BlackBerry’s new smartphones, the Z-10, and Playbook tablets running the BlackBerry 10 operating system.
KNOX is a locked-down version of Android that enables business and work data to coexist on separate partitions within the same device. Known as containers, these partitions have their own encrypted file systems, separate from any applications outside the container. There is also an on-demand VPN client, Per-App VPN. Samsung said the VPN can be configured and provisioned on a per-application basis and supports Suite B cryptography, which should be attractive to federal agencies.
The long-standing criticism around Android security stems from the overwhelming number of malicious applications developed for the platform. Android malware zoomed in 2012; Kaspersky Lab researchers detected nearly 45,000 samples last year, up from well under 10,000 in 2011. Since Android has the largest market share and is open source, users are able to download applications from a number of third-party sources, many of which don’t have the security standards in place that Google Play does, for example. Even Google Play had its shortcomings, most notably in its vetting of application developers.
Before recent policy changes, a developer’s license cost $25 and a credit card was the only means of identification required of someone trying to submit an app to Google Play. Malware writers also exploited the fact that they had the ability to modify features at runtime, meaning they could submit benign apps to the marketplace, and then add a malicious payload once the app was downloaded to the phone.
This is very much in contrast to Apple, which requires valid identification, including either a driver’s license or articles of incorporation for a business developer’s license. Also, Apple requires all code be digitally signed, something Google did not require.
Google, however, did enact some forceful policy changes recently that prohibit developers from sending users who download apps from Google Play off the marketplace for updates. The Google policy change states that any app downloaded from Google Play may not modify, replace or update its Android Application File (APK) binary code using an update method other than Google’s.