The Android Invasion: BYOD Security Implications and Solutions
With users bringing their own devices into the work environment, running various and sundry operating systems, security is a major concern. Some vendors of mobile products and operating systems (such as Windows Phone and Windows RT, and Blackberry) emphasize integrated security in the design of their devices. Some of the others, not so much.
The bad news (for BYOD) is that those more security-focused devices are not the ones being snapped up by consumers. Android is currently the top-selling smartphone OS, with almost 70% market share world-wide in 2012 and iOS has another 20% of the market. It’s an ever-changing market, though. I’m writing this during the week of the World Mobile Congress (WMC) in Barcelona, where Mozilla just announced that it is taking the plunge and launching its own mobile operating system, Firefox OS.
Phones, though, are only the tip of the mobile iceberg. When I attended CES 2013 in January, the exhibit hall was covered with tablets of all sizes from manufacturers ranging from tiny start-ups to the biggest name computer OEMs. As long ago as last summer, tech writers were coming up with lists like The 20 best Android tablets, giving you an idea of how much competition was already out there – and that’s just the ones running the Android OS.
Of course, employees also have hundreds of different choices when it comes to buying a laptop and it’s no longer just a matter of Windows vs. Mac. Although Linux as a client OS still hasn’t really taken off, with only 1-2% of the market share, you can buy computers with Linux pre-installed from a number of vendors, or install it on a Windows machine. Android runs on low-powered notebooks/convertibles in addition to phones and tablets. Google is also marketing its Chromebooks that run the Chrome OS and has just recently introduced a more high-end version, the Pixel.
All of these are available to consumers and potentially could show up on your network as BYOD machines. It’s enough to give security pros nightmares. What’s a company to do, if you want to let as many of your users as possible bring their own devices? This article will go beyond previous discussions on this site about mobile security threats and examine how you may be able to tame the emerging monster that BYOD is becoming.
The Droid Dilemma
From the consumer’s point of view, there is a lot to like about the Android OS. You get much more control over your own device than you do with the “walled gardens” of Apple and Microsoft. You can customize the look and operation of your phone or tablet to a far greater degree. If you’re technically savvy, you can even root the device and install custom ROMs. There are far more apps available than for Windows Phone or Blackberry. There are also many, many more different hardware models to choose from, made by many different vendors.
Unfortunately, some of the same characteristics that make Android devices appealing to the user make them problematic for those who are charged with keeping the network safe. Because apps that are sold through the Google Play Store are not as thoroughly controlled by the OS maker as those sold through the store venues of the other major mobile operating systems, malware is more of a problem.
A report issued last November indicated that as many as a quarter of the apps that can be downloaded from the official Google Play market pose security risks. Security vendor Bit9 examined 400,000 Android apps and classified more than 100,000 of them as “questionable” or “suspicious.” In addition, Android users can more easily “side load” apps – that is, install apps that they get from sources other than the official store, without having to root/jailbreak the device.
Now, this is not to say that Android is “evil” - despite what some pundits would have us believe. In fact, it’s based on the Linux kernel, which is considered to have many security advantages and has a long history of operating in high security environments. Android is designed to incorporate kernel-level security mechanisms such as process isolation and a user-based permissions model with an application sandbox. It supports cryptographic APIs for standard encryption methods such as AES, RSA, SHA, etc. as well as HTTPS and SSL. Later versions of Android (4.0 and above) support Address Space Layout Randomization (ASLR), read-only relocations and more.
Beginning with Android 3.0, full file system encryption is included; all user data can be encrypted in the kernel. It can be configured to require a password for access, and password complexity rules can be imposed. In fact, from version 2.2 onward, the Android Device Administration API can be used for enforcement of password policies and for remote wipe of the devices. For a full discussion of the security mechanisms built into Android, see this document.
Nonetheless, in a security-sensitive environment, Android devices can use a little help.
Making Android devices more secure
All those security APIs are great news, but we all know from our experiences as Windows network administrators that, no matter how many great security features are built into an OS, you first have to actually enable and use them. One problem with BYOD is that it’s a relatively new phenomenon and processes and policies are still evolving. Too many companies have taken a “hands off” approach to devices that are owned by the users. That’s where policies come in.
Another part of the problem is that many network administrators don’t know how to automate the management of non-Windows devices within a Windows network – or even know that it can be done. But there are a number of solutions that will let you do just that.
Microsoft System Center 2012’s Configuration Manager (SP1) is one option for managing mobile devices. Not only does it let you apply policies to Windows Phone, Windows RT tablets, and Windows Embedded devices, but can also be used to manage Symbian, iOS and Android. It currently does this using Exchange ActiveSync (EAS) policies, but Microsoft has indicated that the goal is to move beyond EAS toward newer protocols such as OMA-DM (Open Mobile Alliance – Device Management) and is working on an Android client that will provide more extensive management capabilities.
Windows Intune is a cloud-based mobile device management solution that also supports iOS and Android. It includes built-in self-service portals for iOS and Android. It can be used in conjunction with SCCM, as part of Microsoft’s vision of unified device management for both cloud-based and on-premise computing. It’s Service Pack 1 for SCCM that adds the integration with Intune.
Third party solutions
At least until Microsoft develops its new Android client for SCCM, you may need to investigate third party mobile device management options. A few possibilities include:
- Citrix XenMobile MDM. This software was formerly Zenprise, which was acquired by Citrix, in December 2012. It gives you a lot of control over Android phones and tablets, as well as iOS, Windows, Symbian and Blackberry devices, letting you automatically apply policies to the devices, provision apps, and create blacklists and whitelists to control what apps can be installed. You can also detect if a device has been rooted and you can wipe lost or stolen or compromised devices or those whose owners have left the company. It keeps an audit trail for your own internal analysis or regulatory compliance purposes. It’s considered one of the best MDM solutions on the market.
- MobileIron. This is a relatively new company that has gotten some rave reviews for its MDM and MAM (Mobile App Management) solution. In addition to the four mobile operating systems supported by XenMobile MDM, it also lets you manage WebOS devices. (An interesting side note: LG has just recently licensed WebOS for use in its Smart TVs).
- MaaS360. This one lets you integrate MDM, MAM, laptop management (Windows and Mac), secure document sharing, and mobile expense management in a simplified solution that they describe as “cloud-centric.”
Some phone vendors are getting involved, too, in making their Android devices more security-appropriate for the enterprise environment. At a strategic time that encompassed RSA 2013 and the Mobile World Congress in Barcelona, Samsung and Centrify announced a partnership that brings a new Android solution called KNOX to the table. It enables multi-application Single Sign-On (SSO) and allows organizations to use their Active Directory infrastructures for centralized management of Samsung Android devices. It’s great for BYOD because it aims at allowing consumers to easily separate their work and personal apps/data on their devices.
BYOD offers advantages for both the individual users who bring their own devices to work and for the companies that implement BYOD programs – if those programs are implemented correctly. In this article, we’ve focused on security implications and solutions regarding personally-owned Android devices in the enterprise, because Android has the largest market share for smart phones and a growing share of the tablet market, and because the OS is seen to be the least secure of the common mobile operating systems due to its more “open” model.