Malware threats are ever-present in mobile and this needs to be a top concern for IT execs, as they continue to issue millions of mobile devices to enterprise workers daily.
An interesting piece ran in late October at TechTarget examining the protections—or lack of same—that exist for Android apps. It was a legitimate exploration of the issue and it noted that protections are much better in North America, Europe, Japan and Australia than in the rest of the world.
The reason for those geographic security differences are that the places listed is where Google itself screens and monitors the apps. And that, ladies and gentlemen, is the real problem. It's about conflict of interest coupled with priorities. As for the conflict, do you really want to leave your security to a search engine firm that makes almost all of its money by selling your data to advertisers?
As for the priorities, let's be honest. How much money and resources do you think a Google exec can justify protecting the apps before you can download them? Although it's true that Google has an interest in minimizing embarrassing security leak stories, it has a much greater business incentive in housing as many apps as possible. At the very least, Google wants to offer as many—if not more— apps than their rivals in the iOS offices at Apple. After all, IT managers supporting Android are always looking at Apple, in the same way that IT folk supporting Apple are always looking at Android.
Where does this leave things on security? It means that Google will do the bare minimal effort on security—just enough to ferret out the most obvious offenders, so they can say that they did that. If it's of any comfort, Apple does the same level of effort for iOS apps. Apple's priority is selling hardware, software and services—none of which are security.
Back to that TechTarget piece on Android. The story offered two other reasons to be comfortable with Android security, two reasons that should actually make you far more nervous.
"Google’s statistics claim that 0.16 percent of the apps that users attempted to install from the Play Store in 2015 were found to be malicious. And various studies show that the average Android user only installs about one app per month," the story noted. "Basically, you really need to be unlucky to install a malicious app out of the 2.4 million available in the Play Store."
First, enterprise employees download a lot more than one app per month, on an individual basis. But the company overall? It's a mammoth figure. That's because BYOD (Bring Your Own Device) efforts are coupled with corporate-owned devices being distributed. Either way, these devices are going to house a plethora of corporate apps right alongside personal apps. A handful of companies create rock-solid (or so they hope) partitions that supposedly provides some degree of separation between personal and corporate data. This allows for the company to backup corporate data onto their servers, while leaving personal data and apps alone.
Even when that works—which isn't often—that does nothing for security risks. Any personal app that is downloaded with malware will have no respect for such a barrier and will infect corporate data with ease, which will then be backed up and do its nefarious damage across your LAN and then your WAN. Partitions are designed for privacy, not security.
Secondly, that stat assumes that all apps are created equal, which they are not. When identity thieves or cyber assailants want to infiltrate enterprise networks, they will specifically target the kinds of apps most likely to be used. Indeed, some will target specific companies and research what apps are likely to be installed for those employees. Hence, that 0.16 percent number shouldn't provide any comfort.
The story also offers seemingly comforting thoughts about how hard it is to work outside the Android environment. "Going outside of the Play Store does bump up your risk factor, but there is still a process to installing a malicious app that news about Android malware tends to gloss over. The vast majority of Android malware is delivered to devices via 'side loading,' which is to say the app has to be actively installed by the user outside of the Google Play Store environment. This is not a simple process," it noted. "In order to be able to side load an app, a user must first go into the device settings and turn on the option to install apps from 'Unknown Sources' and tap OK on the dialog that pops up warning the user that side loading apps makes 'your phone and personal data more vulnerable to attack.'"
For a determined tech-comfortable employee, that's not difficult. And for a determined teenage offspring of said employee? It's a lot more fun than homework. To be fair, though, this misses the point. This suggests that it's safe staying within the Google control mechanism, in the same way that it's presumably safer to stay within Apple's environment. I'll concede that it's safer. It's simply not nearly safe enough.
A company needs to control its own security and that means retaining the services of an operation whose priority is maintaining security. If it's a minor hobby far removed from how they make almost all of their money, that's not who you want checking your apps.