By James A. Martin, CIO.com, May 20, 2015
A set of security experts shares actionable tips for IT departments and users to help reduce the risk associated with the popular mobile OS.
The security pros interviewed for our article, “Experts bust Android security myths,” offered up the following eight Android security tips for IT administrators and users:
1) Don’t root that Android device
“To do significant damage in the mobile world, malware needs to act on devices that have been altered at an administrative level,” according to Dionisio Zumerle, principal research analyst at Gartner. “The most obvious platform compromises of this nature are ‘jailbreaking’ on iOS or ‘rooting’ on Android devices …
While these methods allow users to access certain device resources that are normally inaccessible … they also put data in danger.”
2) Don’t overlook Android security or focus only on malware
“Perhaps one of the biggest risks of mobile malware is the fact that mobile malware, in itself, is not yet abundant,” says Domingo Guerra, president and cofounder of Appthority. “This creates a false sense of security in government and enterprise organizations.”
Guerra also identified a number of additional Android risks, including “corporate data exfiltration, poor app development practices, mismanagement of user names and passwords, poor implementation of encryption, and data harvesting and sharing for marketing purposes.
“These risks are often overlooked by shortsighted, malware-only security strategies,” Guerra says.
3) Don’t install Android software from unofficial app stores
“Only install apps from the Google Play store that are from known and trusted developers,” says Terry May, an Android developer with Detroit Labs. “It would also be a best practice to take advantage of the multiple users feature in Android and have a user account that is just for enterprise.”
4) Pay attention to Android app permission requests
Reading an app’s access requests is critical, according to Mark Huss, senior consultant at SystemExperts. For example, a flashlight app doesn’t need access to services that cost you money (such as SMS messaging), system tools, your call list or any personal information, network communication or location service, Huss says.
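One way to turn Huss’s advice into a repeatable check is to audit the permissions an app declares against what an app of its kind plausibly needs. The script below is an added example, not code from the article or from any of the experts quoted; it assumes a decoded AndroidManifest.xml (for example, apktool output), and the allowlist for a flashlight app and the mapping of permissions to the article’s risk areas are this example’s own choices.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the risk areas Huss names
# (costs money, call list, personal info, network, location, system tools).
# The grouping is constructed for this example, not an official taxonomy.
RISK_AREAS = {
    "android.permission.SEND_SMS": "services that cost you money",
    "android.permission.CALL_PHONE": "services that cost you money",
    "android.permission.READ_CALL_LOG": "call list",
    "android.permission.READ_CONTACTS": "personal information",
    "android.permission.READ_PHONE_STATE": "personal information",
    "android.permission.INTERNET": "network communication",
    "android.permission.ACCESS_FINE_LOCATION": "location service",
    "android.permission.ACCESS_COARSE_LOCATION": "location service",
    "android.permission.WRITE_SETTINGS": "system tools",
    "android.permission.RECEIVE_BOOT_COMPLETED": "system tools",
}

# Constructed allowlist: a torch app only needs the camera flash.
FLASHLIGHT_EXPECTED = {"android.permission.CAMERA"}


def requested_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> value, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def audit(manifest_xml, expected):
    """Map each permission outside `expected` to the risk area it falls under."""
    findings = {}
    for perm in requested_permissions(manifest_xml):
        if perm not in expected:
            findings[perm] = RISK_AREAS.get(perm, "unclassified")
    return findings


# Constructed manifest for a hypothetical flashlight app (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for perm, area in audit(SAMPLE_MANIFEST, FLASHLIGHT_EXPECTED).items():
        print(f"unexpected: {perm} ({area})")
```

On the sample manifest the audit flags SEND_SMS, fine location and Internet access as outside what a flashlight needs; an unknown permission is reported as "unclassified" rather than silently accepted.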
5) Always keep Android software and firmware updated
“Always check for available firmware updates and patches and download the latest version if possible,” says Gleb Sviripa, an Android developer at KeepSolid. “The newer the version is, the fewer the chances that hackers can attack your device.”
6) Install security and VPN apps
It’s simple to find a plethora of security apps for Android. Look for apps that scan for malware and block apps from non-approved sources, according to Geoff Sanders, cofounder and CEO of LaunchKey. Disk encryption should be enabled, and apps that have “overreaching access to potentially sensitive data” should be denied, he says.
When surfing the Internet, Android devices should be protected with virtual private network (VPN) software such as VPN Unlimited, Sviripa says.
7) Organizations should set and enforce clear access policies
Companies need to be clear about the sensitive materials that users can access via mobile devices and ensure those devices have “the right infrastructure in place to protect against mobile threats,” according to Swarup Selvaraman, senior product manager at Dell SonicWALL.
8) The four basic tenets of Android security
Troy Vennon, director of Pulse Secure’s Mobile Threat Center, says enterprise mobile security boils down to following four essential steps: Disallow rooted and jailbroken devices; ensure that devices are protected by passwords; keep devices updated; and require users to connect through a VPN.