Sometimes being the most popular comes at a steep price. In the desktop operating-system world, Microsoft Windows is the big kahuna in terms of market share. This also makes it a much bigger target for malware proprietors, leaving the perception that Apple’s Mac OS X is a safer ecosystem, when, in fact, that perceived security is in part derived from its much smaller market share.
The phenomenon is playing out once again in the mobile space with Google’s Android OS, which has successfully established itself as the most popular mobile OS. At this year’s Google I/O, the company’s annual developer conference, officials boasted that there are more than 900 million Android devices active on the platform.
The massive market share, along with its open-source origins, makes Android a prime target for malware; the U.S. government has claimed that 79 percent of mobile malware was aimed at Android devices. Fragmentation in the Android ecosystem among manufacturers is another factor that complicates Android’s security standards.
This fragmentation means an Android experience on a Samsung device is wildly different from an Android experience on an LG phone — which means a security vulnerability could be addressed on one version of Android on a specific device, but not ALL versions on all devices.
Google has heard the complaints about Android’s security challenges and has decided to include several enterprise-focused security features in its latest release, Android 4.4 KitKat.
We reached out to Adam Stein, senior director of mobile marketing at SAP, to get his take on the latest security features in KitKat.
STEIN: Android is a much different OS compared to other mobile platforms, including Apple iOS. Android is akin to a multithreaded series of highways, all carrying live production apps, content and devices simultaneously. Comparatively, Microsoft Windows Phone 8 and iOS7 are single-threaded highways.
Since Android is open source, and upgrades are not mandated in any sequence by Google, many of the [original design manufacturers] simply update their “highway” as needed, often with proprietary “lane markings” and “traffic signals” to help show differentiation.
While this improves differentiation, it often is confusing to the enterprise or consumer user, since one “highway” never duplicates another. Security is often a matter of policy settings and original design manufacturer (ODM) innovation. On the Samsung Android “highway” they’ve provided extra “airbags,” “locks” and other “security options” in the form of SAFE and KNOX for Security. Other Android highways take advantage of third-party aftermarket security capabilities like secure PIM and email. The primary Android “release train” highway also continues to gain more secure capabilities that ODMs are in turn updating on their products.
STEIN: For enterprise deployments, a few of the larger advancements are per-user VPNs, as well as the addition of more secure cryptographic libraries for protecting users’ data at rest or in transit. Dm-verity helps prevent persistent rootkits that can hold on to root privileges and compromise devices. Lastly, certification management is improved to offer a warning if encrypted network traffic is requested for the device certificate store. KitKat can also detect and block fraudulent Google certificates in secure SSL/TLS communications.
STEIN: On average, each successive release of Android has taken 6 to 9 months to hit critical mass and another 3 to 6 months to start declining. This decline usually coincides with another Android OS release. This pace is accelerating as Google increases its investment and the reach of Android-based devices extends past the traditional mobile markets, including OEM embedded (for example, automobiles) and connected gaming markets.