Securing Android for business

As more Google Android devices enter the workplace, Computer Weekly looks at the best ways of securing the mobile operating system

BlackBerrys used to hold the enterprise phone market by the throat. Every executive, every sales person, virtually anyone with a company phone, used a BlackBerry.

Those days are over. iPhones and Android mobiles are increasingly being used as business phones, fuelled by the trends of bring your own device (BYOD) and the IT department’s need to cut costs.

iPhones have become increasingly easy to slot into a company network, but securing Androids for use within a business can be a nightmare. iOS is a closed shop, Android dangerously open. Six main models of iPhone have been released, while there are over 500 different Android phones.

Many believe it is foolish, or impossible, to use an Android phone within a business, but that is not quite true.

Follow these steps to discover quite how secure the system can be.

STEP 1: Rule out outdated Android versions

The security measures incorporated in the Android OS are flaky at the best of times, but with an outdated version of the system, matters can be far worse.

For example, Android only started using basic encryption for its file system with Android 3.0. Without encryption, any malicious malware can steal valuable data without the OS even putting up a fight.

The earliest version of Android that features file encryption is Android 2.3.4. To check if a device has a suitably up-to-date edition of Android, head to the Settings menu and tap on the About Phone menu, which has an entry detailing the exact version number used on the phone.

If the phone uses Android 2.1 or 2.2, and there is no update available, it will no offer the basics required of a business phone. At this stage, it is time to think about an upgrade.

STEP 2: Tread carefully around apps

The biggest security risk of Android is one of the key things that attracts people to it – control.

Unlike iOS or Windows Phone, you can install Android apps from any source, rather than just the official Google Play app store. This has made Android the key target for malware-makers.

In 2012, mobile malware increased by 163% year-on-year, according to the NQ Mobile 2012 Security Report, with Android accounting for 95% of it.

The simplest way to avoid most of these threats is to turn off installations of non-Google Play store apps. This filter is enabled as standard, but check it is still in place within the Settings menu of a device. The Unknown Sources check box is found either under the Security or Applications sub-menus, depending on the version of Android.

There have been many reports of malware within Google Play store apps, but it is far less common than in "rogue" Android apps found on the web.

Android 4.2 was the first version of the system to give any kind of protection from viruses within these errant apps, and features a malware scanner that gives you the option to scan apps against a database of known nasties before installing files.

People working within a business without Android 4.2 should avoid untrusted apps like the plague.

STEP 3: Installing anti-malware

The explosion of Android malware and, just as important, public recognition that it even exists, has seen a raft of third-party security solutions pop up. This means there is no need to wait for Google to catch up with the way the world works. 

The most basic of these offer a virtual safety deposit box for important files, passwords and other pieces of information. They are stored behind an additional wall of encryption, and a password, to make them much safer from threats, both human and electronic.

To take a more active part in Android security though, an antivirus package is needed. These function much like the anti-malware protection of Android 4.2, scanning apps for any malicious intent.

Without a solid database and a promise to react quickly to new malware, Android antivirus packages are more-or-less useless

Like a traditional virus scanning package, these apps cross-reference what is being installed with a database of known threats. Without a solid database and a promise to react quickly to new malware, Android anti-virus packages are more-or-less useless. Picking the right one is key.

There is not always a direct correlation between the cost of Android anti-virus and how good it is. AV-Test, an independent institution that tests antivirus software across all kinds of platforms, found that many of the most effective Android packages are free.

In its 2013 Android report, it found TrustGo to be the most effective of all Android AV apps, despite being completely free to download and use. Other recommended Android antivirus apps include BItdefender Security & Antivirus ($9.95 a year), Symantec: Norton Mobile Security (requires server-side support), and LookOut Security & Antivirus.

A mandated installation of one of these packages should allay the concerns of some IT managers or CIOs, especially as some are designed to be particularly tricky to uninstall.

STEP 4: The remote wipe

Anti-virus and data encryption are essential for any business-bound Android phone, but they are preventative measures. There is a point where their effectiveness ends – when a phone is lost or stolen.

That is why remote wiping and locking are also extremely important. All the packages mentioned above offer these features, and they work in roughly the same fashion.

Using either a web dashboard or a text message, you can lock a stolen phone, rendering it inoperable, or wipe its contents. It is a last-ditch solution, but could save someone’s job in a particularly bad situation.  

STEP 5: Protecting you from yourself

Making a mobile device suitable for business use is not just about making sure it is protected against data theft. There is also a degree to which people need to be protected from themselves.

We have heard the horror stories of jobs lost and business relationships ruined because of an accidental call at an inopportune moment.

With version 4.2, Google introduced multiple user accounts to the Android operating system. These offer separate logins to separate areas, each with their own store of data. Being able to split work and play within a mobile could become an imperative feature for BYOD workers.

But multiple user accounts are only currently used in tablets, not mobile phones. It is believed that the feature was left out due to potential patent conflicts with Nokia.

To get this working with an Android phone, a third-party solution is needed. The most notable is SwitchMe.

The downside of SwitchMe, however, is that it requires a rooted device. Rooting an Android phone gives apps access to the core of the system – itself a huge security risk. This highlights why the lack of multi-user support in Android 4.2 mobiles needs to be addressed.  

STEP 6: Real protection – Samsung Knox and co.

Most of the solutions we have looked at are partial ones. They may suffice for small businesses, but companies with particularly stringent IT regulations will not allow Androids to use a company network simply because employees promise not to install dodgy apps and to install an antivirus package.

What’s missing is standardisation – something that puts control in the hands of the IT department, not the employee.

The most convincing Android security solution for CIOs and IT directors is Knox. This is Samsung’s concerted effort to become the new de facto provider of secure smartphones.

It is designed to plug all of Android’s security gaps and, much as BlackBerry Balance does, separates work and personal data. Knox splits a phone into discrete work and play zones, separated by a password and navigated through with a simple press of a homescreen icon.

What makes Knox particularly special is its ability to plug into company networks through Microsoft Active Directory, letting it interact with Windows-based business networks. This is the full solution, not just an app quickly downloaded from Google Play.

Such is its secure credibility that it has been cleared by the Pentagon for use by the Department of Defence in the US – alongside BlackBerry 10. If it’s good enough for the Pentagon, it should be good enough for most businesses.

The downside is that Knox is only available for the Samsung Galaxy S4, with the S4 Mini due to get the feature when it is released. It is also not available automatically within compatible phones, but will be sold as a business package through mobile networks.

Samsung Knox will not become available for phones from other manufacturers either, as it gives Samsung a killer edge in the business market.

STEP 7: Real protection – Knox alternatives

There are third-party mobile device management (MDM alternatives to Knox – and plenty of them – set up in a largely similar manner.

Devices are "invited" to the MDM suite through a desktop interface, and then the Android phones and tablets are authenticated through an app interface, downloaded from Google Play.

Using a combination of the tips mentioned, and a dose of common sense, Android phones can be made into capable business devices

They tend to be less elegant than the profile-based MDM experience of iPhones, or the native Samsung Knox. They also tend to drain a phone’s battery and make it operate slowly. But for larger companies they represent the only acceptable Android security solution.  

Top names include Fiberlink’s MaaS360 MDM, Zenprise’s Citrix Mobile Connect, IBM’s IBM Mobile Client, MobileIron’s [email protected], and Soti’s MobiControl.

Their respective Android apps can be found at the Google Play app store.

MDM Android apps give access to corporate email accounts that would otherwise not be accessible, along with shared documents, calendars and company apps. Some also make use of the Google Play store’s enterprise feature, letting companies create their own private channel of specific apps.

According to Jonathan Dale, director of Fiberlink, a “key feature is the ability to enforce separation between corporate and personal data and apps”.

As well as bringing secure, encrypted access to all of this content, these systems also let CIOs identify rooted devices, should they be against company policy.

Using a combination of the tips mentioned, and a dose of common sense, Android phones can be made into capable business devices.

Read more on Mobile apps and software