Android’s perception problem is largely due to well-documented flaws in OS releases prior to v4.0, which have been plagued with malware. The good news is that many of the exploits are limited to older versions of the operating system. The bad news is that more than 50% of the Android devices in use are on versions prior to v4.0 and, according to Google, 44% of Android users are still on Gingerbread (v2.3.3 - 2.3.7; many of these devices were released two years ago). This platform fragmentation will persist as a problem, as handset OEMs continue to sell pre-v4.0 devices. Additionally, many users can’t upgrade to the latest OS release because the process is tightly controlled by their carriers, which have been slow and inconsistent (at best) in updating devices on their networks.
Improved Security Mechanisms
While the BYOD trend has opened new opportunities for businesses, it has also introduced new risks. The continued growth in Android market share not only has more consumers bringing these devices into the workplace, but also has IT organizations increasingly open to supporting them, thanks to the important incremental security enhancements Google has made since the initial release of Android in 2008. The most recent Jelly Bean Android firmware incorporated several critical security enhancements such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). ASLR, which randomizes where code and data are placed in a process's address space, is a defensive technique that has long been a security mechanism for desktop and server operating systems; DEP marks important structures that reside in memory as non-executable. These exploit-mitigation elements are common features in desktop Linux distributions, and are critical to the Android platform. They harden and protect it from exploits such as leakage of kernel addresses that lead to privilege escalations and expose devices to privacy and security risks. Much like the earlier versions of Windows that were plagued by malware, pre-v4.0 Android releases are vulnerable due to the platform's openness. In addition, the "Bouncer" feature that Google added to the security mechanisms of its Google Play app store seems to have helped with "bad apps".
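The following is an added example, not code from the original post: a Python check that reads Linux-style `/proc/<pid>/maps` text and reports mappings that are writable and executable at once (what DEP rules out) and regions whose base address moved between two launches (what ASLR provides). The function names are hypothetical and the maps excerpts are constructed, not captured from a device.

```python
import re

# Constructed /proc/<pid>/maps excerpts (not captured from a real device).
HARDENED_RUN_1 = """\
b6e41000-b6e83000 r-xp 00000000 b3:09 1201 /system/lib/libc.so
b6e83000-b6e86000 rw-p 00042000 b3:09 1201 /system/lib/libc.so
b8a12000-b8a33000 rw-p 00000000 00:00 0 [heap]
be9d4000-be9f5000 rw-p 00000000 00:00 0 [stack]
"""
HARDENED_RUN_2 = """\
b6f05000-b6f47000 r-xp 00000000 b3:09 1201 /system/lib/libc.so
b6f47000-b6f4a000 rw-p 00042000 b3:09 1201 /system/lib/libc.so
b7c60000-b7c81000 rw-p 00000000 00:00 0 [heap]
bec1a000-bec3b000 rw-p 00000000 00:00 0 [stack]
"""
# Constructed legacy layout: same bases on relaunch, writable+executable heap and stack.
LEGACY_RUN_1 = LEGACY_RUN_2 = """\
afd00000-afd42000 r-xp 00000000 1f:03 512 /system/lib/libc.so
afd42000-afd45000 rw-p 00042000 1f:03 512 /system/lib/libc.so
0000a000-0002b000 rwxp 00000000 00:00 0 [heap]
bef00000-bef21000 rwxp 00000000 00:00 0 [stack]
"""

MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_maps(text):
    # Return (start, end, perms, name) per mapping; malformed lines are skipped.
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            start, end, perms, name = m.groups()
            regions.append((int(start, 16), int(end, 16), perms, name or "[anon]"))
    return regions

def dep_violations(regions):
    # Mappings that are both writable and executable: injected data could run as code.
    return [name for _, _, perms, name in regions if "w" in perms and "x" in perms]

def randomized(run_a, run_b):
    # Names present in both launches whose lowest base address differs.
    bases = []
    for regions in (run_a, run_b):
        lowest = {}
        for start, _, _, name in regions:
            lowest[name] = min(start, lowest.get(name, start))
        bases.append(lowest)
    a, b = bases
    return {n for n in a.keys() & b.keys() if a[n] != b[n]}
```

An empty result from `randomized` across several launches, or any entry from `dep_violations`, is the signal worth investigating on a device under evaluation.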
While improvements have been made, Google has much further to go. The commitment from handset OEMs like Samsung and HTC has helped raise the bar for Android, as these vendors are partnering effectively and integrating IT-friendly security mechanisms into their devices. However, additional precautions and considerations should be taken into account for mission-critical deployments in corporate environments; vendors such as Motorola Solutions recognize this and have raised the bar with their Assured Mobile Environment (AME) solution. The platform battle looks like it will continue for the foreseeable future (be sure to check out my next post on this topic).