If you really want to keep your company’s Android devices safe, third-party security apps shouldn’t be your focus.
Sound familiar? It should: A warning like that is issued practically every month — sometimes even more often. It’s enough to make you want to collect every Android device in a 12-mile radius and bury them all in a signal-free bunker. In actuality, though, it’s a highly misleading message with no real cause for alarm.
I’ve covered Android closely since the platform’s inception, and the subject of Android security is one of the most sensationalized and misunderstood areas of tech today. The reason is simple: Mobile security is big business, and plenty of companies stand to profit from creating and continually reinforcing irrational fear.
Well, enough’s enough. It’s time to break down the realities of Android security — and see why third-party security software is almost never the right answer.
Sorry to burst the bloodcurdling bubble, but most of those big, bad Android malware threats you hear about have practically zero chance of affecting any corporate device in America. You just have to seek out the often-unstated fine print to understand why.
The only answer, according to the folks at Check Point who publicized this thing, was to use an “advanced mobile threat detection and mitigation solution” — you know, kind of like the one Check Point just happens to sell to enterprise customers.
Verify Apps was available on every Android device with 2010’s Android 2.3 or higher — in other words, virtually all active Android devices. By the time Check Point’s publicity campaign began, Google had confirmed the system was already actively protecting users from any Quadrooter-related activity. (None of which, it’s worth noting, was ever actually observed in the real world).
The same sort of scenario pops up all the time with these scares. More often than not, reports of Android malware are little more than thinly veiled marketing campaigns for unnecessary software. For perspective, Google’s most recent Android Security Year in Review report found that as of the fourth quarter of 2016, only 0.05 percent of devices that download apps exclusively from the Play Store had encountered any sort of potentially harmful application.
Adrian Ludwig, director of Android security at Google, says when a breach like that is identified, the company typically takes such action within “a couple hours.” More frequently, he says, the process doesn’t even reach that point.
“Probably 80 or 90 percent of the apps that we take action on don’t receive any visibility — they’re either uploaded to Google Play and blocked before they get published, or we take action when they have extraordinarily small number of downloads,” Ludwig says.
Ask around. There’s a reason practically no one who’s knowledgeable about Android — Googlers, developers, even lowly tech journalists — uses or advocates these types of tools.
Malware on a mobile operating system is meaningfully different from malware on the desktop. When we think about infections like 2017’s Windows-based WannaCry, we think about nasty code that sneaks onto systems and gains access to everything within.
“Almost none of the malware we see on Android even makes an attempt — let alone succeeds — at going across those sandbox boundaries,” Ludwig says.
Traditional computer viruses can’t operate within those parameters, in fact. Malware on Android will never sneakily “install itself” as a result of a user visiting a website or opening an ill-advised message. It requires explicit installation — maybe via manipulation, but explicit nevertheless — and even then has access only to the specific permissions granted by the user.
If loading up on superfluous security software isn’t the answer, what is? First, it’s important to recognize the more realistic points of compromise on a mobile device and what you can do to address them.
According to the SANS Institute’s 2017 Endpoint Security Survey, browser-based attacks and social engineering pose the greatest risks to enterprise security today. That lines up with multiple recent reports from the Ponemon Institute that find negligent employees are the leading cause of business-oriented data breaches.
In other words, people — not technology — tend to be the weakest link. That’s certainly applicable on Android, where sound judgment and common sense are half the battle. After all, if you don’t download, install, and then grant permissions to something shady, it won’t just magically appear on your device.
If your company allows employees to bring their own devices, Ludwig suggests creating a tiered approach in which more trustworthy devices — those with current software and security updates — receive elevated access to corporate data, while higher risk devices get limited or no such access.
Obvious as they might seem, don’t forget security basics. Use a mobile device management (MDM) tool to maintain minimum security standards. Require employees to use device encryption, strong passwords or biometric protection (ideally along with two-factor authentication), and virtual private networks when appropriate. Restrict app downloads to the Play Store, and reinforce the importance of downloading only reputable-looking items with reasonable ratings and reviews (qualifications that didn’t appear to be met by the apps identified as WireX transmitters).
Slapping a second security app onto your Android devices may be the easiest way to feel protected, but it’s the smartphone equivalent of putting two alarm systems on your home instead of making sure your locks work and your kids know not to let strangers in the front door. Don’t let the misleading hype guide your security decisions — and don’t let your weakest link go unaddressed.
