First it was Mac versus PC: endless arguments about which platform was better, more secure, more cost-effective. Then Linux versus Windows, and now smartphones. In the age of mobile, nailed down answers on what’s best are often hard to come by, and users will argue the point endlessly. So what is right; what is the answer when it comes to most secure mobile device?
Let’s start with this fact: Android’s Open Source heritage and more than 60,000 different device models means that evaluating the security of Android requires you to also consider the device, the application ecosystem, and the Android operating system that you’re using. More than that, though, is the ability for IT managers and end users to achieve a higher level of security with Android by making choices regarding application stores, Android versions and smartphone vendors.
Pick the Right App Store
Android boasts many application stores, but the first step in mobile security is eschewing all that choice. Google has worked hard to create a safe application store, and statistics strongly support locking devices down to the Google Play Store. Google uses the term “Potentially Harmful Application” (PHA) to lump together different types of applications that have malicious intent: everything from stealing local files to sending spam to your contact lists to subscribing you to for-pay services billed directly by your wireless carrier. Applications are the main security vulnerability in any smartphone — the core operating system is no longer being exploited. For example, in the 2017 Zero Day Initiative Mobile Pwn2Own contest, the only successful zero-day Android exploits required specific applications and hardware.
Because applications are the main weakness for Android phones, Google is strongly focused on keeping PHAs out of the Google Play application store. In their 2017 Android Security Year in Review report, they offer a staggering statistic: “Android devices that only download apps from Google Play are 9 times less likely to get a PHA than devices that download apps from other sources.”
The Google Play application store offers another advantage: Google Play Protect, which scans Android devices, checking for security updates and looking for PHAs that might have been discovered after they were downloaded from the Google Play store. Play Protect also covers some applications downloaded from other application stores.
IT managers should focus on controlling the source of applications because applications are the primary vector for security problems in today’s smartphones.
Pick the Right Android Version
The pressure to improve Android security — not just patch it, but make fundamental improvements — is enormous in the Android world, and this means that IT managers should aggressively be updating to the newest versions of the operating system. For example, Android 8.0 (Oreo), released in 2017, included a re-architecture (“Project Treble“) of the interfaces between the Android OS and the underlying hardware to further isolate the software that smartphone and hardware vendors must write.
The hoped-for result is faster security updates and less “overprivileged” software that could be exploited to break security. Android 8.0 also redesigned the boot process (Android Verified Boot 2.0) and extended the secure cryptographic key store (among other security updates) to add further layers of security and a tightened set of permissions.
Many of the Android security updates in Oreo are there specifically to improve the speed at which security patches can be delivered. Because the core Android operating system and many of the system libraries are open-source, the rate of discovery of security bugs is higher than it would be with a closed-source operating system. This creates a requirement to patch the operating system quickly when problems are found, so changing the operating system to optimize the path for security updates closes the loop — but only if you’ve got the latest operating system.
IT managers should understand that keeping smartphones and tablets secure in an open-source world requires a high velocity of updates, similar to that for desktop and server operating systems such as Windows and Linux. Getting security updates installed and operating system versions upgraded is part of keeping personal devices secure.
IT administrators who have chosen Samsung also have E-FOTA – Enterprise Firmware-Over-The-Air – available to them, which gives full control of operating system updates.
Pick a Smartphone That Cares About Security
There’s no question that Google and the Android developer community is serious about security and are working together to push security best practices (such as work/home profiles) directly into the operating system and make them available to everyone.
At the same time, though, there are distinct differences between different smartphone vendors when it comes to a commitment to enterprise security. For example, the Samsung Knox team worked with Google (and the NSA) to get SE for Android’s Mandatory Access Controls into Knox first, before it was generally available in Android. The same is true for features such as application sandboxing — Samsung’s Knox Enabled Applications were around for years before the same feature set was ported into the base Android operating system. Security-focused smartphone vendors also have the option to offer hardware support for security — such as the real-time kernel protection (RKP) in mid-range and high-end Samsung smartphones — that goes beyond what’s available in Android current releases. Security patch frequency and timeliness, along with extended operating system support lifetimes, are other signs of a smartphone vendor with a strong security commitment.
A smartphone vendor with an enterprise security attitude will offer hardware and software options that better meet the needs of IT managers who don’t care about smartphone wars as much as they care about keeping their end users and devices — and the enterprise data they hold — secure.
Explore the benefits — from security to integration — of switching to Samsung for all your business needs.