by Bharat Mistry
Last week Google made an announcement which could have a major impact on the security of the much-maligned Android mobile app ecosystem. Hidden away in the second half of a blog post on user experience in the online Play store came confirmation that the web giant is now reviewing apps before they can be published there. For Android and security watchers who’ve long complained that the platform was way too easy to upload malware onto, this is a noteworthy occasion.
However, let’s not forget that Android is still a platform riddled with threats. And any IT security managers tasked with managing BYOD in the enterprise had better make sure they have a clear and effective mobile security strategy in place to minimise risk.
The right direction
Let’s not underestimate the impact Google’s announcement might have on Android security. Google Play product manager, Eunice Lam, claimed that the firm had actually begun reviewing apps before they’re published to the site several months ago. The decision was made to “better protect the community and improve the app catalogue”, she said.
“This new process involves a team of experts who are responsible for identifying violations of our developer policies earlier in the app lifecycle.”
It’s not clear exactly how much of the new app review process will be done by this crack team of experts and how much will rely on speedy automated software checks. But Google did claim that the process would still allow developers to get their apps to market in a matter of hours rather than days or weeks. One would assume, therefore, that the Mountain View giant is not trying to ape its fruit-flavoured rival in Cupertino – which famously boasts a lengthy and somewhat opaque approvals process.
Nevertheless, by paying more attention to what goes up on the Play store, Google is leading by example and making a genuinely proactive bid to improve security and quality on the platform.
However, that’s not the end of the security concerns for enterprise IT managers. First, it remains to be seen whether the new app review process, particularly one as quick as that described by Google, will be 100% accurate. Then there are the multiple third-party Android app stores out there where employees could download non-vetted apps. Both scenarios could see malware find its way inside an organisation – especially in an age where BYOD is increasingly the norm rather than the exception.
To support staff use of personal mobile devices at work – and all the productivity and business agility benefits this can bring – while minimising any associated security risks, make sure you have an effective mobile security strategy in place.
This should include at least the following:
- Enforce passcode device lock and remote data wipe policy
- Limit third-party software to official app stores and/or prescribed whitelists
- Carry out periodic mobile security audits
- Enforce a pre-determined device configuration, for example one which will not allow users to log on to unsecured networks.
- Make sure all users download industry-leading anti-malware software. Choose a product with device management functionality to give you single console visibility into usage for all staff mobiles.
- Don’t allow users to jailbreak/root their smartphones.