Android is like the web in 1994 — pure architecture just waiting for developers, entrepreneurs and users to decide what they want, what they'll pay for and what it will do. Marc Maifrett, a former black hat hacker who woke up at age 17 with an FBI agent pointing a gun to his head, and who now runs eEye Digital Security, says, "This is definitely the hacker fan favorite. It's seen more real-world attacks than any other."
Before Google bought it, Android was built to know where you are and what you like, putting the two together seamlessly. It suited Google's mission of putting local information at our fingertips perfectly, and there's already been eight major updates. (Apple names its OSes after big cats, Android names its after sweet treats; Ice Cream Sandwich is due some time soon.)
The twin pillars of threat facing Android users are the open-source architecture and the large amount of data gathered on the user, the latter not always consciously; many apps use location-based data and exchange a lot of information that you might not even be aware of.
Google has pulled bad apps from the Android Market, but the Android marketplace isn't like iTunes or the BlackBerry App Store. Although the default setting only lets you download from the official Android channel, it's easily disabled. Plus, even though the system will ask you to confirm that it can access certain functions, it's a little like the User Account Controls that plagued Windows Vista. After being asked ad nauseam if you really want to do this, most users are likely to glaze over and just agree to everything.
According to Clint Adams, director of technology and product engineering at US Mobility-as-a-Service provider Fiberlink, Android belongs on the bottom of the mobile security heap simply because it hasn't been built with security in mind. "Android is adding security capabilities at a snail's pace," he says. "The problem is it's heavily influenced by carriers more interested in making money in the consumer market than enhancing the enterprise posture of their devices."
Yet, ironically, the openness might also be Android's saving grace. As Maifrett adds, "Google's openness is making it more straightforward to develop new ways of compromising devices, but the same openness means third parties can build applications to secure Android devices in a way that really isn't possible on other platforms."
And because Android market share is climbing so fast, security vendors are taking it seriously and adding Android protection to their product offerings. There are also signs that Google is beefing up its security profile to entice enterprise to have a closer look. In early April it added some handy native security apps; one pinpoints the location of a lost device, calls and resets it remotely, and another gives app admins the ability to encrypt device data.
But after-market or add-on apps raise another point about security. As Brian Reed, chief marketing officer of mobile service management provider Boxtone, cautions, serious encryption and security policy should be part of the underlying code. "There's no way to add device-wide encryption and lockdown control that is loaded after the device boots up that can't be cracked," he says. "You can try to add third-party agents with encryption or management software, but for a non-encrypted mobile OS that has no native policy management capabilities, a smart hacker can still get around it. Don't let an after-market vendor fool you — policy management should be built into the OS."