Android makes enterprise inroads, but security still an issue
Aug 5, 2010 — by Eric Brown — from the LinuxDevices Archive
Android and Apple's iOS are making major inroads into the enterprise market, according to customer data from Good Technology. However, Android faces an uphill battle convincing enterprise customers it is sufficiently secure, even if some issues, such as the recent Android “wallpaper” scare, appear to be much ado about nothing, industry observers say.
Good Technology, which offers managed services for mobile devices, says both Android and Apple iOS platforms (the iPhone, iPad, and iPod Touch) are making substantial inroads among its enterprise customers. Apple iOS and Android devices have now penetrated 43 percent of all of its deployments, says the company.
In the first half of 2010, over 1,500 enterprises have deployed the company's "Good for Enterprise" software and service, which secures and manages consumer devices for enterprise customers while enabling secure access to business applications, Good Technology says. In addition, nearly one-fifth of its enterprise customers are using Good for Enterprise to secure and manage three or more device platforms, the company adds.
Despite Froyo enterprise gains, IT managers still leery of Android
Android may have shoved its foot in the door of an enterprise market dominated by RIM's BlackBerry and Windows Mobile phones, but Google and its handset vendor partners have their work cut out for them in pushing Android into the IT department and corporate suite, say two stories in our sister publication, eWEEK.
Security is the prime concern among corporate buyers, suggest the stories.
Google has responded to criticisms that it has not sufficiently policed Android Market by disabling several apps that were violating licensing agreements. More recently, Google introduced a new security tool for Android Market developers that is said to prevent the illegal use of paid Android applications.
Still, meeting the security needs of users and app developers is one thing, but satisfying enterprises is another.
To its credit, Google and the Android community reached out to the enterprise world with the recent Android 2.2 ("Froyo") release, which is now becoming available on phones including the HTC Droid Incredible, the Motorola Droid X, and as of the last few days, at least some of the original Motorola Droid handsets.
Froyo features appealing to enterprise IT and security managers include new policy management APIs, writes Clint Boulton in eWEEK. The APIs enable developers to write applications that can enable remote wipe, lock-screen timeouts, and other features for Microsoft Exchange on Android smartphones, he adds.
Specifically, there are now numeric PIN or alphanumeric password options to unlock a device, and Exchange administrators can now enforce password policy across devices, says the story. Exchange calendars are now supported in the Calendar application, and an auto-discovery feature is said to let users set up and sync an Exchange account with only their username and password.
Lack of encryption Froyo's "biggest failure"
Some analysts, such as Michael Gartenberg, partner at The Altimeter Group, have proclaimed that with Android 2.2, the Linux-based OS is finally acceptable for some businesses to deploy, the eWEEK story says.
Gartenberg was said to have praised the vastly improved security in the release, although he noted several key omissions. These include the lack of on-board encryption for removable media cards, the inability to apply remote tracking, and the lack of remote management of standard application load sets for mobile devices.
For all these reasons and more, Jack Gold, of J. Gold Associates, is not yet sold on Android as an enterprise platform, writes Boulton. "The biggest failure of Froyo is the lack of on-board data encryption to secure device-resident data," Gold was said to have written in a recent research note. Gold added, "We therefore believe that Android poses a significantly greater risk to enterprises than the other major mobile OSes."
Earlier this week, Wayne Rash added his own skeptical take on Android's enterprise effectiveness in eWEEK, reporting that IT managers he surveyed are still skeptical about Android security. In addition to questions about Android Market security, enterprise users have other stringent requirements that Android does not yet meet, writes Rash.
Block that camera!
While Android 2.2 supports Microsoft Exchange and ActiveSync, it does not support all of the restrictions that ActiveSync is able to impose, writes Rash. Android's ActiveSync implementation may let users enter a password or PIN to use the device, and perform a remote wipe, but it won't let ActiveSync turn off features like the camera or Bluetooth, he adds.
Some corporations are particularly sensitive to employees photographing documents and other intellectual property, writes Rash. Security managers are said to appreciate the fact that RIM sells versions of its BlackBerry without cameras.
Other IT managers are uncomfortable with Google's Gmail (a regular component of Android phones), which uses cloud-based storage, says the story. Meanwhile, both enterprises and privacy advocates have raised concerns about Google using user data, even if the company claims it's only for aggregate profiles.
One related practical issue raised by Rash is that to sync Outlook or Lotus Notes contacts and other information between an Android phone and a computer, users first have to sync with Google's cloud services.
According to many of the enterprise security managers interviewed by Rash, Google has not responded quickly enough to their concerns about the security flaws of Android and Google's cloud storage requirements.
In part, Rash concedes, this is an inherent problem when an open source operating system meets the more security-conscious world of the enterprise.
Still, Google is missing out on an opportunity, writes Rash. "Google is effectively kissing the enterprise goodbye," he concludes.
Wallpaper app scare said to be non-issue
While Android is clearly lacking in some security features found on platforms such as RIM's BlackBerry OS and Windows Mobile, several issues about Android security that have arisen in recent months have been blown out of proportion.
Most recently, for example, ComputerWorld's JR Raphael reported that Google has stated that the story about "data-mining" Android wallpaper apps was in fact much ado about nothing. After blocking access to the wallpaper apps from China-based Jackeey Wallpaper during an in-house investigation, Google has lifted the ban, stating that the apps are safe, says the story.
The wallpaper apps story came to light when representatives of mobile security firm Lookout discussed them during a presentation at the BlackHat Security Conference last week in Las Vegas. Lookout, which markets an app-scanning utility for Android phones, said the programs were "gathering seemingly unnecessary data" from users' devices, writes Raphael.
Tech blog VentureBeat then published a report misstating Lookout's findings, suggesting that the apps were "stealing" browser history, text messages, and passwords for nefarious means. The story quickly escalated around the web from there, with headlines proclaiming that some one million Android users had been compromised by the "malicious app," says the story.
As it turns out, Jackeey Wallpaper was accessing users' phone numbers, subscriber ID numbers, and voicemail numbers in order to identify devices and track users' preferences, Google concluded. While this is a bit excessive, it is not atypical of modern practices, suggests the story.
Raphael interviews several developers, as well as Lookout's CEO, John Hering, who agreed that the app was far from being malicious. Hering had apparently mentioned the app in the first place to make a point that many app developers collect more user data than they need.
Availability
More information on "Good for Enterprise — Android" may be found at Good Technology's site, here.
The eWEEK story by Clint Boulton on Android's profile in the enterprise world may be found here, and the related Wayne Rash story may be found here.
The original ComputerWorld story by JR Raphael questioning the validity of the Android wallpaper security scare should be here, and the follow-up on Google lifting the ban on the apps may be found here.
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.