Android's security is broken. Here's how it could be strengthened.
If you are an Android user, you've noticed that when you install an app you are presented with a list of permissions. The idea is that you can decide whether you trust the app to have these permissions. In fact, these screens are like Terms of Service agreements for software: They're important, but everybody just clicks OK and puts them out of mind.
Android asks too much of its users in terms of security. (Apple's iOS, on the other hand, asks too little, but that's another story.) Even if you think users should pay attention rather than just blindly clicking, Android permissions are too complicated. The end result is that a malicious app could request excessive permissions, and very few users would notice.
The best solutions for situations such as these is a controversial topic, but I've long been a fan of whitelisting, under which users would be able to install only apps that are on a special pre-cleared list. Apple already does this with its App Store. Theoretically, there are problems with it, but in the real world it has proven to be a powerful technique. I think it's fair to say that if you install arbitrary apps from the App Store, you might get ripped off, but you aren't going to get "exploited" in the computer security sense.
There's at least one way for Android to implement this now. 3LM provides Android security and management solutions that fill in the many gaps in Google's implementations (Read about some here.). 3LM's big news, announced at RSA and Mobile World Congress, is its partnership with NQ Mobile to provide user-facing anti-malware protection. NQ Mobile is big in the Android anti-malware business, but primarily in Asia, where Android app stores other than the Google Android Market are popular.
Much more interesting from my point of view is the way 3LM extends the Android security system to give IT or a carrier better control. The company's software adds security hooks that protect APIs so that only whitelisted apps can use them. Alternatively, you can blacklist specific developer signatures and/or applications. They need to partner with OEMs to do this, though, because Android is at least secure enough not to permit end-user installation of software allowing this sort of capability.
The same security extensions allow 3LM to make Android anti-malware more powerful; under a stock Android installation, anti-malware is so unprivileged that it can do little more than alert the user that it's too late--they've already been compromised. 3LM allows such attacks to be prevented.
Personally, if I were managing an IT department that allowed Android phones, I'd want this capability, and I'd be strict with it: You want to install an app on a company phone? We have to approve it first. If it's not approved, you'll have to wait.
Some argue that this is a losing battle and the defensive lines need to be drawn further back, at the permission or API level. Either way, the 3LM approach has you covered. Just don't settle for out-of-the-box Android security.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.