What has Android been announcing?
It’s no secret that Android devices have had some issues with malware and that, unfortunately, it seems to get worse each year. As a result, Android has been making some additional effort to combat malware and malicious activity.
One service, Verify Apps, was aimed at protecting users from installing what they call “Potentially Harmful Applications”, or PHAs. This service was on the lookout for things like application backdoors, billing fraud, spyware, hostile downloads, and trojan apps. When detected, it would alert the user that a PHA had been detected and prompt them to remove it. In extremely severe cases, Android would remove the PHA automatically. These are all good capabilities, except that the feature was buried in the Android suite and hard for users to find (and turn on).
Android took another step forward this week, announcing a new service called Google Play Protect, which seems to be an extension and/or rebranding of Verify Apps. Google Play Protect will automatically run and update, so they’ve eliminated the issue of users simply not toggling it on. The aim of Google Play Protect is, once again, to alert users to PHAs, and Google advertises that it will be scanning over 50 billion apps per day and using machine learning to do so.
The Google Play Protect announcement also put some focus on apps undergoing extreme security testing before appearing in the Google Play Store, and on the fact that apps and developers who violate Google Play Store policies can be suspended or banned. This seems like just a repetition of their existing policy, perhaps meant to mitigate the fact that there have been some high-profile cases where apps with malware did infiltrate the official Google Play Store.
Though the Google Play Protect announcement had the most visibility, there have been other security developments within the Android world recently as well. Project Treble, as an example, aims to fix some of the major gaps in the manufacturing supply chain. Essentially, when Android released new (and therefore, more secure) software, it was painstakingly difficult for manufacturers to update existing devices. It typically required direct interaction with the chip makers (like Qualcomm) who had to make hardware-specific code modifications, too. Project Treble’s aim is to provide a more stable framework, such that Google can push Android updates out without requiring direct interaction from chip makers.
Yet another announcement is that the Google Play developer console now makes it easy to stipulate if an application can run on a rooted Android device or not. The move seems tied to corporations trying to protect content by adopting Google’s Widevine DRM protection, and Netflix is the most recent corporation to restrict their app from being installed on rooted devices.
Does any of this actually help enterprises?
Any time Android decides to take steps towards a more secure mobile device, that is a good thing, without question. The problem for enterprises is that, unfortunately, there are still significant gaps in what needs to be done to truly protect their end users’ data, privacy, and devices. Let’s go back through each of these announcements and do a quick analysis from the perspective of the enterprise.
For Google Play Protect (and/or Verify Apps), there are a few issues that should still give enterprises pause. For starters, users can still turn this feature off if they choose to. If the feature is off, then that user is back to being completely unprotected. Note that Skycure supports this feature with a Google Play Protect detection and policy for enterprise enforcement. Even with the feature on, Google specified that users could initiate a scan any time they wanted to. This implies that protection is not 24×7 always-on, but instead is being performed in intervals, potentially leaving windows of opportunity open for malware and attackers.
Also, the new Google Play Protect is primarily an Android O feature (currently in beta), although it was recently released for Android 7 devices. Yet Android devices are notorious for not having the most recent firmware versions installed. Basically, Google Play Protect doesn’t help any end user running previous versions. And, as an example, out of 2+ billion Android devices, only about 20% of them were running Android 7 Nougat more than 9 months after its release! Android seems to realize this is an issue, and they’re taking some steps to try and solve it with Project Treble, but that’s not a silver bullet, either.
The problem is that Project Treble is tackling one phase (the chip maker) of the supply chain, which means the other phases like the device makers, end users, and carriers, aren’t getting any attention. So, while the chip makers will have an easier time updating some of the hardware, it won’t necessarily make it any easier for an enterprise’s end users to upgrade their devices faster.
As for apps restricting downloads from the official Google Play Store on rooted devices, this could actually have a negative impact on enterprises. Someone who has a rooted Android device has the technical know-how to install their own APK files, which means their response will be to seek out Netflix (and other apps that enact the restriction) from alternate sources which are potentially insecure or compromised. Combine the installation of APKs from 3rd party app stores with users who may have outdated firmware and you’ve got the perfect recipe for malware to thrive.
Another point which might have been overlooked is that the focus of these announcements has been on malicious apps and out-of-date firmware. This, unfortunately, leaves two major mobile threat vectors completely untouched: malicious networks and configuration vulnerabilities.
Yes, Android is taking some important steps to bolster their mobile security apparatus. Unfortunately, there are still a lot of other issues that require fixing, and a lot of ways for enterprise end users to circumvent (either accidentally or intentionally) some of these new features. Even with these announcements, the best way to keep Android devices safe is still through a trusted Mobile Threat Defense solution. These solutions are crucial for enterprises because (unlike what Google announced) they:
- Run 24×7 (with minimal performance or battery impact), which means there aren’t open windows for attackers.
- Monitor and protect against all major mobile threat vectors (malware, malicious networks, configuration and OS vulnerabilities).
- Use crowd-sourced intelligence to alert users to firmware updates which they can initiate right away.
- Can take automatic mitigation actions based on specific policies that IT defines.
- Integrate directly with existing EMM and MDM solutions.
A comprehensive Mobile Threat Defense solution is still, by far, the best way to fully protect an enterprise’s end users, their privacy, and their data. And while mobile vendors are making some good adjustments, enterprises don’t have the luxury to sit back and wait for them to make all the security enhancements that are required to keep end users safe.