Tuesday, September 25, 2012

BYOD and Android: Are You Vulnerable?

In the BYOD environment, Android-powered devices are a boon to both employees and organizations. With a seemingly endless array of apps designed to increase productivity, plus a high level of functionality, Android devices in theory give everyone what they need.
For all of the benefits of using Droids for work, there is one major drawback: increased threats to security. Thanks to malicious attacks from cybercriminals using malware, organizations that allow BYOD on Android phones are subject to having their data compromised. This is the result of the lax security protocols on Android apps.

Unauthorized Apps

These days, there’s an app for almost anything – including wiping out your employer’s entire network or exposing sensitive company data to criminals, albeit inadvertently. When employees are allowed to use their own personal devices for work, they don’t hesitate to add apps; after all, it’s their phone or tablet and they can do what they want with it after hours.

The problem is that the addictive new game you downloaded from the web could, in fact, be malware that will compromise the security of your employer’s data. Chances are that when you purchase an app from an online store like Google or iTunes, it’s legitimate, but when you go outside of the traditional stores, you’re playing with fire. That QR code that you scan for a fancy new app could be hiding something far more sinister, and you probably won’t know until it’s too late.
According to a recent study, the most common type of malware on Android devices is fake apps, followed by data stealers. Other common types of malware that attack Android devices are adware and malicious downloaders, as well as RAT/Rooters and premium service abusers. In general, the malware that attacks mobile devices uses Trojans and worms that spread easily, and may perform tasks such as logging dialed numbers and e-mails sent, recording calls, sending SMS messages to everyone in the contact list and stealing financial information, among others. Clearly, these breaches are dangerous for any organization.
In general, the Android app marketplace is far more likely to contain malware or other problematic apps than Apple or Blackberry. Until recently, there was little to no policing of Android apps, meaning that anyone could develop an app to do just about anything and sell it without approval. Apple and Blackberry, on the other hand, have strict controls in place, and the apps sold for those devices have generally been vetted to ensure security. Android has made strides in the area of policing apps, but experts still estimate that as many as one in twenty Android users is affected by some type of app-based malware.


What Organizations Can Do

Because Android apps tend to be more dangerous than others, one solution to protect your BYOD environment is to allow the use of iPhone or Blackberry devices only. However, that may not be a practical solution, as employees may prefer their Android devices and could be unwilling to change.
The impracticality of limiting BYOD to certain devices is why Trend Micro and other security experts recommend that organizations develop strict and detailed policies regarding BYOD. Employees using their own devices must cede some control to their organization’s IT department if they wish to store or access company data on their device. Savvy IT managers will install malware detectors and additional security controls on personal devices to ensure that there is no loss of data in the event of a breach. For example, if the employee loses his or her device, IT needs the ability to lock or wipe the device remotely to prevent data loss if it falls into the wrong hands.
BYOD has plenty of benefits for both employees and organizations alike, but without proper management, BYOD can also spell disaster. Whether your organization is specifically targeted by criminals, or you are simply a victim of a broad-based attack, the results are the same: the loss of time, money and in some cases, competitive advantage and reputation. Tightly controlling the types of devices that can access your network and data, and insisting on sophisticated security measures is the only way to keep your company safe and secure in this new environment.

About the Author: Kelly Tuttle is a certified internet security professional and freelance consultant from Vancouver. He works with organizations of all sizes to develop BYOD security plans.

1 comment:

  1. As a business owner in addition to an Android owner, this article was a great resource for me. Answered several questions I had.