With the growing popularity of Android, IT administrators are facing demands to support smartphones from employees that use the open source mobile operating system. But while security of Google Android is improving, IT pros say it hasn't quite caught up to the more mature platforms.
"Android still needs to make some improvements in its security model," says Randy Nunez, mobile computing lead at Ford Motor Co., which supports employee use of iPhone, BlackBerry, Symbian and Windows Mobile, but does not currently support Android. "Windows Mobile and BlackBerry had a head start and they have some very mature products in the space."
The iPhone as well has become an accepted enterprise device, even though it was initially aimed at consumers.
Android is "following a parallel path with the iPhone," Nunez says. "With the iPhone 2.0, once they released support for Exchange ActiveSync and the passcode and security policies, it made it more difficult to say no," Nunez says. "And Android, with their 2.2 release, is following in the iPhone's footsteps in that way."
David Glenn, director of enterprise operations for Del Monte Foods, a San Francisco-based food production and distribution company, says smartphones need to provide at least three key security features in order for his company to support it. The phone must force users to type a password in order to bring it up from an idle state; IT must be able to remotely wipe data from the phone; and data on the phone must be encrypted.
"It has to meet those requirements or we cannot roll it out," Glenn says.
Del Monte Foods has approved employee use of a limited number of Android phones. Glenn himself uses a Motorola Droid X.
"We do support the Droid X and we're looking at the Droid 2 right now," Glenn says.
As Nunez mentioned, the 2.2 version of the Android operating system has bolstered security. Motorola has even launched an Android phone aimed at the BlackBerry market, called the Droid Pro, with security features including the ability to remotely wipe data from the phone and the MicroSD card. (Play the Google Android quiz.)
Google's Android now supports numerous features in Microsoft's Exchange ActiveSync, including SSL encrypted transmission and remote wipe.
"Android 2.2 provides a number of enhanced Exchange features, like the addition of the numeric pin password options, remote wipe capabilities, things like that which make it more palatable for enterprises to adopt," Nunez says.
Although software-level encryption in Android 2.2 is an improvement, Android still does not support hardware-based encryption, according to Kaspersky Lab virus researcher Tim Armstrong.
With software-level encryption, it's easier for a hacker to take data off a Micro SD card, whereas with hardware-level encryption the data on the removable storage card is "really locked to a chip on the electronics within the phone," according to Armstrong.
Software encryption is "less of a roadblock, basically," he says. There's been talk of adding hardware encryption in Android 3.0, but for now that's "all speculation," Armstrong says.
Android app concerns
The Android Market may also open up security holes, Armstrong says. Whereas Apple reviews the code of apps before they go on the iPhone App Store, Google does not, he says. Further complicating matters is that Android lacks the kind of back-end administrator-level policy enforcement that would let IT shops block installation of certain types of applications.
"You can't really lock the phone down like you can with iPhone and BlackBerry," Armstrong says.
Locking phones down is important because "data leakage is a big challenge," Nunez says. "These phones are very easy to lose. If we don't have a way of securing the data there is a chance for misuse of the data."
The reality IT shops face is that users who own Android phones may attempt to hook them up to Exchange so they can access work e-mail, even if the IT department doesn't technically support the phone.
If an IT department sets strict security policies, Android owners who try to hook their phones up to the company's Exchange server may receive an error message saying the server requires security features the phone does not support.
However, there are third-party e-mail applications that convert Outlook Web Access into a standard-looking smartphone e-mail interface. This means Android users can get push e-mail, store e-mail messages on their phones, and get new e-mail without having to type in a password each time, even if their IT departments don't support Android.
This type of activity is more worrisome to IT than a user accessing Outlook Web Access on a phone's Web browser, because the browser doesn't store e-mails and it forces the users to type in a password each time they navigate to the site.
Businesses are, however, increasingly spending money on Android phones, in addition to BlackBerries and iPhones. A ChangeWave survey of 1,600 corporate IT buyers found that 16 per cent are providing Android to users, up from three per cent last November.
While BlackBerries are typically issued to employees by IT departments, the advent of the iPhone and Android has consumers demanding to use their personal smartphones at work. Ideally, Nunez says IT departments should be able to enforce separation of personal and business data. But that probably won't be a deal-breaker when it comes to deciding which phones are approved for corporate use. "The separation of personal data and business data is ideal," Nunez says. "But as long as the enterprise IT department can manage the device and secure the corporate data and wipe the device, it can go a long way toward enterprises adopting personal devices for corporate use."
Follow Jon Brodkin on Twitter: www.twitter.com/jbrodkin
Read more about anti-malware in Network World's Anti-malware section.