Why Android devices are a security nightmare for companies


February 06 2014 | Published by Graham Cluley

Fiery arguments between the rival camps of Android and Apple iPhone lovers about the merits of their respective devices aren't likely to be extinguished any time soon, but there's one thing that's clear: Android is a lot less safe than iOS.

Why do I say that? Well, not only because new money-making malware is being written and distributed by criminal gangs every day for Android devices (some of which gets into the official Google Play store), but also because Apple has been much more successful at keeping its customers updated with the latest security patches and OS updates.

New statistics reveal that the latest KitKat version of the Android operating system is installed on less than 2% of all active devices.


Yes, a mere 1.8% of all Android phones and tablets are running KitKat 4.4, despite it being released four whole months ago.

Compare that to iOS 7 (released in September), which already has an impressive 80% usage.

Some Android devices are only now receiving an update to the previous incarnation of the Android OS - Jelly Bean 4.3 - with no clear timetable for when they'll be able to benefit from KitKat.

Astonishingly, some 20% of devices are still running creaky old Gingerbread - a version of the Android OS not updated since September 2011.

It's clear that Android devices simply aren't being kept up to date with fixes, enhancements and OS updates anything like as well as iPhones and iPads, and that's a potential opportunity for cybercriminals and bad news for businesses.

That's because there's little that your company can do about it if your users insist on bringing their Android devices into work and accessing work data, emails and your network via them.

Even if you *want* to upgrade the OS on your staff's Android devices you might not be able to, because no Android update is going to be available for those devices without the assistance and goodwill of the manufacturer and mobile phone carrier.

And it's not as if your company is going to be comfortable with users rooting their devices and installing a home-brewed version of Android OS they downloaded from some unofficial website...

You have to suspect that some Android manufacturers and carriers have no interest in actually pushing out new legitimate versions of the operating system, preferring their customers to buy new devices instead.

All of these headaches come against a growing backdrop of Android malware, including many instances of the Google Play store being infiltrated by criminals spreading malware, adware and other dodgy apps.

To reduce the risks, mobile devices in the workplace have to be carefully managed, and policies enforced. If a device isn't compliant, or puts your data at risk, then you have to consider whether you want it going anywhere near the data on your network.

And, with the current state of Android OS fragmentation, it's easy to understand why some companies consider Android a real security nightmare.

What do you think? Do you think Androids are better than iPhones in the enterprise? Or are both types of device as bad as each other? Leave a comment below and let us know your thoughts.



