Locking Down Android

By Brian Albright, Field Technologies

The enterprise is ready for Android-based devices, but is the OS secure enough?

While Windows CE and Windows Embedded Handheld hold the lion’s share of the rugged enterprise mobile computing market, Android is making inroads. A number of vendors now offer rugged Android tablets and phones, and even consumer-grade Android smartphones have been deployed for field sales and service applications.

But is Android ready for the enterprise, especially when it comes to security? According to the companies that Field Technologies contacted for this feature, the answer is yes. “With broad recognition that legacy embedded Windows [operating systems] were approaching their end of life, our Android sales volume grew more than 400 percent between 2013-2014, and it shows no sign of slowing down,” says Michael Petersen, director of enterprise mobile computing global product marketing at Zebra Technologies. “By the end of this year, Zebra expects roughly half of our rugged knowledge-worker products to be sold with an Android operating system, and a large percentage of our traditional line-worker products will also be on Android.”

As the OS has improved, enterprise users have matured in their thinking and acknowledgement that Android can be enterprise-ready with the support of specific extensions for improved security, scanning, and Wi-Fi performance. That advancement has been helped as Android’s share of the smartphone market topped 80 percent. The input of millions of end users has helped improve the platform, while the development of new enterprise applications has opened up new markets.

“There is both scale and collaborative development, and as a result, Android has become a very good user-focused operating system,” Petersen says.

So far, Android adoption has skewed toward products serving applications that don’t require a keyboard, and perform better using all-touch devices. Field sales deployments typically rely on smartphones, while skill-specific applications, like field service or home healthcare, gravitate toward tablets.

There is also an emerging class of “inbetween” devices that split the difference between portability and screen size. “Some use cases don’t demand a large 10-inch tablet, but a smartphone may not have a screen for training videos,” says Marco Nielsen, vice president of managed mobility services at Stratix. “The ‘phablet’ form factor is still fairly portable and can bridge both formats for some business requirements. I would recommend looking at all sizes to understand what form factor is best for your needs, including more rugged variants now also on the market.”

Android Security Matures To Enterprise-Grade
Early versions of Android were not as feature-rich when it came to security. Over the past several years, however, the platform has matured into a solution that can support enterprise-level applications and security requirements.

“Android is newer than Windows and incorporated security capabilities early in its development,” says Bob Ashenbrenner, vertical solutions architect at Xplore Technologies. “Android is also an open operating system. In the context of security, it means many more people have looked at the capabilities and contributed to address those vulnerabilities. The biggest vulnerability is with apps, but the Google Play Store does a very good job of screening for potential issues. Android apps run in a secure sandbox, so the app has little access to the device’s data. In Android 4.4, Google added SELinux (Security Enhanced Linux) controls. This provides an additional layer control for processes and applications.”

According to Petersen, the new Android Lollipop release is more secure compared to Windows or Apple iOS, and without the intrusive data-sharing limitations that consumer-grade iOS deployments encounter. “Without question it has improved, and Android L (Lollipop) represents a firm commitment by Google to support enterprise customers,” Petersen says. “One specific example is Android for Work (AFW), which represents a significant step forward for Android unification and improving Android enterprise readiness.”

AFW uses a containerization system to keep business apps in a separately managed and secured workspace. Specific device manufacturers have also developed enhanced security features like Samsung’s Approved for Enterprise (SAFE) and KNOX solutions.

“While we are seeing Android security concerns diminish in our general customer base, our security team continues to innovate and implement the highest levels of security for all our customers, including the government and other regulated industries,” says Nick Rea, vice president of technical presales at Samsung Electronics America. “With the investment in security for Android from both Google and select OEMs, we continue to see these concerns decrease for the average enterprise customer.”

Android Fragmentation Doesn’t Affect Security
Despite the security improvements, not every Android device runs with default encryption. And in some cases, turning on the encryption can bog down the performance of a tablet or phone. OS fragmentation has been an ongoing problem with Android, but Ashenbrenner says that Google has mitigated most of those issues, and that the variation among manufacturers doesn’t pose a security risk.

“The Android fragmentation issue has been misunderstood to a significant degree,” Ashenbrenner says. “A few year ago, Google realized that they had to address the issue, so they moved the key parts of the application APIs and the security bits to Google Play Services. This ‘app’ is really the core of the OS, and Google Play Services is automatically updated. So whether the Android version is 4.1, 4.4, 5.0, or soon 5.1, the underlying OS capabilities are the same. So while the GUI is different between Android versions, the security level is up-to-date.”

Because of that, Rea says end users should feel comfortable deploying an Android device from just about any manufacturer. “For customers who place a high priority on security, some OEMs stand out among the crowd, and OEM standardization is a consideration in those cases,” Rea says. “That said, truly enterprisefocused OEMs will place a higher priority on continuing to advance ahead of security risks by responding to threats quickly. In regards to rugged devices, security is no different in this category, as the core hardware elements that are a part of the security stack on nonrugged devices are still present.”

Even though rugged devices do tend to have slower release patterns than consumer-grade devices, Android Lollipop will likely make it easier to keep these devices updated moving forward. Other improvements have helped reduce the security risks previously associated with Android. There are now more constraints placed on apps entering the Google Play Store, for example, and features like dm-verity (which ensures OS integrity at boot time) and Security Enhancements (SE) for Android (which provides a secure environment at run time) have further secured the platform.

When selecting Android devices for enterprise deployments, users should look for devices that are able to isolate traffic to specific apps or groups of apps to improve VPN performance. OEMs should also be able to securely deploy the devices in large quantities over multiple geographies.

“Additionally, third-party app providers have the option to integrate their solutions with hardwarebacked security mechanisms (like those found in Samsung KNOX), which helps mitigate mobile deployment risk,” Rea says. “ Overall, Android’s flexibility will allow it to thrive in a security-conscious ecosystem by providing the tools and support for both developers and customers. This will enable the creation of a unique experience for enterprise customers and their employees without sacrificing security.”

Evaluate Android For Today (And The Future)
There are still a few drawbacks to Android. Most notably, users who have already invested in Windowsbased applications will incur switching costs if they change platforms. However, the platform’s flexibility and the new generation of applications built for Android could mitigate those costs, particularly since Microsoft’s shifting mobility strategy will also require some reinvestment on the part of its end users.

“I would suggest looking at the new features in Lollipop (and perhaps what the Android M road map will entail), what Android for Work brings to the table, the MDM (mobile device management) and MAM (mobile application management) integrations, and even OEM layers on top of that (like Samsung KNOX),” Nielsen says. “Then you can make the right decisions, directions, and business activities. [Android is] a larger ecosystem, a tad more complex, but running the majority of mobile devices on the planet today.”

There is still one major security risk (not exclusive to Android, actually), and that’s using third-party websites to download apps and ignoring Android’s security warnings during installation. “While Android can be configured to allow this, why would you?” Ashenbrenner says. “Enterprises can require the use of only specific apps from the Google Play Store; using these delivers a high level of security. As an analogy, in your home you could choose to let strangers come in to stay and give them keys and the security code. They may do nothing harmful, but most of us would agree this is an unacceptable risk to take. Same with apps from third-party sources — don’t install them.”

Android for the enterprise is still in its nascent stages, but phone and tablet manufacturers — even those with a long history of supporting Windows — clearly see the potential of the OS for line-of-business deployments in the enterprise. According to Petersen, companies should also evaluate Android in the context of future application and workforce needs.

“Security should always be a primary consideration for any IT decision maker,” Petersen says. “And while no OS is perfectly secure, Android is absolutely ready for the enterprise. But just like making any business decision, decision makers also need to look forward and see what will enable their business to drive growth. Younger workers join the workforce every day, and they can help businesses prosper if they are working on a modern device that they are inherently familiar with and that offers the latest features, performance, and user experience.”