The Android Community Responds to Security Challenges

Carl Weinschenk

Android seems to be constantly in the process of discovering and defining itself. That's part and parcel both of the specifics of how open source works and, more generally, of the fact that a massive deployment of an operating system based on that approach to intellectual property is unprecedented and sure to raise many issues.


That's a long-winded way of saying that Android is a thrill a minute. Earlier this week, I posted on the conflicting views on Android fragmentation, which is the tweaking of Android by different vendors to such an extent that it becomes a non-interoperable platform that is, for all intents and purposes, a set of related but different OSes.


The subject of today's installment of As the Android Turns is security. The openness of the Android platform creates challenges at multiple levels, including in the OS itself and in the Android Market. This week, Google revealed a service it uses called Bouncer. According to Android Vice President of Engineering Hiroshi Lockheimer, it has been in place for a while. The cyber proctor seems to be ubiquitous:


Here's how it works: once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google's cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior. We also analyze new developer accounts to help prevent malicious and repeat-offending developers from coming back.


Bouncer bounces into a very competitive world, and the Reuters story on the announcement does a fair job of juxtaposing Android and its major competitor, Apple's iOS:


Bouncer marks a new direction for Google, which until now has trumpeted its laissez-faire approach to managing the apps market - as opposed to Apple Inc, which famously subjects apps to a rigorous evaluation process before they can be downloaded.



The freedom of the Android market - and developers' preference for its openness - has helped boost the platform's swift growth and sharpen its competition with Apple's iOS mobile platform. In December, less than three years after it was launched, Android Market reached 10 billion total downloads.


That's not all the news there is on the Android security front. Last month, the National Security Agency released SE Android. The release is a product of the SELinux Project. The government wants to feel safe in its use of Android. The story at The H put it succinctly:


SEAndroid is the name of both a project to identify, and find solutions for, critical gaps in Android security and of a reference implementation of a security enhanced Android. The project is currently focusing its efforts on enabling SELinux functionality in the hope that it can limit the damage done by malicious apps, but hopes to widen its scope in the future.


In other words, the government feels that there is a lot of work to do before Android is ready for top security primetime. Military & Aerospace Electronics makes the same point in relation to Android's battlefield use. To be fair, an off-the-shelf version of iOS or Windows Phone or any other mobile operating system wouldn't pass muster for such uses either. The sense is, however, that Android is further away from being ready.

Android is fascinating at every level. How its proponents deal with security issues is a particularly interesting, and perhaps pivotal, topic that enterprise managers should closely track.
