People love the Android platform for the choice and versatility it offers, from diverse form factors—smartphones, tablets, “phablets” anyone?—to a broad ecosystem of apps and tools. But if you’re not careful, the Android devices people bring to work can also leave your organization exposed to serious threats. Do you know the top Android security gaps—and how to secure these mobile devices and BYOD?

It’s important to understand that it’s not always up to IT to decide whether to allow these devices into the enterprise environment; in most cases, they’re already present. That makes it even more crucial to understand their security implications and put a mobility strategy in place. Here’s what you need to know about the Linux-based Android mobile OS:

  • Android is open to rooting and unlocking. As an open platform, Android makes it fairly simple for people to become root, or to modify the bootloader to allow alternate versions of the OS and apps to be installed. This can open the door to all kinds of malicious software on the device—which means you can never assume that an Android device as a whole is “clean.”
  • Any file shared between apps is world-readable. The Android permissions model allows two options: readable by a specific app, or world-readable. Before you expand a file’s readability beyond a single app, think carefully about all the other apps that might be on that device.
  • Upgrades aren’t always timely. It can take time for the latest version of Android to become available for a particular device. In the meantime, known security issues may still persist. Don’t ever assume the platform itself will provide adequate security—it’s essential to go beyond with your own enterprise security tools and strategies.
  • Active content can open gaps. Malware can take advantage of Android’s support for Flash, Java, JavaScript and HTML5 to sneak onto the device. Make sure your security solutions are configured to protect against active-content attacks.
  • Hackers love Android. Mobile malware writers flock to the open platform, rogue app stores and rooted devices that characterize the Android world. It’s especially important to harden Android devices and stay on top of your anti-malware tools to keep them at bay.
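
The file-sharing point in the list above can be checked on a copy of an app's data directory. The following is an added example, not code from the original post or from Citrix: it lists files whose Unix mode bits let other UIDs read or write them, and whether every directory on the path is traversable by those UIDs. It models plain mode bits only (no SELinux policy); the directory layout and file names are constructed, and the function names are chosen for this example.

```python
import os
import stat
import tempfile

def others_can_reach(root, dirpath):
    """True if every directory from root down to dirpath grants other
    UIDs search (execute) permission, so a file inside can be opened."""
    probe = dirpath
    while True:
        if not os.stat(probe).st_mode & stat.S_IXOTH:
            return False
        if os.path.samefile(probe, root):
            return True
        probe = os.path.dirname(probe)

def audit_tree(root):
    """List (relative path, octal mode, reachable) for each regular file
    whose mode lets users other than the owner/group read or write it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        reachable = others_can_reach(root, dirpath)
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_IROTH | stat.S_IWOTH):
                rel = os.path.relpath(path, root)
                findings.append((rel, oct(stat.S_IMODE(mode)), reachable))
    return sorted(findings)

def build_sample(root):
    """Constructed layout standing in for a pulled app data directory."""
    layout = {  # directory -> (dir mode, {file: file mode})
        "files": (0o755, {"export.csv": 0o644, "notes.db": 0o600}),
        "shared_prefs": (0o700, {"settings.xml": 0o664}),
        "cache": (0o755, {"upload.tmp": 0o666}),
    }
    os.chmod(root, 0o751)
    for dname, (dmode, files) in layout.items():
        dpath = os.path.join(root, dname)
        os.mkdir(dpath)
        for fname, fmode in files.items():
            fpath = os.path.join(dpath, fname)
            with open(fpath, "w") as fh:
                fh.write("constructed sample data\n")
            os.chmod(fpath, fmode)
        os.chmod(dpath, dmode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, mode, reachable in audit_tree(tmp):
            print(f"{mode} {rel} reachable_by_other_uids={reachable}")
```

Because each Android app runs under its own UID, the "other" permission bits are the ones that apply to a second app on the same device.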

Fortunately, there are many ways to strengthen the security of the Android devices used in your environment. The platform’s architecture can be configured for strong enough security to satisfy the U.S. Department of Defense, and the Security Enhanced (SE) Android model brings SELinux to the Android kernel. Samsung, the top Android device company, also offers SAFE and KNOX security technologies. As a rule, you should also complement any device-level security with measures like mobile application management (MAM) and secure access control to secure the apps and data used on mobile devices.

Here’s a quick highlight of the security implications of a few of the latest Android features.

Android new and notable security features

You can learn much more about securing Android and other mobile platforms in the new white paper put together by Kurt Roemer, our chief security strategist, and me. The paper is titled “Delivering enterprise information securely on Android, Apple iOS and Microsoft Windows tablets and smartphones.”

Be sure to check out the security and compliance solutions page to learn more about how Citrix enables our customers to embrace mobility and adopt Android—or any device—while protecting what matters most.

About the author

Stacy Bruzek Banerjee is the director of solutions marketing for Citrix and is responsible for global security, business continuity and BYOD solutions. Prior to Citrix, Stacy worked to build Guidewire to explosive growth and a successful IPO. She has held marketing leadership roles at Oracle, Symantec and VISA, where she focused on data management, security and collaboration. She holds a bachelor’s degree from the University of Minnesota. Feel free to read more of Stacy’s blogs.