Android security has come a long way since the days when malware filled the Google Play app store. But as Google preps the latest version of Android—version 4.4 KitKat—it still has gaps to fill. In the recent past, many of the security questions that have plagued Android were solved by third-party security vendors. The likes of Lookout, Kaspersky, McAfee and others have patrolled Android, plugging the holes that Google was too busy to see.
Where are those holes in Android security now? We turned to the antivirus maker Bitdefender for some reference.
Unlike Apple's iOS, the Google Play app store has long been much more vulnerable to malefactors; there's no formal review of apps prior to display like there is at Apple. One consequence: Waves of malware, spyware, viruses and trojans in Android apps (although exactly how much users have suffered remains unclear).
Google has done quite a bit to beef up Google Play security with programs such as "Bouncer," which monitors apps in the store for malicious activity. Google also released the Android Device Manager to locate lost or stolen phones, a long overdue service previously offered only by third party vendors.
Android 4.3 Jelly Bean brought some more security features to the operating system, such strengthening the Android sandbox designed to prevent malicious programs from infiltrating other parts of the OS. Yet those sandboxing capabilities are invisible to users and developers, and limit what security companies can do to protect Android users outside of Google's own solutions.
Google has definitely come a long way on security for Android after the first mass wave of malware hit its app store in early 2011. But malicious hackers never sleep and are constantly evolving to find ways into users phones. With Android on near a billion devices in the world, that is a pretty big target for bad actors to chase. New types of Android malware such as thiefware (in 1.2% of apps in Google Play, according to Bitdefender) and fake antivirus apps are still targeting users ... and their wallets.
Bitdefender has some ideas for improving security on Android. Here are five suggestions that the antivirus company would give Google as it prepares KitKat 4.4:
1. Allow Antivirus Scanner APIs
Currently Android doesn't allow many apps to interact with each other. Especially if those apps were made by different developers. This hampers third party antivirus services because they cannot layer their own antivirus scanning capabilities onto Android apps and protect them from malicious permissions or downloads. Allowing an antivirus scanner API would enable the security companies to get malware at the source and protect users through the life cycle of an app.
Of course, this recommendation from company like Bitdfender is a little self-serving. Of course it wants to allow third-party antivirus scanner APIs in Android because that is essential to its business model. Yet outside of Bitdefender's own business, third-party security APIs from enterprise-grade security vendors would be highly appreciated by IT folks around the world looking to secure and maintain the flood of employee devices on their networks.
2. Control Over Individual App Permissions
When you download an app, Android will show you what that app is allowed to do. Smart users tend to stay away from apps that give way too many permissions for the function that app is performing. For instance, why would a gaming app need access to your text messages or your calendar, or permission to modify your contacts list?
Bitdefender thinks users should have the ability to selectively grant particular permissions to an app before they download it. As long as those choices don't completely disable an app, this freedom would let users safeguard their privacy and keep apps from accessing any more of user data than they need to function.
3. Allow Some Apps To Survive A Full Wipe
If your smartphone is lost or stolen, anyone who finds it can start rummaging around in your digital life—including any services where you have a credit card attached, like Google Play. They can also wipe the device and sell it. There's a good chance that a thief would do both; alternatively, Android itself now allows you to remotely wipe your device to safeguard your data.
Either way, wiping the device also deletes any installed security apps , negating the ability to remotely lock out the thief or using a “Find My Device” feature. If Google were to allow some apps to survive a full wipe in KitKat 4.4, this would negate the advantages that a thief has after obtaining your phone.
The problem with this approach though is that malware could also learn how to survive a full wipe by mimicking the security software. Sometimes it is better to burn all the fields to keep your enemy from being able to sustain itself in your backyard.
4. Built-In Sandbox To Isolate Apps From Untrusted Sources
Do you really know what your app is doing when you aren’t looking? App permissions can allow for some things you never really expected. This is especially true for apps that you download from an untrusted source, like a 3rd-party app store or a side-loaded APK file. Also, many apps employ 3rd-party advertising networks that can bypass permissions entirely, giving them access to your contacts and other information.
Bitdefender thinks that applications from untrusted sources should have their own little private jail to live in (like being quarantined at the airport) to prove they are behaving nicely before letting them play with the rest of the device that stores your confidential information.
5. Separate Profiles For Business & Personal Uses
Do you bring your own device (BYOD) to work? Well, you probably have some company apps on the smartphone, like your accounting and CRM apps as well as some personal apps (Facebook, games, e-books etc.). If Android could create different profiles on your phone for your business and your personal use, then it would protect employees from the information harvesting apps of the enterprise. BlackBerry and several 3rd-party services can do this, but it is not built in on the system level of Android.
Do you have any suggestions for improving security in Android? Let us know in the comments.