Google Now draws caution among security experts

Google Now, the smart assistant in the latest upgrade of the Android operating system, draws an uneasiness among security experts evaluating the risks the search-based feature for mobile devices brings to businesses.

Google introduced Now on Wednesday in unveiling Android 4.1 Jelly Bean at the company's I/O developer conference in San Francisco. Now is designed to use a person's search history, calendar, location and Google Maps to deliver useful information, such as the next bus for that appointment downtown or a weather warning on the day you plan to bike to work.

Several security experts told CSO they were concerned over Now, while acknowledging it was too early to say for sure whether there are risks to businesses. Like companies, consumers may also be uneasy with the amount of information going to Google and what the company can do with it.

Jon Oberheide, chief technology officer for mobile security vendor Duo Security, said: "I'm sure there will be opinions on both sides of the aisle: Privacy-focused users who are spooked by knowledge of Now and everyday users who are impressed and drawn to the utility of Now."

While consumer advocates worry about privacy, corporations will be thinking about the implications of having Now on the same device an employee is using to tap a company's web application or email server. At the very least, companies will want to have control to shut off the feature.

"Google states that you must opt-in to use these services, but it is unclear whether the management APIs (application programming interfaces) provided by Google will allow centralized control of these settings," Chester Wisniewski, security research analyst for Sophos, said.

Besides control, there's the question of third-party apps that will have access to Now and an employee's personal information, which could also include some corporate data. In addition, those apps could also be tied to the device's native Web browser, a favorite entry point for hackers.

"This could be especially concerning for corporate web-based apps if they depend on the native browser," Stacy K. Crook, analyst for IDC, said. "So a recommendation there would be for companies that have mobile web applications to look into secure browsers that they can have some control over to launch those apps in."

The challenge of securing mobile devices in light of the growing number of features is likely to push more corporations toward adopting security tools used in online banking today, Gartner analyst Peter Firstbrook said. Like banks, companies won't know in advance whether a device is infected with malware when it connects to web applications. As a result, companies will also need authentication, encryption, database monitoring tools and browser isolation software.

"We anticipate the bring-your-own-device (BYOD) trend will force organizations to use the same types of tools," Firstbrook said.

In the meantime, Wisniewski has found his own way to use features like Now and still keep corporate data safe. He uses a Research In Motion BlackBerry for business and an Android smartphone for his own use. "Personally, I hate carrying two devices, but I don't see a lot of safe alternatives," he said.

Read more about data privacy in CSOonline's Data Privacy section.

Lower costs help NZ pip Australia for F5 Networks support centre

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Fraud Management Solutions

Reduce fraud losses regardless of channel by preventing cybercrime, identity theft, and other threats targeting your customers.

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.