Experts weigh in with wish lists for Android 4.4 KitKat security

With Android 4.4 KitKat, Google has an opportunity to show that when it comes to security, the next version of the mobile operating system is ready for business. While we don't know whether Google will take up the challenge, security experts on Wednesday provided their wish lists of enterprise-pleasing features.

The longed-for enhancements range from more application programming interfaces (APIs) for controlling Android devices to a 64-bit ARM architecture, which is what Apple introduced in September with the iPhone 5S. Whether any of this becomes reality won't be known until the OS hits the market, which is expected to coincide with the release of Google's Nexus 5 flagship smartphone early next month.

The new APIs favored by Daniel Ford, chief security officer for Fixmo, would provide more information to IT staff sitting behind a device management console. Useful data would include whether an app came from Google Play or a third-party online store, which is where criminals often hide malware.

Android devices should also provide notifications when a browser engine is modified, a sign of infection, or when the mobile carrier is sending or requesting data, an indication that a femtocell, the base station service providers use to extend coverage indoors, has been hijacked.

Another useful API would let IT staff set policies for app-to-app communications. "The default rule should be that no app can communicate with another app unless explicitly permitted," Ford said.

Other features favored by experts include control over individual app permissions for accessing device services and data encryption by default. Jon Oberheide, chief technology officer for Duo Security, would also like to see Google take Android from a 32-bit ARM architecture to 64-bit.

The latter architecture vastly improves the effectiveness of security techniques such as address space layout randomization (ASLR), which helps defend against buffer overflow attacks.

Oberheide also favors adoption of the secure computing mode (seccomp) framework for sandboxing. Seccomp is used in Google's Chrome OS and can provide better protection to the mobile browser in Android.

Experts also want Google to go much further with the user profiles currently in Android and the policies available for parents to restrict children's mobile phone use. Rather than stop with consumers, Google is being encouraged to allow companies to set policies for downloading apps and sharing data. This would make securing a device much easier when employees want to use their smartphones to access corporate networks.

Samsung has introduced technology called Knox that creates a wall between personal applications and data and those belonging to companies.

Meshing the needs of business and consumers within Android would be a win-win for Google and companies, experts say.

"Android is the least secure of the major smartphone platforms," Jack Gold, analyst for J.Gold Associates, said. "Adding enhanced security targeted at the enterprise would accelerate adoption and also provide a uniform security environment."
