Symantec: Google Android has a number of security strengths

The paper – titled 'A Window into Mobile Device Security' by Carey Nachenberg, vice president and fellow of the IT security vendor – makes the interesting point that smartphones and tablets significantly complicate the security picture.

According to Tom Parson, Symantec's response centre manager, the problem with smartphones is that most office workers now have them, and they understandably bring them into their working environment.

And, he told Infosecurity, whether you like it or not, there is a strong risk that some element of corporate data will find its way on to the smartphone or tablet computer.

This, he explained, is not always bad, but the real risk – security-wise – he says, is that this data may leave the control of the enterprise, and that is when potential problems start.

"Safe browsing helps a lot, but it's worth noting that the Android platform actually has a number of security features", he said, adding that Android 3.x, Honeycomb, now has an encryption feature for all data on the device.

Then there is the area of permission-based security settings, he went on to say, noting that this security feature works a lot better on the Android platform than it does on iOS, the operating system of the iPhone and iPad.

"There have been more than 200 operating system vulnerabilities on the iOS platform, whereas Android has only had 18. That point is often missed", he said, adding that, whilst the media has focused on the security weaknesses of Android, there are a number of strengths too.

According to the white paper, Android is a marriage of the Linux operating system and a Java-based platform called Dalvik, which is an offshoot of the popular Java platform.

Essentially, says the paper, software developers write their apps in the Java programming language and then using Google tools convert their resulting Java programs to run on the proprietary Dalvik platform on Android devices.

Once converted, these apps can then run on any Android device, although it is unclear why Google chose to use a non-standard Java platform to run its apps.

Each Android app runs within its own virtual machine – just as Java applications do – and each virtual machine is isolated in its own Linux process.

This model, says the Symantec paper, ensures that no process can access the resources of any another process, unless the device is jailbroken.

Whilst Java's virtual machine was designed to be a secure 'sandboxed' system capable of containing potentially malicious programs, Android does not rely upon its virtual machine technology to enforce security. Instead, all protection is enforced directly by the Linux-based Android operating system.

Against this backdrop, Nachenberg's paper notes that the Android security model is primarily based on three of the five security pillars: traditional access control, isolation, and a permission-based security model.

However, he says, it is important to note that Android's security does not simply arise from its software implementation. Google releases the programming source code for the entire Android project, enabling scrutiny from the broader security community.

Google, he says, argues that this openness helps to uncover flaws and leads to improvements over time that materially impact the platform's level of security.

"Today's mobile devices are a mixed bag when it comes to security", says Nachenberg, adding that, whilst more secure than traditional PCs, mobile platforms are still vulnerable to many traditional attacks.

"Moreover, enterprise employees are increasingly using unmanaged, personal devices to access sensitive enterprise resources, and then connecting these devices to third-party services outside of the governance of the enterprise, potentially exposing key assets to attackers", he explained.

What’s Hot on Infosecurity Magazine?