Google’s Android for Work and Samsung’s Knox promise serious security, but how does they stack up against Apple’s iOS and the rest?
Apple’s iPhone and iPad long ago pushed out the BlackBerry as the corporate standard for mobile devices, in all but the highest-security environments. Google — whose Android platform reigns outside the corporate world — is now trying to push out Apple, with a new effort called Android for Work. And Samsung is upping the game with a new version of its own Android security suite, Knox.
What Android for Work does and doesn’t do
That technology came to market last week, adding new security and management capabilities, plus the ability to do corporate deployments of Android apps from the Play Store.
Android for Work containers — which run business apps in a separately managed workspace on your device — are part of the Android 5 Lollipop OS and support any Google Play store apps. But Android 3.0 Ice Cream Sandwich through 4.4 KitKat requires users to install the Android for Work app, which can run only apps that have the Android for Work APIs implemented.
Either way, you need a compatible mobile management server to handle the policies applied to apps running in the container, such as enforced VPN use or copy-and-paste restrictions. Mobile management vendors supporting Android for Work include BlackBerry, Citrix Systems, Google, IBM, MobileIron, SAP, Soti, and VMware AirWatch.
What Android for Work only partially addresses is the malware problem among Android apps, both due to the high incidence of malware residing in the Google Play Store and to the common file system in Android that lets malware infect apps via data files. For example, the feds have said that industrial-class spyware used in advanced persistent threats has entered the Google Play market. With Android for Work, IT admins can prevent users from installing unapproved apps from the Play Store in the business workspace to better protect the corporate environment.
By contrast, iOS uses rigid sandboxing to keep apps from accessing other apps, and it severely restricts document sharing to block malware. BlackBerry and Windows Phone have small app libraries and a semiporous approach to sandboxing, so malware has not been an issue for them to date — though there have been outbreaks of BlackBerry malware in the past.
Android for Work also does not make encryption the default on existing Android devices (many models, especially the cheap ones, lack the horsepower to handle encryption).
Google promised last October that new Android 5.0 Lollipop would enable encryption by default on all new devices. (Upgraded devices’ encryption state is unchanged.) But there’s no requirement that the devices use a crypto chip, so users could see major performance hits. InfoWorld’s sister publication Greenbot found that Google’s own Nexus 6 slows to a crawl with encryption on, for example.
Of particular concern to IT, Google has quietly backtracked on its promise that new Lollipop devices would be encrypted by default. In fact, several new Lollipop devices are not.
By contrast, iOS devices have been encrypted by default (with no disable option) since 2010, and BlackBerry devices have been encrypted for at least a decade — both have the needed crypto chip to avoid performance hits. But Windows Phone 8.1 devices come with encryption disabled by default, and an admin must enable it. (Windows 8.1 is the first version of Microsoft’s mobile platform to support device encryption.)