Ageing Androids and the risk to SMBs

Last month the world held its breath when it was revealed that President Donald Trump was using an out-of-date Android phone that could easily be hacked. Now it has been reported that Trump has finally handed in his five-year-old Android-powered Samsung Galaxy to the Secret Service and instead is using what his predecessor described as a “toddler’s phone”: a phone given to a president because its functions are very restricted in order to protect it from hackers. So, if the president is giving up his old Android because of the security risks, the question for SMBs is: should you and your employees do a Donald and give up your trusty old Android phone?


Rise of the Android

The Android software developed by Google powers more than 85 percent of all smartphones sold in 2016, and is popular among businesses. While iPhones, which use Apple’s rival iOS operating system, were more popular in the past, Android has now caught up. SMBs have also embraced Bring Your Own Device (BYOD), which allows employees to use their own phone for work, and many of those phones will be Android.

Don’t catch that virus!

What’s more, research has suggested that more than 90% of Android devices are running out-of-date versions of the mobile operating system; among business devices the figure is about 1/3. This means that for small businesses, the popularity of Android phones may pose a significant danger to their cybersecurity. Android phones more than two years old are less likely to have been updated recently, leaving them open to known vulnerabilities that could result in malware infections, whether through clicking on a suspicious link sent in an email or downloading an app from a dodgy website. Last summer it was discovered that malware known as Hummingbad had managed to install itself on more than 10 million phones that were running older versions of Android.

Google regularly releases new versions of Android, with such unlikely names as Lollipop, Marshmallow and Ice Cream Sandwich. The latest is Android 7.0 Nougat. These updates are vitally important because they fix vulnerabilities in the software that cybercriminals can exploit. Each security update closes numerous holes.

Open but fragmented

That is all well and good, but Android is an example of open source software. This means that any handset manufacturer can use and even modify Android for free. While this has enabled Android to grow quickly and to dominate the market, the downside is what has been called fragmentation. Many of the more than 400 types of Android phones manufactured are released without the latest version of the operating system.

When Google releases a new version of Android, it is up to the manufacturers or the phone networks to provide the update for individual phones – and there can be long delays. Cheaply made Chinese Android phones have been discovered to have malware pre-installed on them that sends personal data back to China without the owner’s permission. Phones over two years old, like Trump’s, may not have been updated at all. The reason for this is that the carrier is not incentivized to update the device beyond two years as they would rather have the customer purchase a new device.

Double-edged Android

Perhaps the biggest security risk with old Android phones is, ironically, one of the key things that attract businesses to Android: the apps. There are a huge number of apps available for Android phones, which can be downloaded from numerous sites. This has made Android the key target for malware-makers like the criminals behind Hummingbad. There are even reports of malware within apps on the Google Play Store itself, despite the continued effort by Google to keep the store clean. In fact, 132 apps infected with malware were recently removed from the store.

Yet somehow hard-pressed small businesses, usually without dedicated IT specialists, are expected to keep track of the chaos that is Android. “A Galaxy S3 does not meet the security requirements of the average teenager, let alone the purported leader of the free world,” blogs Nicholas Weaver, a senior staff researcher focusing on computer security at the International Computer Science Institute in Berkeley, California. “Without exaggerating, hacking a Galaxy S3 or S4 is the type of project I would assign as homework for my advanced undergraduate classes. It’d be as simple as downloading a suitable exploit and then enticing Trump to click on a link. Once compromised, the phone becomes a bug able to record everything around it and transmit the information once it reattaches to the network.”

Avoiding the threat: update or buy new

Yet there are certainly things a small business can do to keep these older phones a little longer and so avoid the expense of buying new ones. The quickest check, if you are worried, is to go into Settings and see whether the phone is running the latest version of Android. If not, update it; and if it cannot be updated, you may have to buy a new one, because the phone will never be safe.

This is because it is up to the handset manufacturers, and sometimes the telecom companies, to decide if and when they will provide the latest update to a specific make and model of Android phone. But since it takes time and money to make sure each new version of Android works with each Android phone, it sometimes isn’t worth their doing it. The rule of thumb is that any Android phone over two years old is unlikely to be updated.

Management made easier

For the small or medium-sized business, an Android mobile device management app may well be the best solution, because it will let you easily check that all the phones on your network are running the latest version of Android. However, such tools can be time-consuming for the smallest of businesses to operate.

Ultimately the most important security measure for a small business is to make it mandatory for all Android users to install anti-virus software; some of the best packages are free. Monitoring whether your employees have done this is, of course, a lot easier with mobile device management (MDM) software.

Turn off unofficial apps

The simplest way to avoid many of the threats from apps is to turn off installation of apps from outside the Google Play Store, and not to download apps from untrustworthy sources. Some SMBs that rely on BYOD go as far as compelling Android users to do this if they want to use their phone for work.

However, with Android it is a little more complicated than that. Google have improved the vetting of apps in their own app store, but a relatively small number of apps containing malware do still get through. If you use anti-virus software to do the job for you, and keep both it and your phone updated, then you should be safe. Alternatively, a team from Florida International University in Miami have just come up with a new way, called FairPlay, to spot malicious apps in Google Play by analysing who is writing the reviews: it seems that innocent users are being harassed by malicious apps until they leave a “false” positive review. So, if an app’s rating seems far too good to be true, be wary: it may not be genuine.
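To turn the three checks above (OS version, recent security fixes, and whether installs from outside Google Play are switched on) into a repeatable audit, here is an added example script that is not from the article or from AVG. It assumes the phones have USB debugging enabled and are attached to an administrator's machine with adb on PATH, and the minimum version and patch-level thresholds are constructed policy values, not figures from the article.

```shell
#!/bin/sh
# Added example, not from the article: audit Android phones attached over adb
# for OS version, security patch level and the "Unknown sources" toggle.
# Assumptions: adb on PATH, USB debugging enabled, thresholds below are policy.
MIN_RELEASE="7.0"        # Nougat, the latest version named in the article
MIN_PATCH="2017-01-01"   # constructed threshold for the security patch level

# Print 1 if dotted version $1 is >= $2 (numeric compare per component), else 0.
version_ok() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) { print 1; exit }
      if (x[i] + 0 < y[i] + 0) { print 0; exit }
    }
    print 1
  }'
}

# Print 1 if patch level $1 (YYYY-MM-DD) is on or after $2, else 0.
patch_ok() {
  a=$(printf '%s' "$1" | tr -d -); b=$(printf '%s' "$2" | tr -d -)
  [ "${a:-0}" -ge "${b:-0}" ] 2>/dev/null && echo 1 || echo 0
}

# Classify one device from (release, patch level, unknown-sources flag).
assess_device() {
  if [ "$(version_ok "$1" "$MIN_RELEASE")" != 1 ]; then
    echo "REPLACE_OR_UPDATE: Android $1 is older than $MIN_RELEASE"
  elif [ "$(patch_ok "$2" "$MIN_PATCH")" != 1 ]; then
    echo "UPDATE: security patch level $2 is older than $MIN_PATCH"
  elif [ "$3" = 1 ]; then
    echo "RECONFIGURE: installation of non-Play-Store apps is enabled"
  else
    echo "OK"
  fi
}

# Live audit of every attached device. ro.build.version.security_patch exists only
# on Android 6.0+, so an empty value is treated as ancient; install_non_market_apps
# is the pre-8.0 global "Unknown sources" toggle (8.0+ moved it per-app).
audit_attached() {
  adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
    rel=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
    pat=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
    unk=$(adb -s "$serial" shell settings get secure install_non_market_apps | tr -d '\r')
    echo "$serial: $(assess_device "$rel" "${pat:-1970-01-01}" "$unk")"
  done
}
if [ "${1:-}" = "--live" ]; then audit_attached; fi
```

Run it with `--live` to query attached phones; a device older than two years, as the article describes, typically fails the first check outright, which is the "buy new" signal.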

“Our phones often become like old friends because we trust them to work and keep our secrets,” says Tony Anscombe, Senior Security Evangelist, AVG Business. “But sometimes, like old friends, they can let us down. It can be difficult for small businesses without resources to manage either company or BYOD phones – even if they have a management plan and follow it. The downside of BYOD is that staff can also be resistant to their company accessing their phones. While there are plenty of things that can be done to keep older Android phones working, in the end it may well be easier, safer and ultimately cheaper to replace them regularly.”

8 essential steps to evaluate the cost/benefit of an Android phone:

  1. What is the cost of the phone?
  2. Who is the manufacturer and what network is it on?
  3. What is the reputation of the manufacturer or network for issuing Android updates?
  4. What version of Android is the phone running?
  5. If it is not the current version, how old is it and can it be updated?
  6. What is the likelihood that this phone will be updated?
  7. What role does this phone play in your business: what does it connect to and what data does it collect?
  8. Will you replace the phone regularly or try and hold on to it?

In the end, the decision to buy an Android phone comes down to a combination of factors: its suitability for the task at hand, price, regularity of updates, the frequency with which you replace the phone – and of course the amount of risk you are willing to take with respect to its level of security.

If you have any questions, please ask below!