Almost 40% of organizations surveyed in a recent Verizon report said they had experienced a mobile-related security compromise. Of those, 66% said the impact was major. Major security breaches cost organizations time, money, and public trust. Android security is critical, particularly in Bring-Your-Own-Device (BYOD) environments. You have more control over corporate devices, but all devices used for business purposes need to be secured from hackers. Learn more about Android threats and how to improve mobile security.
Android Threat Landscape
Hackers take advantage of multiple points of vulnerability, including:
- Apps — Apps offer hackers a wealth of opportunities. These include threats, where malware is embedded in a malicious app, and vulnerabilities, which are flaws in otherwise benign apps that hackers manipulate. Both threats and vulnerabilities could be used to access company data. Ransomware is another possibility, where the phone is locked until a ransom is paid. Phones are also being used for crypto-jacking, where a device is used to mine cryptocurrency, which drains the device and causes other performance issues.
- Data leakage — Users may inadvertently download either malicious apps or benign apps with security vulnerabilities. Either of these could leak confidential company information. They may also unintentionally make mistakes, like transferring company files to the wrong place or copying and pasting proprietary information into the wrong field, which hackers could take advantage of.
- Unsecured Wi-Fi - People tend to save on cellular data usage when wireless hot spots are available. The same features that make Wi-Fi hotspots easy to use for consumers make them a fertile breeding ground for hackers. The fact that authentication is not required to establish a network connection creates an amazing opportunity for the hacker to gain access to the network and consequently also to insecure devices on the same network.
- Phishing - According to the CSO, mobile users are more vulnerable to phishing attacks because they follow email frequently and open and read emails as soon as they are received. In addition, the messages received in mobile email applications hide some of the information about the source of the message more than on a PC, which can lead to confusion and opening of messages from unverified sources.
- Social engineering — Even if you’ve educated your end-users on cybersecurity, they may still be vulnerable when checking email on their phone. It’s harder to see the “to” and “from” email addresses and other details when checking email on a phone, meaning end-users may respond or click links without scrutinizing them.
- Physical device breaches — Phones are easy to lose or leave unattended. If that’s combined with the surprising number of users who don’t practice good password hygiene, you have a recipe for easy access to your organization’s data.
Android Security: Essential Steps to Take
Combat these threats, and more, by developing clear policies. Train your end-users on these policies and how to implement them. Follow up with your end-users regularly to ensure your organization’s policies are being followed. Policies to consider include:
- Phone locking — While it might seem simple, many find taking the extra step of unlocking their phone annoying, so they don’t do it. A PIN of more than four digits is the best way to secure a phone. It protects both company information and personal information of the employee.
- Install security updates — Remind end-users not to put off an Android security update. These are critical, but they’re released by phone manufacturers, so not all employees will have Android security updates at the same time.
- Only using reliable apps from the Google Play Store — The Google Play Store takes measures to verify apps and scan apps for security. End-users should stick with these verified apps.
- Confirming Google Play Protect is working — Google Play Protect is Android’s security system. End-users can confirm it’s working by visiting Security in their phone settings and tapping “Google Play Protect,” than ensuring all the toggles are activated.
- Enabling Find My Device — For end-users to know whether their phone is misplaced or lost, have them enable Find My Device. It can be turned on in the security settings, and there’s also an official Find My Device app.
- Add emergency contact info — End-users can add an emergency contact to their phone in case it’s lost. They can find it in system settings, and can also add a lock screen message directing people on how to access your emergency information.
- Use Chrome’s safe browsing mode — The Chrome browser on an Android is the most secure option for web browsing. It has a safe browsing mode, and users can confirm it’s on by looking in their Chrome settings.
- Using VPNs — You may want to recommend a specific VPN for your end-users to use, as there are many options. You should also address when and how to use it, like when they’re using free Wi-Fi at a coffee shop.
Another way to secure BYOD devices is by using an Android work profile. This sets up a second profile that runs alongside a user’s personal profile. Their personal information stays private, while your corporate information stays secure. You can also implement policies like screen locks, encryption, and not allowing employees to copy and paste from work to personal apps and VPNs. All employees need to do is download this type of Android security app and sign in with their corporate credentials.
All of these steps can be enhanced by deploying Deep Instinct’s advanced mobile security solution. It’s the best security app for Android, offering multiple layers of protection driven by deep learning, the most advanced AI technology.