Will Android Ever Be Ready for the Enterprise?
Full disclosure. As of the writing of this article, I am a current user of the Android platform.
The use of BYOS (Bring Your Own Smartphone) in business environments has steadily increased for years. More than 54% of the current smartphones in use are powered by Android. As our dependency increases on these devices to stay updated with our jobs, access company resources, and authenticate ourselves, more attention should be paid to how many of these devices are present in our environments and how current they are.
Android use is a double edged sword. While it provides business and consumers an array of choices for devices to fit their need, it also presents a significant amount of fragmentation for OS updates. Updates are often controlled by the manufacturer who limits updates by some arbitrary timeline they’ve developed. Deployment of these patches can be further exacerbated by carriers who want to make their own modifications. These timelines are often not disclosed or otherwise made readily available for consumers to make informed decisions on their phone investments.
The consequence of this type of system means that Android devices can pose a potentially significant risk to the business environment. The first half of 2018 shows that the “Oreo” version of Android was at under 20% adoption. This means a potential 80%+ of the devices in the wild are potentially exploitable. That can be a significant attack surface for a threat actor to find ways to find ways into your environment.
To the credit of Google, they have been looking for ways to address this problem. One way is through their Android Enterprise program, which requires manufacturers to provide security patch updates for 5 years after release of a device, and that said updates must be made within 90 days of vulnerability identification. Unfortunately, only a handful of manufacturers have signed up, and of those, few have enrolled all their phone models. One of the largest Android smartphone vendors, Samsung, has yet to sign on to the program. From a high level, the 90 days sounds pretty standard. However, dependent on when an exploit was discovered, reported to Google, and then patched, and where it falls on the deployment cycle of your chosen manufacturer means that we can reasonably expect that devices could be at risk for more than 90 days. This could set many devices to be out-of-compliance with vulnerability risk controls of the environments that they are on.
See Devices that are qualified for Android Enterprise:
The other solution Google offers is their own line of Android smartphones called the Pixel that they sell online and through Verizon Wireless. The phones are compatible with providers other than Verizon Wireless, but to obtain an “unlocked” phone, you have to purchase directly from Google for the best experience. These devices are generally the most updated and can easily check the box in terms of meeting compliance rules. Whether they meet the needs of your users however, is another consideration entirely. If your business issues phones to employees, the limited distribution of these phones may present a supply chain issue should you not have a supply of them and a replacement is needed.
Even with this progress, I’d like to see Google do more to secure the Android platform overall by obligating manufacturers to follow the patching guidelines instead of voluntary adoption. Transparency in allowing consumers to know up-front how long they will get updates and at what frequency will help build additional trust in the platform and help make informed decisions on how long the phone investment will last them.
So should you throw your Android phone away? It really comes down to the risk you are willing to accept. You can mitigate some of your risk on the patching timeline by purchasing unlocked phones from manufacturers directly, but you should confirm with your carrier if that will prevent you from using certain functionalities like wifi calling or whether the phone can be insured under their program, if desired. Android security continues to improve through each major release, which means that the potential for exploitation will get more difficult to achieve. Though at the end of the day, most businesses are far more likely to have a user cause a breach rather than the mobile phone they are using in their hands doing it without their knowledge. No platform can substitute good user training on how to be smart about security on their mobile devices.
 Statista – Mobile OS Market Share in US from 2012 to 2018
 Statista – Android Usage Worldwide by Version