What’s in a Jelly Bean: is Android 4.1 going to help with BYOD?

Google recently announced Android 4.1 ‘Jelly Bean’ at its I/O conference in San Francisco. The latest flavor of the world’s #1 mobile OS promises a better user experience and a sexier UI. But does it really make it any easier for IT to secure and manage those personal devices used for work?

Generally speaking, 4.1 is an incremental release that takes Android one step closer to Apple iOS, which has been in the market for 5 years now. From a corporate IT perspective, nothing is dramatically different or better.

The many improvements are all consumer-oriented and mostly pertain to usability and the overall end-user experience, chief among them the new extended vsync timing. From a BYOD perspective, not much has changed either. In fact, there are new reasons to worry about the potential security implications of some of the new consumer-oriented features related to Wi-Fi connectivity and data exchange. These include Wi-Fi Direct, a technology that lets apps discover and pair directly over a high-bandwidth peer-to-peer connection, and Android Beam, which allows NFC-triggered Bluetooth data transfers from one device to another.

On the other hand, IT managers will welcome the new Network Bandwidth Management API and the Smart App Updates functionality. The enhanced Network Bandwidth Management functionality may help corporate IT curb mobile data costs when the device is connected to a metered (read commercial) network, including when tethering to a mobile hotspot. Apps can query whether the current network is metered before beginning a large download that might otherwise be relatively expensive to the user. However, this new API requires Mobile Device Management (MDM) and/or Telecom Expense Management (TEM) integration to get a clear picture of which networks are sensitive to data usage and to manage the network activity accordingly. In addition, the Smart App Updates technology, which makes app updates smaller, and thus faster and cheaper to download, may also help overall system security by increasing the likelihood that individual end-users will keep their apps up to date.

Among the announced new features, two in particular may have a direct impact on security:

  • App Encryption: When integrated with Google Play, this new feature protects application assets by encrypting all paid apps with a device-specific key before they are delivered and stored on a device. This is more about protecting app developers from illegal downloads than addressing the legitimate corporate concern about data losses caused by consumer mobile devices connecting to corporate networks. In fact, App Encryption applies only to the application code itself, and only if it is downloaded from Google’s official app store. As a side effect, this new technology may actually make it more difficult to develop and run independent mobile app reputation services – such as the one offered by Trend Micro – that scan for the multitude of malware affecting all Android stores, Google’s Play included. At the same time, it may also make it more difficult for hackers to reverse engineer legit apps to inject malicious code.
  • PDK: The Android Platform Developer’s Kit is the hardware equivalent for OEMs of the software SDK for app developers. Usually SDKs are released months ahead of product launches because platform vendors want app developers to make as many apps as possible available for the day of the launch – or soon after. This is a good step in the right direction. But I am skeptical about its actual effect on Android fragmentation, which is mostly driven by the business need to differentiate otherwise commodity products rather than by mere technical reasons. Let’s not forget that OEMs – and wireless operators too – have every interest in getting people to buy new devices rather than upgrade the ones they already own to a new version of the OS.

Once more, it appears that Google prioritizes consumer requirements over security and manageability. And that’s what you would expect from one of the most successful consumer brands on the planet. It’s fair to say that, despite some enterprise-grade security and management capabilities creeping into the Android platform over time, the primary target for Google – as well as for the many Android OEMs – is the consumer segment. The focus is on attributes like design, form factor and sleek user interfaces, not encryption, VPN, or MDM support. And unfortunately for the many IT managers coping with disruptive IT trends such as Consumerization and BYOD, there is still no evidence that this is going to change any time soon.

About Cesare Garlati
Co-Founder, Hex Five Security, Inc. - Chief Technologist prpl Foundation

One Response to What’s in a Jelly Bean: is Android 4.1 going to help with BYOD?

  1. Julian Evans says:

    Tend to agree with your analysis. Also worth pointing out that offline content management was talked about frequently by the Google presenters. Expect ‘offline content’ to be a surface attack area for malware authors.
