How to secure a Google Android phone

Two years ago almost nobody had heard of Android. Now it's nearly ubiquitous among smartphone users and it's on track to become the most popular mobile operating system in the US. When it comes to business use, though, Android still has some growing to do. Here's how to keep your Android phones and tablets safe from malware and hackers.

Some security concerns, such as the nefarious wallpaper apps issue (in which the apps allegedly collected personal information and sent the data to a website) or the compromise of sensitive information via apps are more hype than reality, but there are still plenty of legitimate problems that you should be aware of.

Android smartphones typically have 16GB or 32GB of internal storage, and many have SD Card slots that enable users to extend the data capacity. That means users could potentially walk around with 32GB or more of business data in a handheld device that is vulnerable to loss or theft.

Android's ability to encrypt data on removable storage depends largely on third party software-based encryption, which is inferior to hardware encryption. IT admins also don't appreciate Android's lack of a remote tracking capability, as well as the inability to impose standard sets of apps (or other IT and security policies) remotely.

To sync contacts from Lotus Notes or Microsoft Outlook to an Android smartphone, you must first sync the data with Google's cloud. But incidents such as a hacked Google Apps account resulting in a serious security breach at Twitter, along with general concerns about cloud security, give IT admins good reasons to be apprehensive. The requirement that sensitive data be stored on the web with Google could be reason enough for some IT departments to ban Android devices altogether.

Android does have some useful security controls and remote management capabilities built in, and you can overcome most security concerns with a bit of planning and some good app downloads. Here's how to lock down your phones.

Working with Android

As with the Apple iPhone, the primary framework for remote configuration and management of Android smartphones is Microsoft Exchange Server and ActiveSync. Using Exchange, IT administrators can impose configurations and enforce policies, up to a point. Let's examine some of the pros and cons of managing Android devices with ActiveSync.

Researchers have found that the connect the dots pattern screen for unlocking an Android smartphone is vulnerable to cracking: A thief could trace over the fingerprint smudges on the display to unlock the phone. Fortunately, Google has added PIN and alphanumeric password options to Android 2.2 (aka Froyo) and IT admins can select and enforce a password policy across Android devices using Exchange ActiveSync. Unfortunately, only about a third of Android devices are currently running version 2.2.

Another useful Android security feature gives you the ability to remotely wipe the data on a device in the event that it is lost or stolen. Using Exchange ActiveSync, IT admins can remotely reset an Android device to factory defaults, in the process removing any sensitive or confidential data stored on it.

However, although Microsoft Exchange and ActiveSync can also disable functions such as the smartphone camera or Bluetooth connectivity, those security controls are not available to Android. If your organisation is concerned about the security implications of smartphone cameras or the possibility that an attacker could hijack the smartphone's Bluetooth connection and use it to access the other network resources the device is attached to, those shortcomings are crucial.