Source: The Globe and Mail
quote: The latest version of Android 4.x does include full device encryption for data protection and Address Space Layout Randomization (ASLR) for buffer overflow protection; however the fragmentation of the handset market means that Android 2.x is still the most widely deployed and provided on the majority of new handsets. Another side effect of this market fragmentation is that there is no central means of providing operating system updates. Security patches are provided to customers by individual carriers or handset manufacturers. There is an unacceptable delay in this process, meaning that many consumers remain unprotected from critical vulnerabilities for a prolonged period.
Android is currently the preferred platform by cybercriminals. With clever social engineering, they convince a victim to install a “useful” application. The user willingly gives permission, and bingo—the device is compromised. Premium SMS fraud Trojans are a costly reminder of unfriendly apps, but what is worse is the data exfiltration function of some of the digital nightmares: malware can copy SMS, intercept calls, remotely activate the microphone, or conduct other sinister tasks.
Attackers are using Android app stores as distribution mechanisms; they promote their apps through online marketing activities, which include sending out spam messages. This is facilitated through the lack of up-front validation of apps after they are submitted to app stores and before they are made available for download. It is compounded by the third-party app store functionality inherent in the Android app model. This open ecosystem is abused by the bad guys, and this will not stop until app store providers themselves establish strict reputation checking. Advising the user to only download from a trusted source does help to mitigate some of the risk, but this also has a downside. Users tend to see the official Android Market, now called Google Play, as a trusted source, yet multiple examples of malicious code are regularly found being distributed through this official channel.
quote: IT managers should definitely consider adding Android to their set of flexible policies but should probably limit its use to the least sensitive mobile roles.
quote: LOL, two well sourced and unbiased posts get downvoted, the fanboy circlejerk here is hilarious