Android Is Catching iOS in Mobile Security, But Enterprises Don’t Yet Know It
In many organisations today iOS may be the dominant mobile operating system, but it’s the only game in town when it comes to deploying apps for employees. Most enterprises eschew Android altogether and take an “iOS first and only” route. This could change over the next few years as IT departments become aware of recent efforts by Google to improve Android’s enterprise standing.
Last month I attended Google’s annual I/O developer event in Mountain View, California. Reflecting on my experiences there, I’ve concluded that Google is not only making solid progress in the enterprise market under new boss Diane Greene, but is also catching up to Apple in terms of Android’s overall readiness for use by enterprises, most notably in security and manageability.
Google announced a host of improvements in Android for Work and its next Android release, Android N. They’ll take time to hit the market, but they bring important benefits to companies investing in mobility.
Android for Work Enhancements
Android for Work is Google’s enterprise security and management platform for Android devices. It enables Android devices to be used in a variety of modes, including a work profile that separates and encrypts data within the operating system. It can be used for corporate-issued or employees’ own devices, and for deploying single-use devices such as kiosks, for example.
Some of the Android for Work enhancements announced at I/O 2016 included an always-on VPN; the ability for users to switch off the work profile on the device, including work notifications and all background synchronisation of work data; and QR code-based provisioning of Android corporate-liable devices. Google also announced the ability to set a security password when opening apps in the work profile; greater control over the lock screen; and a feature that separates location functions in the work and personal profiles.
Android for Work hasn’t been without challenges since its launch for Android 5.0 Lollipop in early 2015. Barriers include sluggish adoption of compatible devices as well as general enterprise confusion about Android security overall, especially as it relates to Samsung’s Knox. Additionally, limited marketing and awareness of Android for Work has also held it back, despite several partnerships with leading enterprise mobility management providers including Google’s own Apps for Work solution.
The enhancements announced at I/O should help to improve the appeal and awareness of Android for Work as it receives much-needed marketing muscle from Google in 2016. It’ll also receive a boost from new devices available later this year and into 2017 which will carry important new security features embedded in Android N.
Android N’s Security Foundation
Android suffered a string of bad publicity about malware in 2015, including the high-profile Stagefright exploit. Although Google has stated that it has not observed Stagefright affecting users, news of the exploit reinforced the public’s perception of weak security. It therefore came as no surprise that Google emphasised at I/O the significant focus on improved security in Android N.
Some of the new capabilities arriving in Android N include regular automatic updates for Android, media-server hardening, file-level storage encryption, touch-based authentication and secure boot.
These improvements are sure to be welcomed by enterprise IT departments investing in Android devices. However, Google’s decision to deliver monthly software patches for Android N, which it already does for Chrome OS, is arguably the most important move.
The lack of regular patches and update controls for Android has been a consistent and long-held enterprise criticism of the platform. The long periods it takes Android device manufacturers, network operators and users to update their products to the latest version of Android has been a real problem for businesses. For example, seven months after the release of Android 6.0 Marshmallow, just 10 percent of Android devices are running it. Along with Android’s fragmentation, this has been one of the main reasons why iOS has been preferred by IT departments — although managing iOS updates hasn’t been a bed of roses, either.
The need for regular patches has prompted enterprise-focused device makers such as Samsung and BlackBerry to launch dedicated update services for certain handset models in conjunction with Google and operators over the past six months. Devices running “pure” Android N, such as Google’s Nexus line and some models from other manufacturers will be able to receive automatic patches and updates in the background, making the process quicker and easier for users.
Google’s move validates a CCS Insight prediction from 2015 in which we stated that Google would be obliged to launch a dedicated Android update service for security updates (see CCS Insight Predictions for 2016 and Beyond).
Market Education on Android Security
The large focus on security in Android N also addresses Google’s need to raise enterprise awareness of its ongoing commitment to Android security and educating the market about Android risks. A report published in April 2016, titled Android Security 2015 Year in Review is an example of a step in this direction. In the second of these annual reports, Google highlighted that it runs more than 400 million scans per day across 1 billion Android devices globally, making it, according to Google, “the largest provider of on-device security services.”
Google also revealed in the report how rare Android malware is outside Russia and China: in 2015, just 0.1 percent of devices running Play had a potentially harmful application installed, according to the company. Google will need to continue carrying out this type of education for enterprises.
DevHub and Accelerating Enterprise Android App Development
Another important announcement at I/O 2016 was the Android for Work DevHub, a community for developers to collaborate and share best practices on Android enterprise apps. Google also announced that standard Android for Work configurations for developing enterprise apps are now publically available through the AppConfig Community.
The creation of Android for Work DevHub and support of the AppConfig Community are important moves to address the next aspect of Google’s enterprise mobility strategy — accelerating the development of Android apps for enterprises.
Apple’s continued courtship of software providers and systems integrators through its partnerships with the likes of SAP and IBM as well as through its Mobility Partner Program over the past few years has only strengthened businesses’ preference for deploying corporate apps on iOS rather than on Android.
This preference should diminish as developers place more confidence in Android for Work and it becomes more widely adopted in the business market. Google’s continued focus on its enterprise cloud and developer capabilities such as its machine-learning technology, Android Studio development tools and its cross-platform mobile back-end-as-a-service platform, Firebase, will also help in this regard.
Telling the Story
Overall, the enterprise-related announcements at this year’s I/O event underline Google’s growing commitment to the enterprise market and to enterprise mobility in general.
The challenge from here is telling this story to raise enterprise awareness and most importantly, to encourage firms to build and deploy corporate apps on Android with confidence as a result.
Android’s enterprise story has been quietly building over the past few years but it now must be made more audible by Google directly to the wider enterprise market; many companies simply are not yet aware of Google’s investments, particularly in mobile security.
Android has some advantages that more companies can benefit from as Google makes progress in raising awareness and confidence levels. Most noteworthy is the sheer range of uses that Android devices can address for businesses, including bring-your-own device environments, corporate-owned, personally enabled devices, kiosks, single-use devices, field services, rugged devices and, perhaps most critically, affordable devices.
Google has done well over the past 24 months to catch up with Apple in mobile security and management. This commitment will continue, raising questions about its future alignment with enterprise-focused manufacturers, most notably Samsung, which has made its own heavy investments in security. It also poses an ambiguous future for several suppliers of Android mobile security software.
Above all, Google must continue to focus on raising enterprise awareness of Android’s capabilities while addressing a critical gap in enterprise Android app development. This is a process that should be accelerated over the next 12 months if Android is to properly emerge from the shadow of iOS in the enterprise.