What Android 4.4 KitKat needs for security

In the soon-to-be-released update of Android, Google is likely to continue its mission of having a mobile operating system as secure as Apple's iOS. Google hasn't said how far up the security ladder it plans to take Android 4.4 KitKat, but one anti-virus vendor is offering a wish list.

Little hope for AV scanners

Topping Bitdefender's list is giving AV vendors more access to the operating system. Google has chosen to treat AV apps like the rest and not let them muck around with other apps. Exceptions are made, but scanning for malware isn't one of them.

Bitdefender wants an application programming interface (API) for AV scanners, saying vendors can't do their job properly without it. Evidently, Google doesn't believe their job is that important.

In 2011, Chris DiBona, open source program manager for Google, made quite a stir in the blogosphere when he wrote on Google+ that AV vendors were "charlatans and scammers" playing on people's fears. While that wasn't Google's official position, you had to believe there was some sympathy in the company toward DiBona's tongue-lashing, which was in response to AV vendors' seemingly endless number of studies on the threat of Android malware.


Since then, Google has gone on the offensive with its own study. Earlier this month, the company released its own analysis that found less than 0.001 percent of applications were able to evade the multi-layered defense in Android and cause harm to the user.

Put all this together, and I would be mighty surprised if Bitdefender got the first item on its wish list. The others may have a better shot.

What else

Bitdefender would like Android users to have the power to accept or deny permissions for applications after they are installed. Google headed in that direction in version 4.3, which gives some control over permissions before installing the app.

To protect people who download apps from third-party app stores, which is where most malware hides, Bitdefender is asking for a special sandbox. If an app is downloaded from an untrusted source, the user would get the option of running it in the enclosure, where it would be monitored for data leakage and misbehavior.

For businesses, the vendor would like Google to keep anti-theft applications on the device, even when it is wiped of data through a factory reset. This is what crooks do after stealing a phone, so keeping the utility alive would make it possible for the victim to still control the phone remotely.

Finally, the AV maker wants separate profiles built into Android devices, one for personal applications and the other for corporate data and apps. Such a feature would make the device safer for businesses that allow employees to access the corporate network on their smartphone.

I have no problem with the recommendations above, except for giving AV vendors more access to the operating system. They have not shown that the protection they offer is worth the risk of having AV scanners slow down performance and reduce battery life. As long as a person sticks with Google Play for apps, then the chance of infection is minuscule.

Something I would like to see is Google taking a tougher stand against overly aggressive adware, called "madware." The over-the-top behavior of free apps that make money by serving ad networks includes placing ads on notification bars, collecting the device phone number, prompting to install other apps, adding icons to device screens and changing browser bookmarks, according to a recent report from Symantec. A few apps have been known to go so far as to play an audio ad after dialing.

With Android KitKat right around the corner, what security features would you like Google to add? Drop your ideas in the comments section.  

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.