Are federal agencies moving too quickly to adopt Android?
Editor's note: This story has been modified to clarify the authorship of a GovLoop post that it cites.
The popular Android operating system now powers many smartphones, and other handheld devices such as Amazon's new Kindle Fire, making its presence in federal agencies likely. But A former chief technologist at the Defense Intelligence Agency is sounding an alarm warning that Android’s security vulnerabilities should cause government agencies to think twice before adopting the platform.
Technology analyst Bryan Halfpap at CTOvision.com raised the concern in a blog post on GovLoop, detailing the problems security researchers have uncovered with Android. (Due to a peculiarity of the RSS feed, the post appears to be by Bob Gourley, former CTO at DIA and currently CTO at Crucial Point LLC, but a comment from Gourley clarifies the authorship.)
Secure Android 'kernel' could make for classified phones
“There are some very serious security issues with this platform,” Halfpap wrote. “They are so serious the government should think twice before rushing to Android as a most favored mobile platform. In fact, a case can be built that it should be excluded from government use unless guidelines are followed in order to mitigate the issues.”
According to the post, security researchers have found that “nearly all” of Android’s security features have exploits or bypasses. Some, such as the application permissions model, could need “significant overhauls in order to maintain security."
“Android may be the most common, most easily extendable platform, but with its security concerns, very careful planning is recommended so that mistakes aren’t made in its deployment,” Halfpap warned.
But despite the cautionary advice on Android security, several federal agencies are moving forward on enterprise mobile deployments.
Los Angeles National Laboratory has developed use cases for Blackberry, Android and iPhone mobile enterprise deployments. Anil Karmel, solutions architect at Los Alamos, made a presentation at FOSE on those programs earlier this year. Key drivers of smartphone applications for workers include rapid innovation and demand for mobility, while malware is a key concern, Karmel said.
Several industry sources also are more optimistic about Android’s future in government.
“Android is not as secure (as other mobile platforms) but it can be dealt with,” said Tom Suder, founder of MobileGov, a company developing mobile solutions for government agencies. “People like Android, and there are ways to deal with the security issues.”
Another industry source was skeptical of Halfpap’s argument that federal agencies are moving too fast on Android. “The feds do not move too fast on anything,” the source said, adding that security consultants’ advice on security tends to be self-serving by nature.
Google and the National Security Agency currently are working to make Android much more secure. The search giant and the federal agency have developed a hardened kernel for the Android 3.0 operating system, which could help accelerate wider use of smartphones in the military,
Also, at the General Services Administration, security of mobile platforms is an issue that arises in the ongoing debate on whether it is preferable that agencies develop “native” mobile applications—applications specifically made for iPhone, Android or other platforms—or whether they should create mobile websites that can be accessed by all platforms.
For example, the Transportation Security Administration developed its MyTSA application for the iPhone, while the National Weather Service for several years has maintained a website designed for all mobile platforms.
Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.