Businesses have specific security requirements for Android devices

Editor

AV-TEST, a widely recognized independent testing organization, has launched a new type of comparative test of IT security products: Android security apps aimed at corporate users. We sat down with Head of Threat Detection Labs, Jiří Kropáč at ESET, to ask him a few questions about the new test.  


Why has AV-TEST come up with a separate test of Android security apps for corporate users? Provided that all security apps should stop all Android threats – what’s the purpose of having two different tests?  


The reason is simple: the requirements of business users and business environments differ from those of consumers. As AV-TEST puts it, the testing environment for evaluating apps for consumer users is not ideal for protection apps in the corporate computing field. Let me emphasize that this is not specific for Android malware: in the Windows world, corporate solutions are regularly tested separately from consumer products.  

If we get back to basics, you might even ask why both business- and consumer-oriented security solutions exist at all. Naturally, the same answer holds true: the requirements of the two types of users differ. We can divide these differences into two groups.

The first relates to types of threats. Sure, the set of threats out there is finite, and in theory, any user might encounter any of them. In reality, however, business users are more likely to find themselves in the crosshairs of advanced threat actors who may launch a highly targeted attack. In contrast, consumers are typically subject to mass-spreading threats.

Second, while consumers typically take care of their security themselves, businesses tend to manage the devices allowed onto their networks. As such, organizations need to be able to manage any company-owned mobile devices remotely because they often contain scores of sensitive data, particularly in emails. An IT admin can monitor the device’s health and, for example, update its operating system. The ability to control a device remotely is useful if a security incident is detected. Some solutions even allow for remotely wiping the device.

Regardless of the reason, the new test by AV-TEST is here. How does it differ from its older cousin?

In principle, the test structure remains unchanged: both tests measure protection, usability, and performance. Naturally, each security app is required to identify malware, including potentially unwanted apps, while triggering no false alarms. However, the main difference lies in the set of samples used. For example, instead of infected game apps, the testing set contains threats known to target corporate users.  

Another difference is that the corporate version of the test pulls apps exclusively from the official Android app store. This eliminates the need to tune the protection for some obscure types of threats that a corporate user won’t encounter.  

As for performance, it’s a factor that may seem insignificant – but road warriors who work outside of both home and office would disagree. Business users of mobile devices demand long battery life, so the mobile endpoint solution must be easy on hardware resources. The new test evaluates the impact on website loading, document reading, and network traffic. The point is that if the protection app consumes too much energy, it’s an issue – all the more so since corporate users can’t compromise on security and may be fully dependent on their devices.

Apart from protection, usability, and performance, the corporate test also contains an assessment of enterprise mobility management and its features. 

Overall, you seem to be enthusiastic about this new test…

Absolutely! It makes sense. It was a question of when, not if, testing organizations would recognize the need for distinguishing between these two use cases for Android protections.

Look, nowadays, corporate internal systems tend to be accessible from mobile devices. In a typical organization, security folks try to prevent this from happening because of security concerns. But they fail because top management simply requires the convenience of mobile access. And with top managers in, you can no longer keep others out…

Combine this with the trend of allowing personal devices into corporate networks (known as Bring Your Own Device, BYOD – editor’s note), and what you get is an urgent need for a reliable corporate mobile security solution.  

Where there is a need for reliability, there is also a need for independent evaluation and, ultimately, tests. To sum this all up, dedicated tests can be considered a sign of maturity for that particular technology – and mobile security is no exception.  

The results of the first edition of the test of Android security apps for corporate users can be found here.