Google's 3LM soon-to-be subsidiary brings iOS-like management to Android, but only to device makers who sign up

Android smartphones have quickly become popular among consumers, but their reach in business has been stymied by the fundamental lack of security and manageability features in the OS. Thus, 15 months after Apple introduced such capabilities in iOS 4, iPhones became mainstays in many enterprises, while Android is usually disallowed access to basics such as email because it can’t encrypt data at rest or support complex password policies. (However, the “Honeycomb” tablet OS version of Android supports these security mechanisms, as do some Android smartphones from Motorola Mobility.)

The Android smartphone security gap is about to change. Last year, Motorola Mobility bought a startup called 3LM that was developing the kind of security and management features that the Research in Motion BlackBerry and Microsoft Windows Mobile (but not the newer Windows Phone) platforms have long had, and for which Apple added support in iOS 4. These include complex passwords and other password management policies, on-device encryption, and policy-based management of cameras, Wi-Fi access, and the like. Google is now buying Motorola Mobility and, with it, 3LM.

3LM plans to make its technology available soon, for a fee of course, to enterprises, both directly and via licensed mobile device management (MDM) vendors, beginning with BoxTone, that incorporate the 3LM protocols into their multi-OS MDM tools. The reason for offering the security via MDM intermediaries is so IT has a single pane of glass for managing most mobile devices.
BlackBerrys are the exception, as RIM hasn’t opened up the protocols used in its own BlackBerry Enterprise Server MDM tool for use by other vendors.

Security capabilities won’t be universal for Android devices

But there’s a catch: These security and management capabilities will not be baked into the standard Android OS. Instead, device makers, including Motorola Mobility, will need to license the technology from 3LM. There’s no fee to the device makers, as 3LM seeks to create a critical mass of devices against which to sell its service.

That’s probably good for Google, which really dropped the ball on the security front and may soon be able to claim the situation is about to change for the better if 3LM gains traction. The risk in 3LM’s technology not being baked into Android itself is that the Android market will add a new dimension of fragmentation around security and, thus, business fit. Some Android devices will be securable, but others won’t. That’ll confuse users and confound IT for sure, especially compared to the approach taken by Apple and RIM.

Plus, let’s not forget, the 3LM technology requires that you buy an MDM service from it or another provider. It won’t work out of the box with Exchange servers, as iOS and Windows Mobile do, for the core set of security capabilities.

3LM CEO Tom Moss says that most Android device makers have signed up to use the 3LM technology, so he figures that and market pressure will quickly make securable Android devices the norm. He may be right, but many of the device makers in the cellphone space have comfortably offered products of varying quality at different prices for years, without worrying about possible confusion or brand damage. It may be that the “smartness” of a smartphone — of which a big part is its ability to connect to network resources — means security can’t be a variable attribute.
However, I’m less convinced the device makers will see it that way, as their costs could go up to add the better chips that support 3LM capabilities such as on-device encryption. Even if the device makers sell both securable and nonsecurable Android devices, a rash of angry customers who tried to use their smartphones at work only to get an error message from the server may convince the device makers or cellular carriers to label the securable models as business-capable, so customers will know which to buy. I also bet the carriers will charge a higher data-access fee for those models, as they do now if you slip and say you’re connecting to Exchange or Lotus Notes email.

As its own company and even as a subsidiary of Motorola Mobility, 3LM naturally would make its technology available only on Android devices whose makers signed up for a license. After all, 3LM was not part of Google and, short of a license to Google, couldn’t be a universal Android component. But as 3LM becomes part of Google, that barrier is gone. It stands to reason that Google would make the 3LM technology part and parcel of Android, not a separate deal. If Google really wanted to secure Android in practice, it would do as Apple did and make it Exchange-compatible so smaller businesses can easily adopt Android (large ones will use an MDM tool regardless, for other reasons). That means Google loses some MDM revenues or, better, charges all the device makers a license fee to use Android.

If that means moving away from the “Android is free” model, so be it. 3LM’s licensing of its technology is already a step in that direction, so why not do it universally and cleanly? After all, why should it be free? Microsoft is pocketing Android license fees, and Oracle is suing Google for Android revenues over an intellectual property dispute. Google should charge for its technology, like everyone else does.
After all, most of the companies making Android devices pay Microsoft for Windows Phone licenses, for an OS that has nearly no security or management capabilities. Perhaps charging for a business-security premium is ultimately the plan, or perhaps the idea is to make security native and broadly accessible as in iOS. As Google’s acquisition of Motorola Mobility is not final, none of the three companies can commit or comment on what the endgame is. I guess we’ll see.

The other open question is which of 3LM’s security capabilities will be made native to Android when the “Ice Cream Sandwich” Android 4.0 version comes out later this year; 3LM’s Moss said only that 3LM’s technology would “complement” whatever Android itself includes and what device makers such as Motorola Mobility offer. That suggests Android 4.0 will continue to be insecure.

What does 3LM’s technology actually do for Android?

Because the Android OS itself lacks the same kind of security and management APIs found in iOS, Windows Mobile, and BlackBerry, there are a bunch of tools already available to fill in part of the gap. For example, you could install a client app such as NitroDesk TouchDown that provides secured, Exchange-compatible, Outlook-style functions, using the Exchange ActiveSync (EAS) protocol supported by Exchange and other email servers such as corporate Gmail. Or you might find a similar app from one of the MDM vendors that ties to their MDM server.

One forthcoming option that looks promising for such management is the beta Divide app from Enterproid. It creates a separate “partition” on Android with its own EAS-managed email, contacts, calendar, tasks, and messaging apps, plus lets specified apps be installed only in its environment, so corporate and user environments are kept separate. And it lets IT wipe and set EAS policies on the Divide environment, in the same way TouchDown allows within its app despite the lack of native Android support for those policies.
Thus, the user apps, data, and communication are segregated from the business’s apps, data, and communications. Divide’s potential pitfall is that it uses its own management console, so using it is a separate activity from managing other devices. But Enterproid says it will license the Divide APIs so other MDM vendors can incorporate it. (Divide is expected to ship in 2012.) AT&T plans to resell the app and service under the Toggle brand, initially just for Android 2.2-based smartphones, in early 2012.

Or you could use Motorola Mobility’s current line of business-oriented Android smartphones that bring Android 2.x smartphones up to Android 3.x tablet levels of encryption and security. Why even bother with Android devices that implement 3LM’s technology? The obvious reason is that it is made native to the device, so it works outside a single container (which is how NitroDesk and the MDM client apps work). And it does the kinds of things that iOS can do if used with an MDM tool, but not Android today, such as remote application install, application locking, selective as well as total device wipe, credentials management, management of applications’ access to corporate resources such as networks and data, and VPN access management.

The 3LM security layer also promises to add a few capabilities not found in iOS or Windows Mobile:

- It provides mobile application management (MAM) capabilities in addition to MDM capabilities — high-end MDM tools as well as specialized MAM tools do this today for some mobile OSes, but MAM is not yet broadly deployed in most MDM tools nor often accessible via mobile OSes’ native APIs.
- It will do selective encryption, such as for individual apps’ workspaces, in addition to the whole-disk encryption supported in Android 3.0 tablets (but not Android 2.x smartphones other than some Motorola models) and in iOS.
- It will do “breadcrumb” tracking of device access and location.
- It will monitor the device status, such as for troubleshooting and maintenance (some MDM tools, such as BoxTone’s, already do that today via their client apps).

None of these capabilities are of the “whoa, Nelly!” variety, especially without EAS support, though they’ll be appropriately welcomed by IT. But they bring me back to my original question: Why isn’t this part of the Android OS itself? It should be. With 3LM becoming part of Google, it now can. By the way, if you’re curious what the name 3LM means, it comes from “three laws of mobility,” a take on sci-fi writer Isaac Asimov’s “Three Laws of Robotics,” which is the guiding principle behind 3LM’s approach to security, says CEO Moss. It’s the right approach in a “consumerized IT” context. But as with those smart robots in Asimov’s fiction, it needs to be universally deployed, as part of Android itself — whether or not 3LM remains a Google-owned company.

This article, “Want secure Android devices? They’ll cost you,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com.