
August 12, 2015

How Non-Google experience devices are gaining traction, and posing risk to the enterprise

By Aaron Cockerill

The mobile ecosystem is moving toward economical smartphones. They are customizable and much more affordable than the $600 plus Android phones you might see on the market.
This poses a problem for enterprises which, to date, have relied on the app testing and vetting process applied to Google Experience devices, and the fact that app downloads on these devices are by default funneled through Google Play. Non-Google Experience devices introduce much more fragmentation.
Economical Android phones have the wind at their backs
A Google Experience device is one that runs Google’s proprietary system applications and uses the Google Play store as the preferred app store on the device (though other third party app stores may be installed). Enterprises are familiar with these devices because most major handset manufacturers and carriers are members of the Open Handset Alliance, which is committed to creating and supplying Google Experience devices over AOSP, or Android Open Source Project, variant devices which run their own forked versions of the OS.
Newcomers to the scene, however, like CyanogenMod, which just announced it has 50 million users for its forked Android OS, and Xiaomi, which recently raised over $1 billion in funding for its Android-powered handsets, are fervently chipping away at Google’s Android market share.
That’s because they have become legitimately beautiful, usable, and inexpensive.
I go to Mobile World Congress every year and I’ve been regularly disappointed by AOSP devices, but my opinion changed this past March. At the conference, phones like Xiaomi’s or those running CyanogenMod were sleek, elegant, and competitive with brand names. They had interfaces that I actually wanted to use and best of all, they were still cheap.
There has been a change in the device winds and I’m not the only one noticing:
Earlier this year Microsoft partnered with nearly a dozen Android device manufacturers to pre-install Office -- a favorite among enterprises -- on their devices. Most of these manufacturers were not a part of the Open Handset Alliance, and thus not bound to Google Experience guidelines.
Cyanogen, in addition to its 50 million users, raised $80 million in capital led by some legitimate names: Twitter Ventures, Qualcomm Inc, Rupert Murdoch, Benchmark, Andreessen-Horowitz, Tencent, and more. Microsoft was also a minority investor in this round.
Xiaomi, which has been rising in the ranks as an “inexpensive, but beautiful” AOSP option, raised $1.1 billion in December 2014. It’s valued at $45 billion and is becoming “increasingly popular,” according to the press.
How this affects the enterprise
If you’re an enterprise this means one important thing: These devices, which you’re not used to seeing, are soon going to start popping up on your network as employees bring them to work.
There are a few main concerns here: system applications, vulnerabilities, and third-party applications.
Vetting system applications and vulnerabilities
Enterprise IT managers will need to ensure that the system applications, which cannot be removed from the device, and the other software running on a device have been vetted for vulnerabilities and other security issues. Let’s look at the chain of vetting in a Google Experience device:
  1. Google - Google vets its own software using a number of performance tests to make sure it’s up to snuff and that vulnerabilities aren’t present.
  2. Manufacturer - Third-party manufacturers (such as Samsung) do their own tests to ensure the software meets their specific guidelines.
  3. Carrier - Carriers then do their own vetting, determining that the system applications meet their compliance standards.
Traditionally, enterprises have relied on devices going through two or three of these vetting layers, trusting that security and efficiency best practices and interests are at heart. Forked AOSP devices oftentimes aren’t sold through carriers, however, so they only really see manufacturer-level vetting. Without as many layers to control for missteps or overlooked issues, enterprises should be a little nervous.
When vulnerabilities are found -- which will happen -- enterprises then become reliant on manufacturers to push out these patches. However, with numerous manufacturers to rely on, there is little guarantee that the right patch will come in a timely manner.
Third-party applications
Enterprise IT managers will need to know if a risky application has access to a protected network. AOSP devices don’t have to use Google Play as the preferred market for app downloads -- in fact, they don’t have to have Google Play on the device at all. Google has done a good job of keeping most of the bad stuff out of its store. Without the presence of the Play Store, it’s likely that these device owners will download apps directly from websites or third-party app stores, where there is likely not as concerted an effort to vet apps.
Both of these issues can be mitigated through visibility. One of the biggest challenges enterprise IT departments face is knowing what’s running on the network. In a BYOD workplace, you can’t control every piece of software that makes it onto the network, thus knowledge will be key.
Knowing that a potentially risky app or vulnerable device has entered your private, corporate network gives you the power to make fast remediation decisions. Knowing what software accesses your network will also empower you to set policies determining what data can be accessed by that employee.
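As an added illustration of that visibility (this is example code, not from the original post or from Lookout), the script below triages a device's package inventory for the two questions raised above: whether it is a Google Experience device at all, and which user-installed apps came from somewhere other than Google Play. It assumes the inputs are the output of `adb shell pm list packages` and `adb shell pm list packages -3 -i`; the inventories here are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from Lookout.
# Assumes input in the format of `pm list packages` (one "package:<name>"
# per line) and `pm list packages -3 -i` (-3 = third-party apps only,
# -i appends "installer=<installing package or null>").

# Constructed inventory of a Google Experience device (not a real capture).
GE_ALL='package:com.android.vending
package:com.google.android.gms
package:com.example.mail'

# Constructed inventory of a forked AOSP device without Google services.
AOSP_ALL='package:org.example.forkedtheme
package:com.example.mail'

# Constructed user-app list with installer attribution.
USER_APPS='package:com.example.mail  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.thirdparty  installer=com.amazon.venezia'

# Succeeds (exit 0) only when both the Play Store and Play Services are
# installed, i.e. the device went through the Google Experience chain.
is_google_experience() {
  printf '%s\n' "$1" | grep -qx 'package:com.android.vending' &&
  printf '%s\n' "$1" | grep -qx 'package:com.google.android.gms'
}

# Prints one line per user app not installed by Google Play, tagged
# "sideloaded" (no installer recorded) or "third-party-store:<installer>".
non_play_installs() {
  printf '%s\n' "$1" | awk '
    /^package:/ {
      split($1, pkg, ":"); split($2, inst, "=")
      if (inst[2] == "com.android.vending") next
      if (inst[2] == "null") print pkg[2] " sideloaded"
      else print pkg[2] " third-party-store:" inst[2]
    }'
}

# $1 = device label, $2 = full package list; prints a one-line verdict.
report() {
  if is_google_experience "$2"; then echo "$1: Google Experience device"
  else echo "$1: non-Google Experience device, expect manufacturer-only vetting"
  fi
}

report "device-A" "$GE_ALL"
report "device-B" "$AOSP_ALL"
non_play_installs "$USER_APPS"
```

Feeding it a real inventory is a matter of replacing the constructed strings with `adb shell pm list packages` output; the same two checks then tell you which of the post's concerns apply to a given handset before it touches the network.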
Visibility is the key to the enterprise security conversation -- mobile or not -- but it will become even more instrumental as these new, as-yet-unknown devices gain popularity for their clear gains in innovation.


Aaron Cockerill,
Chief Strategy Officer