Mobile security

Apple's walled-garden approach to iPhones and iPads - along with significant enterprise enhancements to its operating system, especially in the latest version iOS 7 - has been a security nirvana for CIOs. In contrast, Android's open source environment has been viewed as a breeding ground for malware and risky apps.

However, signs now point to a changing of the guard. Samsung, for instance, has become the dominant Android player - more than 60% of the market, according to Localytics - and has gone on an enterprise offensive with security offerings such as Knox, a containerisation technology for Samsung's high-end devices.

"It is neck-and-neck between Samsung Knox and Apple iOS 7," says Pankaj Gupta, CEO of Amtel, a provider of cloud-based mobile device management services. He adds that Samsung has taken "security up a notch, supporting many types of secure access via VPN, dual persona and containerisation."

The idea that Android could get on par and perhaps even overtake Apple in the enterprise security space would have been outrageous only a year ago. In the fast-moving world of mobility, though, anything can happen.

Samsung leader of the Android pack

The emergence of Samsung as Android leader helps defray some of the concerns over multiple Android flavours, and Android's natural openness gives developers access to the OS and a deeper security level than Apple currently allows.

When Samsung unveiled Knox earlier this year, it became a serious mobile security player in the eyes of many CIOs and put Samsung ahead of Apple in the courtship of enterprises. After all, containerisation appears to be the way mobile security is heading; Apple later built containerisation into iOS 7.

While Knox will work only on a few high-end Samsung devices such as the Galaxy S4 and Note 3, the technology eventually should make its way into future Samsung devices, Gupta says. "The ecosystem can benefit more by having the innovations trickle down into the standard Android platform."

By having access to the Android OS, developers can build security extensions, such as Knox, at the application layer. At its core, Knox is a secure container in which work apps reside on a device, separate from personal apps. Another extension, by contrast, is AppConnect from mobile device management (MDM) vendor MobileIron, a technology for wrapping individual apps and data in a kind of security blanket.

At the application level, Android developers can add security features, such as disabling screen capture and copy-paste controls on a per app basis. That's not the case with Apple, which doesn't give developers this capability, probably because it interferes with usability.

"The more fragmented Android handset space is less consistent in terms of hardware capabilities, but many modern handsets expose access to a trusted execution engine based on the ARM processor's TrustZone capabilities and this allows app developers to have access to security hardware that is very powerful," says Nicko van Someren at Good Technology. "Apple may have similar hardware but does not give developers access to it."

CIOs learn to COPE with mobile devices

Two mobile market trends play in Samsung's favour.

First, Samsung's dominance in the Android market means that CIOs can invest in Knox and support a good chunk of their Android devices rather than only a handful. Second, a new mobile model called company-owned-personally-enabled devices (COPE) threatens to derail the BYOD movement, and so companies can issue Knox-enabled devices while still keeping employees happy with a popular consumer choice.

While this bodes well for Samsung and Android in the long run, Knox still has a way to go. Knox supports only a handful of apps on Google's Play Store. Not all carriers support Knox. And you'll need a Knox-supported mobile management server from an MDM vendor. There's also an annual activation fee.

Then there's the fact that it's not widely available yet. While Knox was announced nine months ago, "the truth is it doesn't fully exist".

Apple fights back with iOS 7

Apple hasn't exactly been standing idly by, either. Apple's newly introduced iOS 7 is full of enterprise security features no doubt meant to counter Samsung's professed love for the enterprise, says Andrew Borg, research director at Aberdeen Group.

For starters, iOS 7 provides single sign-on, which allows user credentials to be used across enterprise apps for data protection, and "open in" management. Each enterprise app can be configured to automatically connect to a specific VPN upon launching, Gupta says.

Apple is also expected to release a critical "supervised device" service for auto enrollment in MDM and configuration with corporate settings and policies.

Gupta is quick to point out that both Apple and Android have certified FIPS 140-2 compliance, making them both eligible for secure enterprises. Van Someren agrees that Apple and Samsung are both fairly secure.

So who's more secure in the enterprise? It depends on what threats concern you, van Someren says. But one thing is clear: Samsung has helped shake the reputation as an insecure platform that had weighed heavily on Android in the enterprise.