Military enlists Invincea to beef up Android security

By ABC News
July 4, 2012, 7:44 PM

Android mobile devices, currently under heavy assault by cybercriminals, may eventually be less vulnerable because of a grant from the military.

The Defense Advanced Research Projects Agency (DARPA) has commissioned Web browser security firm Invincea to security-harden ordinary Android tablet PCs and smartphones so soldiers can use them securely in combat — and in the barracks for personal activities.

Invincea has been testing software that locks down data on Android devices used by 3,000 soldiers in Afghanistan, so information on lost or captured devices can't be accessed.

The $21 million grant supports development of technology that isolates malicious Web apps disguised as Android-based games, text messages and social-networking add-ons. Typically, such bad apps enable the attacker to take control of the device.

"Our technology limits any app running in our bubble from gaining access to data or things like the GPS, microphone or camera," says Anup Ghosh, company founder and chief executive.

The research comes as security firms are tracking an explosion of malicious Android apps spreading across the Web.

Malicious Android apps tracked by security firm Webroot rose 250% to more than 1,400 samples in January of this year, up from 400 circulating in July 2011. That's been followed by a 900% rise in the first six months of 2012 to the roughly 12,000 bad apps that Webroot tracks today.

"Crooks realize there's valuable data they can access once they break into your device," says Grayson Milbourne, Webroot's director of threat research. Android devices are "the golden key to being able to leverage stolen personal data."

Criminals also know that people intensively use their mobile devices for work and socializing. Devices built on Google's Android operating system have emerged as best sellers globally because of the platform's open design and Google's comparatively lenient app distribution policies, says Vic Alston, chief executive of network testing firm Ixia.

By contrast, Apple tightly controls iOS, the platform of iPhones and iPads.

What's more, many, if not most, mobile device users are ignorant about the rising threat. Fewer than 50% make use of data security features that come with the apps they install on their devices; 72% routinely make connections to insecure Wi-Fi networks, according to a Juniper Networks survey of 4,000 mobile device users.

"Education for users is the first step to reducing their threat exposure," Alston says. Being diligent about using device and app passwords is a good place to start, he says.

Because many device users are in the habit of doing what's most convenient, the military research could be a big help. DARPA has a mandate to translate military research into consumer benefits. And Invincea hopes to introduce Android security software for consumers, based on its military work, in one to two years, Ghosh says.

"It could help in the consumer market much sooner than people think," Alston says. "When it comes to online security, good ideas will always win out."

The military research could also be a boon to Google in a key strategic area: selling more to large corporations.

Android has made good inroads into the business market, but many corporations want more assurance of tight security, says Chenxi Wang, principal security and risk analyst at Forrester Research.

"This secure version of Android, if it ever makes it into the commercial space, will help Google in the enterprise market more than anything else," Wang says.