Android is the leading mobile operating system, but there are some important things for enterprise adopters to consider, according to a mobile forensics expert.

Smartphones and tablets have become indispensable for business, but enterprises should proceed with caution when deploying devices running Android, according to Michael Spreitzenbarth, team lead and IT security consultant at Siemens CERT.

“With around 300 security vulnerabilities reported in Android in the first nine months of 2015 and more than 200 vulnerabilities found in 150 apps tested, enterprises need to think about the risks as well as the benefits,” he told the (ISC)2 Security Congress, Europe, the Middle-East and Africa 2015 in Munich.

The biggest benefits of using Android in the enterprise are cost and choice: Android devices, accessories and apps tend to be less expensive than those for competing operating systems, and with more than a million apps in the official Android app store there is an app for almost every use case.

“This offers enterprises huge cost savings, as they are unlikely to need to develop any apps themselves to meet their business needs, and a larger proportion of apps in the Android app stores are available free of charge,” said Spreitzenbarth.

However, he said enterprises should be aware that many manufacturers do not talk about security vulnerabilities in their devices, patching is poor, there are few security advisories available, and research shows 87% of Android devices are vulnerable to at least one critical attack.

“Although Google patches fast and diligently, manufacturers tend to patch only if media pressure is very high because it takes time and money to update all versions of Android in use on their devices, and service providers have to approve and sometimes modify each patch,” said Spreitzenbarth.

As a result, security updates can take weeks, months or even years to be distributed and applied.


Manufacturers also tend to be slow to respond to reports of security vulnerabilities, he said, citing one case where it took a manufacturer nearly a year to roll out security patches after being notified of a severe vulnerability affecting several devices.

Another key security challenge for enterprises using Android devices is that there is no general device management application programming interface (API) for mobile device management (MDM) systems that can be used across all devices.

“There is often even no device management API for all devices from the same manufacturer or the same version of Android, which makes it difficult to create and apply a company-wide security policy, which is particularly challenging for multinational companies,” said Spreitzenbarth.

Third-party applications also represent a danger, he said, with many of these apps containing code designed to collect sensitive or personal data from users.

In light of the risks, he said enterprises using Android devices need to pay particular attention to user awareness, device hardening, vulnerability management and application testing.

“Users tend to install anything and everything, so companies need to ensure employees understand the threats and the importance of abiding by mobile security policies.

“They need to treat corporate data the same way as personal secrets and treat data on mobile devices the same way as data on laptops and desktops.”

Spreitzenbarth said companies should create and maintain guides for hardening all Android devices in use by employees and ensure those guidelines are enforced.

Enterprises should also make sure they know the security risks associated with every device in use by employees, and take steps to mitigate these continually emerging risks.
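One concrete way to keep track of the patch lag described above is to inventory the security patch level of every enrolled device. The following Python script is an added example, not code from the talk or from Siemens CERT: it parses the output of `adb shell getprop` for each device (the three property dumps and the device names and serials are constructed for illustration) and flags devices whose `ro.build.version.security_patch` value, a property that exists on Android 6.0 (API 23) and later, is older than an assumed 90-day policy threshold, builds that predate the property altogether, and builds that are debuggable or signed with test keys.

```python
"""Fleet patch-level check for enrolled Android devices.

Added example, not from the talk: parses `adb shell getprop` output per device
and flags stale or untrustworthy builds. The property dumps are constructed.
"""
import re
from datetime import date, datetime

# Lines of `adb shell getprop` look like:  [ro.build.version.sdk]: [23]
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")
MAX_PATCH_AGE_DAYS = 90  # assumed policy threshold, not a value from the talk
REFERENCE_DATE = date(2015, 11, 10)  # assumed "today" for the sample run

# Constructed sample dumps for three devices (trimmed to the relevant properties).
DEVICE_DUMPS = {
    "nexus5": """\
[ro.product.model]: [Nexus 5]
[ro.serialno]: [0a1b2c3d]
[ro.build.version.release]: [6.0]
[ro.build.version.sdk]: [23]
[ro.build.version.security_patch]: [2015-10-01]
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
""",
    "vendor_phone": """\
[ro.product.model]: [VendorPhone X1]
[ro.serialno]: [4e5f6a7b]
[ro.build.version.release]: [5.0.2]
[ro.build.version.sdk]: [21]
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
""",
    "dev_tablet": """\
[ro.product.model]: [DevTab 10]
[ro.serialno]: [8c9d0e1f]
[ro.build.version.release]: [6.0]
[ro.build.version.sdk]: [23]
[ro.build.version.security_patch]: [2015-07-01]
[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
""",
}


def parse_getprop(text):
    """Turn getprop output into a dict of property name -> value."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def assess_device(text, today):
    """Return patch-level status and policy findings for one device dump."""
    props = parse_getprop(text)
    sdk = int(props.get("ro.build.version.sdk") or 0)
    result = {
        "serial": props.get("ro.serialno", "unknown"),
        "model": props.get("ro.product.model", "unknown"),
        "release": props.get("ro.build.version.release", "unknown"),
        "sdk": sdk,
        "patch_level": props.get("ro.build.version.security_patch"),
        "days_stale": None,
        "findings": [],
    }
    if result["patch_level"]:
        try:
            patch = datetime.strptime(result["patch_level"], "%Y-%m-%d").date()
        except ValueError:
            result["findings"].append(f"unparseable security_patch value {result['patch_level']!r}")
        else:
            result["days_stale"] = (today - patch).days
            if result["days_stale"] > MAX_PATCH_AGE_DAYS:
                result["findings"].append(
                    f"security patch level {result['patch_level']} is {result['days_stale']} days old")
    elif sdk and sdk < 23:
        # The property only exists from Android 6.0 (API 23); older builds carry
        # no monthly patch level at all and should be treated as unpatched.
        result["findings"].append(f"Android {result['release']} predates the security_patch property")
    else:
        result["findings"].append("no ro.build.version.security_patch reported")
    if props.get("ro.debuggable") == "1":
        result["findings"].append("ro.debuggable=1: userdebug/eng build, adb root is available")
    if props.get("ro.build.tags") == "test-keys":
        result["findings"].append("build signed with test-keys, not a production release image")
    return result


def fleet_report(dumps, today):
    """Assess every device dump, preserving the input order."""
    return [assess_device(text, today) for text in dumps.values()]


def noncompliant(dumps, today):
    """Serials of devices with at least one finding, e.g. for the MDM to quarantine."""
    return sorted(r["serial"] for r in fleet_report(dumps, today) if r["findings"])


if __name__ == "__main__":
    for r in fleet_report(DEVICE_DUMPS, REFERENCE_DATE):
        status = "OK" if not r["findings"] else "; ".join(r["findings"])
        print(f"{r['serial']} {r['model']} (Android {r['release']}, patch {r['patch_level']}): {status}")
```

In practice the dumps come from `adb shell getprop` over USB or from the MDM's device inventory, and the threshold should follow the organisation's own patch policy; a device that cannot report a patch level at all is the case the talk warns about, so the script treats it as non-compliant rather than unknown.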

“Organisations should test every business app to ascertain what data it is able to access. Automated tests are a good place to start,” said Spreitzenbarth.
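As an added example of such an automated test (not the speaker's own tooling), the Python script below performs a static audit of an app's AndroidManifest.xml after it has been decoded to plain XML, for instance with apktool; the manifest and the package name `com.example.fieldapp` are constructed for illustration. It lists the requested permissions that grant access to personal data or sensors, and flags settings that let other apps, or anyone with a USB cable, read the app's data: backups left enabled, a debuggable build, and exported components with no permission guard (before API 31 an activity, service or receiver with an intent filter is exported by default, and a content provider is exported by default when targetSdkVersion is below 17).

```python
"""Static data-access audit of an Android app manifest.

Added example, not the speaker's tooling. Input is an AndroidManifest.xml already
decoded to plain XML (e.g. by apktool); the manifest below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER = "android.intent.category.LAUNCHER"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Permissions that give an app access to personal data or to sensors.
DATA_ACCESS_PERMS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALENDAR", "android.permission.GET_ACCOUNTS",
    "android.permission.READ_PHONE_STATE", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed sample manifest (package name and components are hypothetical).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fieldapp">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="16"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Field App" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".PushReceiver" android:exported="true"
              android:permission="com.google.android.c2dm.permission.SEND"/>
    <provider android:name=".CustomerProvider"
              android:authorities="com.example.fieldapp.customers"/>
  </application>
</manifest>
"""


def a(attr):
    """Fully qualified android: attribute name for ElementTree lookups."""
    return f"{{{ANDROID_NS}}}{attr}"


def is_exported(comp, target_sdk):
    """Apply the platform's default exported rules when the attribute is absent."""
    explicit = comp.get(a("exported"))
    if explicit is not None:
        return explicit == "true"
    if comp.tag == "provider":
        return target_sdk < 17          # providers default to exported below API 17
    return comp.find("intent-filter") is not None  # pre-API 31 default


def is_guarded(comp):
    """True if reaching the component requires holding a permission."""
    if comp.tag == "provider":
        return any(comp.get(a(x)) for x in ("permission", "readPermission", "writePermission"))
    return comp.get(a("permission")) is not None


def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(uses_sdk.get(a("targetSdkVersion"), "1")) if uses_sdk is not None else 1
    perms = sorted(e.get(a("name")) for e in root.findall("uses-permission"))
    sensitive = [p for p in perms if p in DATA_ACCESS_PERMS]
    findings = [f"requests data-access permission {p}" for p in sensitive]

    app = root.find("application")
    if app is not None:
        if app.get(a("allowBackup"), "true") != "false":
            findings.append("allowBackup not disabled: app data can be pulled with `adb backup`")
        if app.get(a("debuggable")) == "true":
            findings.append("debuggable=true: a debugger can attach and run-as can read private data")
        for comp in app:
            if comp.tag not in COMPONENT_TAGS or not is_exported(comp, target_sdk):
                continue
            # The launcher activity is expected to be exported; everything else must justify it.
            if any(c.get(a("name")) == LAUNCHER for c in comp.iter("category")):
                continue
            if not is_guarded(comp):
                findings.append(f"exported {comp.tag} {comp.get(a('name'))} has no permission guard")
    return {"package": root.get("package"), "target_sdk": target_sdk,
            "permissions": perms, "sensitive": sensitive, "findings": findings}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(f"{report['package']} (targetSdk {report['target_sdk']})")
    for f in report["findings"]:
        print(" -", f)
```

A manifest audit only shows what an app declares it can reach; pairing it with a dynamic run on an instrumented device, watching which content providers and network endpoints the app actually touches, is the next step once the static pass has triaged the app store down to the candidates worth the effort.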

On a positive note, he said Google is working to improve the situation with initiatives such as Android for Work, which is designed to enable IT to manage and secure business applications on a work-specific profile, better APIs for MDM, and the introduction of the Nexus Security Bulletin, which is the first public Android security advisory.

Other Android security initiatives include Samsung’s Knox, a set of enterprise mobility management services that offers mobile device and data protection and management.