Android may well be its own biggest enemy.

Though Apple’s iOS competes with Android for mastery of high-end devices, Android has emerging markets and much of established markets all to itself. According to IDC, Android controls 78% of the smartphone market, market share not seen since Microsoft’s Windows consumed the PC market.

This is, unfortunately, an apt comparison.

Though Windows never had Android’s fragmentation problems, the two operating systems have managed to dominate even as they offered rampant security holes for would-be hackers to exploit. And while Android’s problems had been a minor consumer nuisance, with the BYOD phenomenon in full effect, Android’s issues are increasingly enterprise problems and may demand an enterprise solution:

Buy Apple.

Fragmentation, thy name is Android

Google’s open-source Android strategy has always been a bit Wild West. Though some complain that Android is open source in name only, the reality of its unmetered distribution means that no one really controls Android.

At least, not in the sense that Apple controls iOS.

As such, Android fragmentation has accelerated over the years. A picture may be worth one thousand words. Here is OpenSignal’s analysis of Android fragmentation in 2014:

And in 2015:

These pictures of Android fragmentation suggest both the promise and peril of Android. Promise, because with over 24,000 devices to choose from (up from 11,868 in 2013), consumers can find a device that matches them perfectly. But peril, because there’s simply no good way to write apps that fit an OS ecosystem that has doubled its fragmentation over the last two years.

Or secure them.

Patching the unpatchable

As Fortinet’s Chris Dawson writes, “Mobile malware remains almost exclusively a problem for Android.” Sure, iOS isn’t impermeable, and it has its share of vulnerabilities, but both because of its market share and its fragmentation, Android is the target of choice for mobile hackers.

Dawson goes on: “Unpatched security holes are the norm, unfortunately, rather than the exception, and the heterogeneity of user devices further complicates management in BYOD and corporate deployments.”

What this means, in practice, is that “Android has become a viable vector for a variety of attacks against both end users and organizational targets.”

If anyone had reservations about this, Stagefright demolished them.

Stagefright, as described by Lucian Constantin, makes Android (in)security as easy as sending a specially crafted MMS message to an Android device. All that is required is the victim’s phone number. How comforting.

But then there are others, like CVE-2015-3825, which afflicts 55% of all Android smartphones and gives a hacker system-level access to the device. The list goes on.

Corporations get involved again

The BYOD movement has been the norm for years, but we may see enterprises get involved in device selection again. At my own company, Android devices are allowed, but access to the corporate network requires running an updated OS.

I think we’ll see more of this. We’ll have to. Mobile devices used to be for what you did when you weren’t working. They were a sideshow. Now, they’re main stage, and they come and go on enterprise networks constantly, accessing sensitive data and giving others access to that same data through security holes.

No one is going to turn back the clock on Android, but I suspect we’ll see companies privilege iOS in purchasing (maybe a richer reimbursement), as well as insist upon regular updates to the newest, more secure Android operating system.

And maybe, just maybe, companies will try to dictate iOS-only policies. So long as the companies pay for them, this just might fly.