Android for Work Security whitepaper
Last updated: May 2015
Contents
About this document
Introduction
Android OS
Android Secure OS services
Cryptography and data protection
  Device encryption
  KeyChain and KeyStore
Application security
  Application sandbox and permissions
  Security Enhanced Linux
  Application signing
  Google Play app review
  Verify apps
Network security
  Wi-Fi
  VPN
  Third-party applications
Device and profile management
  Android users
  Managed Profile
  Cross profile intents
  Device and profile policies
Application management
  Google Play for Work
  Secure app serving
  Private apps
  Unknown sources
  Managed App configuration
Security best practices
Conclusion
Android for Work Security whitepaper 2
About this document

This whitepaper provides an overview of various security features that are in place at the OS level and at the Google services layer. It also introduces the new device management capabilities developed for work, which give enterprises the ability to manage a workspace on their users' devices, prevent work data leakage, secure the communication back to the enterprise, and manage the applications installed in their workspace, preventing any unapproved apps from being installed for work.

Introduction

The Android operating system leverages traditional OS security controls to protect user data and system resources, protects device integrity against malware, and provides application isolation. Additionally, Google provides a number of services layered on top of the OS that, when combined with Android OS security, help to continuously protect the Android user.

Android OS

Android is an open source OS that's built on the Linux kernel and provides an environment for multiple applications to run simultaneously. These applications are signed and isolated into application sandboxes associated with their application signature. The application sandbox defines the privileges available to the application. Applications are generally built using Android Runtime and interact with the OS through a framework that describes system services, platform Application Programming Interfaces (APIs), and message formats. Other high-level languages (for example, JavaScript) and lower-level languages (for example, ARM assembly) are allowed and operate within the same application sandbox. System services are implemented as applications and are constrained by an application sandbox. Above the kernel, there's no concept of a superuser or root that has unconstrained access to the system. Figure 1 summarizes the security components and considerations of the various levels of the Android OS.
Android Secure OS services

Android is a multipurpose operating system. Many Android devices provide a secondary, isolated environment to run privileged or security-sensitive operations that don't need the functionality of a multipurpose OS. This environment is sometimes referred to as a Secure OS. These capabilities can be implemented on a separate processor (such as a standalone Secure Element or Trusted Platform Module [TPM]), or can be isolated beneath the kernel on a shared processor (such as ARM TrustZone technology). The Secure OS can be used by the original equipment manufacturer (OEM) to provide device-specific services and applications. Most Android devices implement Widevine DRM-protected video playback services within the Secure OS. Starting with Android 4.3, cryptographic services based in the Secure OS have also been exposed to Android applications via the KeyChain API. This API provides the ability for applications to create keys that cannot be exported, even in the event of an Android compromise.
Cryptography and data protection

Cryptography is used throughout Android to provide confidentiality and integrity. Google supports most of the industry-standard algorithms. The following lists major uses of cryptography on Android:
- Device encryption
- Application signing
- Network connectivity and encryption, including SSL, Wi-Fi, and VPN
Device encryption

Encryption is the process of encoding user data on an Android device using an encrypted key. Once a device is encrypted, all user-created data is automatically encrypted before committing it to disk and all reads automatically decrypt data before returning it to the calling process. Android disk encryption is based on dm-crypt, which is a kernel feature that works at the block device layer. The encryption algorithm is 128-bit Advanced Encryption Standard (AES) with cipher-block chaining (CBC) and ESSIV:SHA256. The master key is encrypted with 128-bit AES via calls to the Android OpenSSL library. OEMs can use 128-bit or higher to encrypt the master key. Android 5.0 introduces the following new encryption features:
- Fast encryption, which only encrypts used blocks on the data partition to avoid first boot taking a long time.
- Added the forceencrypt flag to encrypt on first boot.
- Added support for patterns and encryption without a password.
- Added hardware-backed storage of the encryption key.

In the Android 5.0 release, there are four kinds of encryption states:
- Default
- PIN
- Password
- Pattern

If default encryption is enabled on a device, then upon first boot, the device generates a 128-bit key, which is then encrypted with a default password, and the encrypted key is stored in the crypto metadata. Hardware backing is implemented by using the Trusted Execution Environment's (TEE's) signing capability. The generated 128-bit key is valid until the next factory reset (i.e. until the /data partition is erased). Upon factory reset, a new 128-bit key is generated. When the user sets the PIN or password on the device, only the 128-bit key is re-encrypted and stored (i.e. user PIN/Password/Pattern changes don't cause re-encryption of user data). The Android 5.0 Compatibility Definition Document (CDD) requires that if a device implementation has a lock screen, the device must support full-disk encryption of the application private data; that is, the /data and the SD card partition, if it's a permanent, non-removable part of the device.
Notes:
1. The encryption key must not be written to storage at any time without being encrypted. Other than when in active use, the encryption key must be AES-encrypted with the lock screen passcode stretched, using a slow stretching algorithm. If the user hasn't specified a lock screen passcode or has disabled passcode use for encryption, the system uses a default passcode to wrap the encryption key. If the device provides a hardware-backed keystore, the password stretching algorithm must be cryptographically bound to that keystore.
2. Devices encrypted at first boot cannot be returned to an unencrypted state after factory reset.
KeyChain and KeyStore

Android provides a set of cryptographic APIs for use by applications. These APIs include implementations of standard and commonly used cryptographic primitives, such as AES, Rivest-Shamir-Adleman (RSA), Digital Signature Algorithm (DSA), and Secure Hash Algorithm (SHA). Additionally, APIs are provided for higher-level protocols, such as Secure Socket Layer (SSL) and HTTPS. Android 4.0 introduced the KeyChain class to allow applications to use the system credential storage for private keys and certificate chains. The KeyChain API is used for Wi-Fi and Virtual Private Network (VPN) certificates. The Android KeyStore class lets you store private keys in a container to make it more difficult to extract from the device. It was introduced in Android 4.3 and focuses on applications storing credentials used for authentication, encryption, or signing purposes. Applications can call isBoundKeyAlgorithm in KeyChain before importing or generating private keys of a given algorithm, to determine if hardware-backed keystore is supported to bind keys to the device in a way that makes them non-exportable.
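How an application would use the isBoundKeyAlgorithm check together with the AndroidKeyStore to create and use a non-exportable signing key, as an added example written for this page (not code from the whitepaper). It assumes a hypothetical alias and SHA256withRSA, and uses KeyPairGeneratorSpec, the Android 4.3 to 5.x API.

```java
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyPairGeneratorSpec;

import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Calendar;

import javax.security.auth.x500.X500Principal;

/** Creates a device-bound RSA key in the AndroidKeyStore and signs with it. */
public final class DeviceBoundSigner {
    private static final String ALIAS = "work-auth-key";   // hypothetical alias
    private static final String STORE = "AndroidKeyStore";

    /** True only if RSA keys in this keystore are bound to the device hardware (TEE). */
    public static boolean isHardwareBacked() {
        return KeyChain.isBoundKeyAlgorithm("RSA");
    }

    /** Generates the key pair once; the private key never leaves the keystore. */
    public static void ensureKey(Context context) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE);
        ks.load(null);
        if (ks.containsAlias(ALIAS)) {
            return;
        }
        Calendar start = Calendar.getInstance();
        Calendar end = Calendar.getInstance();
        end.add(Calendar.YEAR, 5);   // validity of the self-signed certificate wrapping the key
        KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(context)
                .setAlias(ALIAS)
                .setSubject(new X500Principal("CN=" + ALIAS))
                .setSerialNumber(BigInteger.ONE)
                .setStartDate(start.getTime())
                .setEndDate(end.getTime())
                .build();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", STORE);
        kpg.initialize(spec);
        kpg.generateKeyPair();   // stored under ALIAS, hardware-backed where the device supports it
    }

    /** Signs data with the non-exportable key; only the signature leaves the keystore. */
    public static byte[] sign(byte[] data) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE);
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);   // handle, not key material
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }
}
```

On Android 6.0 and later, KeyGenParameterSpec replaces KeyPairGeneratorSpec, but the keystore and signing calls are unchanged.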
Application security

Applications are an integral part of any mobile platform and users increasingly download applications to their devices. Android provides multiple layers of application protection, enabling users to download their favorite applications to their devices with the peace of mind that they're getting a high level of protection from malware, security exploits, and attacks. The following subsections define the main Android application security features.
Application sandbox and permissions

Android applications run in what is referred to as an application sandbox. Just like the walls of a sandbox keep the sand from getting out, each application is housed within a virtual sandbox to keep it from accessing anything outside itself. By default, some applications need to use functionality on the device that isn't in the sandbox; for example, accessing contact information. Before installing an application, the user decides whether or not to grant permission to the app to access certain capabilities on the device (for example, Make phone calls). A phone dialer application should naturally be able to make phone calls. On the flip side, if the application is supposed to be a puzzle game, that same request might look a bit more suspicious. By providing these details up front, users can make an educated decision about trusting an app or not.

The Android platform takes advantage of the Linux user-based protection as a means of identifying and isolating application resources. The Android system assigns a unique user ID (UID) to each Android application and runs it as that user in a separate process. This approach is different from other operating systems (including the traditional Linux configuration), where multiple applications run with the same user permissions. This sets up a kernel-level application sandbox. The kernel enforces security between applications and the system at the process level through standard Linux facilities, such as user and group IDs that are assigned to applications. By default, applications can't interact with each other and applications have limited access to the OS. For example, if application A tries to do something malicious like read application B's data or dial the phone without permission (which is a separate application), then the OS protects against this because application A doesn't have the appropriate user privileges. The sandbox is simple, auditable, and based on decades-old, UNIX-style user separation of processes and file permissions. Because the application sandbox is in the kernel, this security model extends to native code and to OS applications. All of the software above the kernel in Figure 1 (including OS libraries, application framework, application runtime, and all applications) runs within the application sandbox. On some platforms, developers are constrained to a specific development framework, set of APIs, or language to enforce security. On Android, there are no restrictions on how an application can be written that are required to enforce security; native code is just as secure as interpreted code. In some operating systems, memory corruption errors generally lead to completely compromising the security of the device. This is not the case in Android due to all applications and their resources being sandboxed at the OS level. A memory corruption error only allows arbitrary code execution in the context of that particular application, with the permissions established by the OS.
Security Enhanced Linux

As part of the Android security model, the Android sandbox also uses Security Enhanced Linux (SELinux) to enforce Mandatory Access Control (MAC) over all processes, even processes running with root and superuser privileges. SELinux provides a centralized, analyzable policy and strongly separates processes from one another. Android includes SELinux in enforcing mode (that is, security policy is enforced and logged) and a corresponding security policy that works by default across the Android Open Source Project (AOSP). In enforcing mode, illegitimate actions that violate policy are prevented and all violations (denials) are logged by the kernel to dmesg and logcat. The Android 5.0 CDD mandates that devices must implement a SELinux policy that allows the SELinux mode to be set on a per-domain basis, with all domains configured in enforcing mode. No permissive mode domains are allowed. The Compatibility Test Suite (CTS) for SELinux ensures security policy compatibility and enforces security best practices.
Application signing

Android requires that all apps be digitally signed with a certificate before they can be installed. The certificate doesn't need to be signed by a certificate authority. Android uses this certificate to identify the author of the application. Android applications often use self-signed certificates and the application developer holds the certificate's private key. When the system installs an update to an application, it compares the certificate in the new version with those in the existing version, and allows the update if the certificate matches. Android allows applications signed by the same certificate to run in the same process, if the applications so request, so that the system treats them as a single application. Android provides signature-based permissions enforcement, so that an application can expose functionality to another app that's signed with a specified certificate. By signing multiple apps with the same certificate, and using signature-based permissions, an app can share code and data in a secure manner.

The key must have a validity period that exceeds the expected lifespan of the app. (A validity period of 25 years or more is recommended.) When a key's validity period expires, users can no longer seamlessly upgrade to new versions of the application.

Note: Applications published on Google Play must be signed with keys that have a validity period ending after October 22, 2033. Google Play enforces this requirement to ensure that users can seamlessly upgrade apps when new versions are available.
Google Play app review

Google Play is Android's app distribution platform that protects users from potentially harmful apps. Google Play has policies in place to protect users from attackers trying to distribute potentially harmful apps. Within Google Play, developers are validated in two stages. Developers are first reviewed when they create their Google Play developer account based on their profile and credit cards. Developers are then reviewed further with additional signals upon app submission. Google regularly scans Play applications for malware and other vulnerabilities. Google also suspends developer accounts that violate developer program policies. Google Play also has ratings and reviews that provide information about an application before installing it. If an app tries to mislead users, it's likely to have a low star rating and poor comments. An example of Google's developer security advocacy was for apps running vulnerable versions of the Apache Cordova platform. Google notified:
- Developers via the Google Play Developer Console and email
- Developers of apps containing private keys or keystore files
Verify apps

Android devices that have Google Play installed have the option of using Google's Verify Apps feature, which scans apps when you install them and periodically scans for potentially harmful apps. App verification is turned on by default, but no data is sent to Google unless the user agrees to allow this when prompted in the dialog box, prior to installing the first app from a source other than Google Play. Verify Apps is available on Android 2.3+ with Google Play. On devices running Android 4.2 or higher, users can enable or disable Verify Apps from Google Settings > Security > Verify Apps. Verify Apps now continually checks devices to ensure that all apps behave in a safer manner, even after installation. This enhancement takes the protection even further, using Android's powerful app scanning system developed by the Android Security and Safe Browsing teams.
Network security

In addition to data-at-rest security protecting information stored on the device, Android provides network security for data-in-transit to protect data sent to and from Android devices. Android provides secure communications over the Internet for web browsing, email, instant messaging, and other Internet applications, by supporting Transport Layer Security (TLS), including TLS v1.0, TLS v1.1, TLS v1.2, and SSL v3.
Wi-Fi

Android supports the WPA2-Enterprise (802.11i) protocol, which is specifically designed for enterprise networks and can be integrated into a broad range of Remote Authentication Dial-In User Service (RADIUS) authentication servers. The WPA2-Enterprise protocol support uses AES-128 encryption in Android 5.0, thus providing corporations and their employees a high level of protection when sending and receiving data over Wi-Fi. Android supports 802.1x Extensible Authentication Protocols (EAPs), including EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and EAP-SIM, introduced in Android 5.0.
VPN

Android supports network security using VPN:
- Always-on VPN: The VPN can be configured so that applications don't have access to the network until a VPN connection is established, which prevents applications from sending data across other networks.
- Per User VPN: On multiuser devices, VPNs are applied per Android user, so all network traffic is routed through a VPN without affecting other users on the device.
- Per Profile VPN: VPNs are applied per Work Profile, which allows an IT administrator to ensure that only their enterprise network traffic goes through the enterprise Work Profile VPN, not the user's personal network traffic.
- Per Application VPN: Android 5.0 provides support to facilitate VPN connections on allowed applications or prevents VPN connections on disallowed applications.
Third-party applications

Google is committed to increasing the use of TLS/SSL in all applications and services. As applications become more complex and connect to more devices, it's easier for applications to introduce networking mistakes by not using TLS/SSL correctly. The Android Security team has built a tool called nogotofail, which provides an easy way to confirm that devices or applications are safe against known TLS/SSL vulnerabilities and misconfigurations. The nogotofail tool works for Android and other operating systems. There's an easy-to-use client to configure the settings and get notifications on Android. The nogotofail tool is released as an open source project so application developers can test their applications, contribute new features to the project, and help improve the network security on Android.
Device and profile management

Android 5.0 introduces the concept of a Device Owner and Profile Owner to support the corporate owned and bring your own device (BYOD) enterprise use cases, respectively. The concept of a Managed Profile is based on the Android multiuser concept, first introduced in Android 4.2 (API 17).
Android users

An Android user is intended to be used by a different physical person and has their own application data, some unique settings, and UI to explicitly switch between them. A user can run in the background when another user is active. A user's data is always isolated from other users. Android supports Primary and Secondary users as defined below:
- A Primary user is the first user added to a device. It can't be removed, except by factory reset. This user also has special privileges and settings only set by that user. The Primary user is always running even when other users are in the foreground.
- A Secondary user is any user added to the device other than the Primary user. A secondary user can be removed by their own doing and by the primary user, but can't impact other users on a device. Secondary users can run in the background and continue to have network connectivity when they do. However, there are some restrictions; for example, not being able to display UI or have Bluetooth services active while in the background. Background secondary users are halted by the system process if the device requires additional memory for operations in the foreground user.
Managed Profile

A Device Policy Client (DPC) is an application used to manage the corporate space on the device. The DPC has access to the device management APIs available in the DevicePolicyManager class and receives callbacks from the system via the DeviceAdminReceiver class. A Work Profile is a managed profile created when the DPC initiates a managed provisioning flow. In this instance, a Work Profile functions like a regular user, but is associated with the primary user in such a way that notifications and the recent task list are shared. Applications, notifications and widgets from the Managed Profile are always badged. Because the Work Profile is a separate Android user, there's a strong separation between the corporate and personal profile, and all data within the Work Profile is managed separately by the enterprise. A Profile Owner is a special case of a device administrator, who can only manage the corporate space on a user's personal device to support the BYOD use case. Profile owners are scoped to the Work Profile and can only be defined as part of the managed provisioning process. The user experience is enhanced to allow the user to easily access both personal and Work Profiles at once. The Profile Owner can't be deactivated by the user; however, the user is always able to view and validate the settings being enforced within the Work Profile. The user can choose to remove the Work Profile and the Profile Owner altogether whenever they desire. A Device Owner is like a Profile Owner, but scoped to the whole device. The Device Owner is the device administrator in the corporate-owned device use case.
Cross profile intents

In the BYOD case, data in the Work Profile is segregated from the user's personal data. However, there are instances where allowing intents from one profile to be resolved in the other can be useful and enhance the enterprise user's productivity. In the Work Profile, IT administrators control sharing between managed and personal profiles. Two new methods have been added in Android 5.0 to the DevicePolicyManager class for cross profile intents: addCrossProfileIntentFilter and clearCrossProfileIntentFilters. By default, the following intents are automatically configured by the system during the Work Profile creation to be forwarded to the Primary Profile:
- Telephony intents
- Mobile network settings
- Home intent: The launcher doesn't run in the Work Profile.
- Get content: The user has the option to resolve in either the Primary or Work Profile.
- Open document: The user has the option to resolve in either the Primary or Work Profile.
- Picture: The user has the option to resolve in either the Primary or Work Profile if an app that can handle camera exists in the Work Profile.
- Set clock: The user has the option to resolve in either the Primary or Work Profile.
- Speech recognition: The user has the option to resolve in either the Primary or Work Profile.

Additionally, the SEND intent, used when sharing content, is configured to offer the user the option to forward the content into the Work Profile.

Note: The SEND intent is not automatically configured to offer the user the option to forward their content from the Work Profile into the primary because some IT administrators consider this a security risk. Instead, the DPC application has the option of adding this functionality, if allowed by a company's IT policy.
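One way a Profile Owner DPC could add the work-to-personal SEND forwarding that the note above leaves to the DPC, gated on company policy, as an added example written for this page (not code from the whitepaper). The class name, the policy flag and the restriction to text/plain are assumptions.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

/** Runs inside the Work Profile as the Profile Owner (hypothetical helper class). */
public final class CrossProfileSharingPolicy {
    private final DevicePolicyManager dpm;
    private final ComponentName admin;   // the DPC's DeviceAdminReceiver component

    public CrossProfileSharingPolicy(Context context, ComponentName admin) {
        this.dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = admin;
    }

    /**
     * Applies the IT policy. With allowWorkToPersonalSharing false the system defaults
     * stand: content can be shared into the Work Profile but not out of it.
     */
    public void apply(boolean allowWorkToPersonalSharing)
            throws IntentFilter.MalformedMimeTypeException {
        // Start from a clean slate so filters from an earlier policy version don't survive.
        dpm.clearCrossProfileIntentFilters(admin);

        if (!allowWorkToPersonalSharing) {
            return;
        }
        // Keep the opening narrow: only plain-text SEND, not arbitrary MIME types or files.
        IntentFilter textShare = new IntentFilter(Intent.ACTION_SEND);
        textShare.addCategory(Intent.CATEGORY_DEFAULT);
        textShare.addDataType("text/plain");
        // FLAG_MANAGED_CAN_ACCESS_PARENT: an intent sent from the managed (work) profile
        // may be resolved by activities in the parent (personal) profile.
        dpm.addCrossProfileIntentFilter(admin, textShare,
                DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT);
    }
}
```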
Device and profile policies

Android 5.0 adds a number of security policies and configurations for both device and profile management. IT administrators can set these policies (indirectly) via a mobile device management (MDM) solution to secure work data on their employees' devices. The following table lists these policies, indicating whether they apply to devices for corporate-owned device cases or profiles for BYOD cases.

Policy    Device    Profile
addCrossProfileIntentFilter
addCrossProfileWidgetProvider
addPersistentPreferredActivity
addUserRestriction
clearCrossProfileIntentFilters
clearDeviceOwnerApp
clearPackagePersistentPreferredActivities
clearUserRestriction
createAndInitializeUser
enableSystemApp
installCaCert
installKeyPair
lockNow
removeActiveAdmin
removeCrossProfileWidgetProvider
removeUser
resetPassword
setAccountManagementDisable
setApplicationHidden
setApplicationRestrictions
setAutoTimeRequired
setCameraDisabled
setCrossProfileIdDisabled
setGlobalSetting
setKeyguardDisabledFeatures
setLockTaskPackages
setMasterVolumeMuted
setMaximumFailedPasswordsForWipe
setMaximumTimeToLock
setPasswordExpirationTimeout
setPasswordHistoryLength
setPasswordMinimumLength
setPasswordMinimumLetters
setPasswordMinimumLowerCase
setPasswordMinimumNonLetter
setPasswordMinimumNumeric
setPasswordMinimumSymbols
setPasswordMinimumUpperCase
setPasswordQuality
setPermittedAccessibilityServices
setPermittedInputMethods
setProfileEnabled
setProfileName
setRecommendedGlobalProxy
setRestrictionsProvider
setScreenCaptureDisabled
setSecureSetting
setStorageEncryption
setUninstallBlocked
switchUser
uninstallAllUserCaCerts
uninstallCaCert
wipeData
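A baseline that combines several of the policies in the table, applied from a DPC and followed by a compliance check, as an added example written for this page (not from the whitepaper or any EMM product). The threshold values are assumptions a deployment would tune.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;

/** Applies a lock screen, wipe, encryption and data-leak baseline (hypothetical class). */
public final class BaselinePolicy {
    private final DevicePolicyManager dpm;
    private final ComponentName admin;   // the DPC's DeviceAdminReceiver component

    public BaselinePolicy(Context context, ComponentName admin) {
        this.dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = admin;
    }

    /** Sets the policies; a Profile Owner's calls are scoped to the Work Profile only. */
    public void apply() {
        // Credential strength: alphanumeric, at least 8 characters (assumed values).
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, 8);
        // Brute-force limit: the 10th failed attempt wipes the device or Work Profile.
        dpm.setMaximumFailedPasswordsForWipe(admin, 10);
        // Auto-lock after five minutes of inactivity (value in milliseconds).
        dpm.setMaximumTimeToLock(admin, 5 * 60 * 1000L);
        // Keep work notifications and widgets off the secure lock screen.
        dpm.setKeyguardDisabledFeatures(admin,
                DevicePolicyManager.KEYGUARD_DISABLE_WIDGETS_ALL
                | DevicePolicyManager.KEYGUARD_DISABLE_SECURE_NOTIFICATIONS);
        // Ask for storage encryption (already mandatory with a lock screen under the 5.0 CDD).
        dpm.setStorageEncryption(admin, true);
        // Data leakage controls for the managed device or profile.
        dpm.setCameraDisabled(admin, true);
        dpm.setScreenCaptureDisabled(admin, true);
    }

    /** True when the active credential meets the policy and storage is encrypted. */
    public boolean isCompliant() {
        boolean passwordOk = dpm.isActivePasswordSufficient();
        boolean encrypted = dpm.getStorageEncryptionStatus()
                == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE;
        return passwordOk && encrypted;
    }
}
```

The DPC would call isCompliant() before releasing work data and report the result to the EMM, rather than trusting that apply() succeeded.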
Application management

Android for Work creates a secure framework for companies to put any application in Google Play to work for them in a simple, standard way. Through Google Play for Work, an enterprise version of Google Play, IT administrators can easily find, deploy, and manage work applications while ensuring malware and other threats are neutralized.
Google Play for Work

Google Play for Work provides APIs for use by Enterprise Mobility Management (EMM) vendors to allow them to manage applications on devices in an Android for Work domain. The APIs provide functionality for use (indirectly) by administrators of the enterprises managed by the EMM as follows:
- An IT administrator can remotely install or remove apps on managed Android for Work devices via the EMM's app. This action is limited to devices or profiles that are managed by the EMM's app, which ensures that the user has consented to the EMM's access.
- An IT administrator can define which users should be able to see which apps. A user running the Play Store app within the Work Profile only sees the apps visible to them.
- Enterprise administrators can see which users have apps installed or provisioned, and the number of licenses purchased and provisioned.

Installation of applications within the Work Profile is possible via Google Play for Work in the Work Profile, either by direct user request in the managed Play Store app (pull), or as a result of a call to the EMM API (push). When the user opens the Play Store app in the Work Profile, it only displays the apps which the IT administrator has specified the user can access. The user can install these applications, but not others.
Secure app serving

Transport of all Android application packages (APKs) and app metadata between Google Play and Android devices is encrypted using SSL. App access is authenticated and authorized using the Google Account created as part of user registration in the Android for Work domain.
Private apps

With Google Play for Work, apps can be published by an enterprise customer and targeted privately (i.e. they're only visible and installable by users within that enterprise's Android for Work domain). Private apps are logically separated in Google's cloud infrastructure from Google Play for consumers. There are two modes of delivery for private apps:
- Google hosted: By default, Google hosts the APK in its secure data centers.
- Externally hosted: Enterprise customers host APKs on their own servers accessible only on their intranet or via VPN. Details of the requesting user and their authorization are provided via a JSON Web Token (JWT) with an expiry time. The JWT is signed by Google using the key pair associated with the specific app in Play, and should be verified before trusting the authorization contained in the JWT.

In both cases, Google Play for Work stores the app metadata: title, description, graphics, and screenshots. Apps must comply with all Google Play policies in all cases.
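The verification step the externally hosted mode calls for, on the enterprise's APK server, as an added example written for this page (not Google's code). It assumes the token is a compact JWS signed with RS256 and that the Play public key for the app has been loaded out of band; the algorithm is pinned before the signature is checked, and claims are read only after it verifies.

```java
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Checks a Play-issued JWT before the APK server honors the authorization it carries. */
public final class ExternalApkTokenCheck {
    private static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"([A-Za-z0-9]+)\"");
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    /**
     * Returns true only if the signature verifies under playPublicKey and the token has
     * not expired at nowSeconds (Unix time). Any malformed token is rejected.
     */
    public static boolean isValid(String jwt, PublicKey playPublicKey, long nowSeconds) {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) {
            return false;
        }
        try {
            Base64.Decoder b64 = Base64.getUrlDecoder();   // base64url, padding optional
            String header = new String(b64.decode(parts[0]), StandardCharsets.UTF_8);
            // Pin the algorithm: the token must not get to choose "none" or an HMAC variant.
            Matcher alg = ALG.matcher(header);
            if (!alg.find() || !"RS256".equals(alg.group(1))) {
                return false;
            }
            // The signature covers the ASCII bytes of "header.payload".
            byte[] signedInput = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(playPublicKey);
            verifier.update(signedInput);
            if (!verifier.verify(b64.decode(parts[2]))) {
                return false;
            }
            // Only now inspect the claims: the expiry time must still be in the future.
            String payload = new String(b64.decode(parts[1]), StandardCharsets.UTF_8);
            Matcher exp = EXP.matcher(payload);
            return exp.find() && Long.parseLong(exp.group(1)) > nowSeconds;
        } catch (Exception e) {   // bad base64, wrong key type, malformed signature
            return false;
        }
    }
}
```

A server that serves the APK whenever a token is merely present, without this check, would hand the package to anyone who can reach the intranet URL.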
Unknown sources

By default, the Unknown sources setting under Settings > Security > Unknown sources is off. The Device Owner or Profile Owner can disable user control of Unknown sources in the Managed Device or Work Profile by setting the DISALLOW_INSTALL_UNKNOWN_SOURCES user restriction to True using addUserRestriction. The default value for the DISALLOW_INSTALL_UNKNOWN_SOURCES user restriction in both Device Owner and Profile Owner is false. When DISALLOW_INSTALL_UNKNOWN_SOURCES is set to true by the Device Owner or Profile Owner, the user cannot modify the Unknown sources security setting on the device or Work Profile; however, in the case of Work Profile, the user can still modify the Unknown sources setting in their personal space. Additionally, the sideloading of applications using Android Debug Bridge (adb) can be disabled via the DISALLOW_DEBUGGING_FEATURES user restriction in a Managed Device by Device Owner, or Work Profile by Profile Owner. The default value of DISALLOW_DEBUGGING_FEATURES for both Device Owner and Profile Owner is false. Setting DISALLOW_INSTALL_UNKNOWN_SOURCES and DISALLOW_DEBUGGING_FEATURES user restrictions to True by EMMs provides an extra measure of assurance to IT administrators that only company-approved apps will be deployed using Google Play for Work to users in a corporate-managed device or profile.
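The two restrictions applied from a DPC, with an ownership check beforehand and an effective-state check afterwards, as an added example written for this page (not code from the whitepaper). The class and method names are hypothetical; the restriction keys are the UserManager constants named above.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;

/** Locks down app sources for the managed device or Work Profile (hypothetical class). */
public final class AppSourceLockdown {
    private final Context context;
    private final DevicePolicyManager dpm;
    private final ComponentName admin;   // the DPC's DeviceAdminReceiver component

    public AppSourceLockdown(Context context, ComponentName admin) {
        this.context = context;
        this.dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = admin;
    }

    /** True if this DPC is Device Owner or Profile Owner and may set user restrictions. */
    public boolean canManage() {
        String pkg = context.getPackageName();
        return dpm.isDeviceOwnerApp(pkg) || dpm.isProfileOwnerApp(pkg);
    }

    /** Applies both restrictions; the user can no longer toggle them for this user/profile. */
    public void apply() {
        if (!canManage()) {
            throw new IllegalStateException("not Device Owner or Profile Owner");
        }
        // Removes user control of "Unknown sources"; Play for Work stays the only install path.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        // Disables adb sideloading and other debugging features for this user/profile.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_DEBUGGING_FEATURES);
    }

    /** Reads the effective state back, e.g. for a compliance report to the EMM. */
    public boolean isEnforced() {
        UserManager um = (UserManager) context.getSystemService(Context.USER_SERVICE);
        return um.hasUserRestriction(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES)
                && um.hasUserRestriction(UserManager.DISALLOW_DEBUGGING_FEATURES);
    }
}
```

When the DPC is a Profile Owner, both restrictions and the isEnforced() result apply to the Work Profile only; the personal space is unaffected, as the text notes.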
Managed App configuration

Android for Work provides the ability to set policies on a per-application basis, where the app developer has made this available. For example, an app could allow an IT administrator to remotely control the availability of features, configure settings, or set in-app credentials. The setApplicationRestrictions method allows EMMs to configure these restrictions via the DevicePolicyManager class. Google Chrome is an example of an enterprise-managed app that implements policies and configurations that can be fully managed according to enterprise policies and restrictions.
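Both halves of a managed app configuration, the DPC pushing settings with setApplicationRestrictions and the managed app reading them through RestrictionsManager, as an added example written for this page (not code from the whitepaper or from Chrome). The package name, restriction keys and default URL are hypothetical.

```java
import android.app.admin.DevicePolicyManager;
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.RestrictionsManager;
import android.os.Bundle;

/** DPC side: pushes configuration to one managed app. */
final class WorkAppConfigurator {
    static final String WORK_APP = "com.example.workapp";   // hypothetical package name

    static void push(Context context, ComponentName admin, String intranetUrl) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        Bundle config = new Bundle();
        config.putString("server_url", intranetUrl);   // keys the app documents (assumed)
        config.putBoolean("allow_export", false);       // feature toggle decided by IT
        // Only a Device Owner or Profile Owner may call this; it applies to this user/profile.
        dpm.setApplicationRestrictions(admin, WORK_APP, config);
    }
}

/** Managed app side: reads the restrictions and re-reads them when the DPC changes them. */
final class WorkAppConfig {
    private static final String DEFAULT_URL = "https://intranet.example.com";   // assumed

    /** Effective configuration; absent keys fall back to the safe (restrictive) default. */
    static Bundle load(Context context) {
        RestrictionsManager rm =
                (RestrictionsManager) context.getSystemService(Context.RESTRICTIONS_SERVICE);
        Bundle applied = rm.getApplicationRestrictions();   // empty Bundle when unmanaged
        Bundle effective = new Bundle();
        effective.putString("server_url", applied.getString("server_url", DEFAULT_URL));
        effective.putBoolean("allow_export", applied.getBoolean("allow_export", false));
        return effective;
    }

    /** Runs onChange whenever the system reports that the app's restrictions changed. */
    static void watch(Context context, final Runnable onChange) {
        context.registerReceiver(new BroadcastReceiver() {
            @Override
            public void onReceive(Context c, Intent i) {
                onChange.run();
            }
        }, new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED));
    }
}
```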
Security best practices

Google designed Android and Google Play to provide everyone with a safer experience. With that goal in mind, the Android Security team works hard to minimize the security risks on Android devices. Google's multilayered approach starts with prevention and continues with malware detection and rapid response should any issues arise. More specifically, Google:
- Strives to prevent security issues from occurring through design reviews, penetration testing and code audits
- Performs security reviews prior to releasing new versions of Android and Google Play
- Publishes the source code for Android, thus allowing the broader community to uncover flaws and contribute to making Android the most secure mobile platform
- Works hard to minimize the impact of security issues with features like the application sandbox
- Detects vulnerabilities and security issues by regularly scanning Google Play applications for malware, and removing them from devices if there's a potential for serious harm to the user devices or data
- Has a rapid response program in place to handle vulnerabilities found in Android by working with hardware and carrier partners to quickly resolve security issues and push security patches
The Android team works very closely with the wider security research community to share ideas, apply best practices, and implement improvements. Android is part of the Google Patch Reward Program, which pays developers when they contribute security patches to popular open source projects, many of which form the foundation for AOSP. Google is also a member of the Forum of Incident Response and Security Teams (FIRST).
Conclusion

For a long time, being secure has been synonymous with being closed. But the mobile ecosystem is now transitioning from closed, isolated platforms towards open platforms that foster innovation and allow interoperability with confidence. Android gains security from being more open. Android's security is built to protect its users in a complex ecosystem that includes system-on-a-chip vendors (SoCs), OEMs, service providers, independent software vendors (ISVs), and enterprises, just to name a few. Google's commitment to security for all Android users includes a combination of built-in security features in the platform (such as application sandboxing) and Google services-based protections (such as Google Play and Verify apps). Behind Google Play's attempt to protect against potentially harmful applications is a vast, systemic knowledge of Android applications accumulated over many years, beginning with the onset of Android. Google Play uses a combination of static, dynamic, and relationship analysis, combined with thousands of unique signals to analyze each application. Every application on Google Play is reviewed through a combination of technology, human review, and user community flags.

Finally, Android 5.0 enhances Android device management capabilities by introducing Work Profiles. In the context of Android for Work, enterprises rely on Google Play for Work for deploying applications. Unknown sources and third-party marketplaces can be disallowed by EMMs, thus protecting employees' devices from any potential malicious applications being installed in the Work Profile.