
Android for Work Security whitepaper
Last updated: May 2015

Contents

• About this document
• Introduction
• Android OS
  • Android Secure OS services
• Cryptography and data protection
  • Device encryption
  • KeyChain and KeyStore
• Application security
  • Application sandbox and permissions
  • Security Enhanced Linux
  • Application signing
  • Google Play app review
  • Verify apps
• Network security
  • Wi-Fi
  • VPN
  • Third-party applications
• Device and profile management
  • Android users
  • Managed Profile
  • Cross profile intents
  • Device and profile policies
• Application management
  • Google Play for Work
  • Secure app serving
  • Private apps
  • Unknown sources
  • Managed App configuration
• Security best practices
• Conclusion


About this document

This whitepaper provides an overview of various security features that are in place at the OS level and at the Google services layer. It also introduces the new device management capabilities developed for work, which give enterprises the ability to manage a workspace on their users' devices, prevent work data leakage, secure the communication back to the enterprise, and manage the applications installed in their workspace, preventing any unapproved apps from being installed for work.

Introduction

The Android operating system leverages traditional OS security controls to protect user data and system resources, protects device integrity against malware, and provides application isolation. Additionally, Google provides a number of services layered on top of the OS that, when combined with Android OS security, help to continuously protect the Android user.

Android OS

Android is an open source OS that's built on the Linux kernel and provides an environment for multiple applications to run simultaneously. These applications are signed and isolated into application sandboxes associated with their application signature. The application sandbox defines the privileges available to the application. Applications are generally built using Android Runtime and interact with the OS through a framework that describes system services, platform Application Programming Interfaces (APIs), and message formats. Other high-level languages (for example, JavaScript) and lower-level languages (for example, ARM assembly) are allowed and operate within the same application sandbox. System services are implemented as applications and are constrained by an application sandbox. Above the kernel, there's no concept of a superuser or root that has unconstrained access to the system. Figure 1 summarizes the security components and considerations of the various levels of the Android OS.


Android Secure OS services

Android is a multipurpose operating system. Many Android devices provide a secondary, isolated environment to run privileged or security-sensitive operations that don't need the functionality of a multipurpose OS. This environment is sometimes referred to as a Secure OS. These capabilities can be implemented on a separate processor (such as a standalone Secure Element or Trusted Platform Module [TPM]), or can be isolated beneath the kernel on a shared processor (such as ARM TrustZone technology). The Secure OS can be used by the original equipment manufacturer (OEM) to provide device-specific services and applications. Most Android devices implement Widevine DRM-protected video playback services within the Secure OS. Starting with Android 4.3, cryptographic services based in the Secure OS have also been exposed to Android applications via the KeyChain API. This API provides the ability for applications to create keys that cannot be exported, even in the event of an Android compromise.


Cryptography and data protection

Cryptography is used throughout Android to provide confidentiality and integrity. Google supports most of the industry-standard algorithms. The following lists major uses of cryptography on Android:

• Device encryption
• Application signing
• Network connectivity and encryption, including SSL, Wi-Fi, and VPN

Device encryption

Encryption is the process of encoding user data on an Android device using an encrypted key. Once a device is encrypted, all user-created data is automatically encrypted before committing it to disk and all reads automatically decrypt data before returning it to the calling process. Android disk encryption is based on dm-crypt, which is a kernel feature that works at the block device layer. The encryption algorithm is 128-bit Advanced Encryption Standard (AES) with cipher-block chaining (CBC) and ESSIV:SHA256. The master key is encrypted with 128-bit AES via calls to the Android OpenSSL library. OEMs can use 128-bit or higher to encrypt the master key. Android 5.0 introduces the following new encryption features:

• Fast encryption, which only encrypts used blocks on the data partition to avoid first boot taking a long time.
• Added the forceencrypt flag to encrypt on first boot.
• Added support for patterns and encryption without a password.
• Added hardware-backed storage of the encryption key.

In the Android 5.0 release, there are four kinds of encryption states:

• Default
• PIN
• Password
• Pattern

If default encryption is enabled on a device, then upon first boot, the device generates a 128-bit key, which is then encrypted with a default password, and the encrypted key is stored in the crypto metadata. Hardware backing is implemented by using the Trusted Execution Environment's (TEE's) signing capability. The generated 128-bit key is valid until the next factory reset (i.e. until the /data partition is erased). Upon factory reset, a new 128-bit key is generated. When the user sets the PIN or password on the device, only the 128-bit key is re-encrypted and stored (i.e. user PIN/Password/Pattern changes don't cause re-encryption of user data). The Android 5.0 Compatibility Definition Document (CDD) requires that if a device implementation has a lock screen, the device must support full-disk encryption of the application private data; that is, the /data and the SD card partition, if it's a permanent, non-removable part of the device.


Notes:

1. The encryption key must not be written to storage at any time without being encrypted. Other than when in active use, the encryption key must be AES-encrypted with the lock screen passcode stretched, using a slow stretching algorithm. If the user hasn't specified a lock screen passcode or has disabled passcode use for encryption, the system uses a default passcode to wrap the encryption key. If the device provides a hardware-backed keystore, the password stretching algorithm must be cryptographically bound to that keystore.

2. Devices encrypted at first boot cannot be returned to an unencrypted state after factory reset.

KeyChain and KeyStore

Android provides a set of cryptographic APIs for use by applications. These APIs include implementations of standard and commonly used cryptographic primitives, such as AES, Rivest-Shamir-Adleman (RSA), Digital Signature Algorithm (DSA), and Secure Hash Algorithm (SHA). Additionally, APIs are provided for higher-level protocols, such as Secure Socket Layer (SSL) and HTTPS. Android 4.0 introduced the KeyChain class to allow applications to use the system credential storage for private keys and certificate chains. The KeyChain API is used for Wi-Fi and Virtual Private Network (VPN) certificates. The Android KeyStore class lets you store private keys in a container to make it more difficult to extract from the device. It was introduced in Android 4.3 and focuses on applications storing credentials used for authentication, encryption, or signing purposes. Applications can call isBoundKeyAlgorithm in KeyChain before importing or generating private keys of a given algorithm, to determine if a hardware-backed keystore is supported to bind keys to the device in a way that makes them non-exportable.
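As an added example (not code from the whitepaper or from Google), the check described above in an app: KeyChain.isBoundKeyAlgorithm is consulted before a signing key is generated in the Android KeyStore through the Android 4.3 to 5.x KeyPairGeneratorSpec API, and generation is refused when the key would not be hardware-bound. The alias, the certificate subject and the refusal policy are this example's own choices.

```java
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyPairGeneratorSpec;

import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Calendar;
import javax.security.auth.x500.X500Principal;

/**
 * Generates a device-bound signing key and uses it without the private key material ever
 * leaving the keystore. Creation is refused when the device cannot bind the key to hardware,
 * so a lost or compromised device does not yield an exportable credential.
 */
public final class BoundKeyExample {
    private static final String PROVIDER = "AndroidKeyStore";
    private static final String ALGORITHM = "RSA";
    // Example alias chosen for this demonstration; a real app picks its own.
    private static final String ALIAS = "work-auth-key";

    /** Signals that the device offers only a software keystore for the requested algorithm. */
    public static final class NoHardwareBackingException extends Exception {
        NoHardwareBackingException(String message) {
            super(message);
        }
    }

    /**
     * isBoundKeyAlgorithm answers whether private keys of this algorithm will be bound to the
     * device's hardware-backed keystore (non-exportable). Generating the pair through the
     * AndroidKeyStore provider then keeps the private half inside that keystore.
     */
    public static KeyPair generateBoundKey(Context ctx) throws Exception {
        if (!KeyChain.isBoundKeyAlgorithm(ALGORITHM)) {
            throw new NoHardwareBackingException(
                    ALGORITHM + " keys would only be software-protected on this device");
        }
        Calendar notBefore = Calendar.getInstance();
        Calendar notAfter = Calendar.getInstance();
        notAfter.add(Calendar.YEAR, 10); // validity of the self-signed certificate wrapping the key
        KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx)
                .setAlias(ALIAS)
                .setSubject(new X500Principal("CN=" + ALIAS))
                .setSerialNumber(BigInteger.ONE)
                .setStartDate(notBefore.getTime())
                .setEndDate(notAfter.getTime())
                // The entry is encrypted at rest with the user's lock screen credential;
                // key generation fails with IllegalStateException if no lock screen is set.
                .setEncryptionRequired()
                .build();
        KeyPairGenerator generator = KeyPairGenerator.getInstance(ALGORITHM, PROVIDER);
        generator.initialize(spec);
        return generator.generateKeyPair();
    }

    /**
     * Signs data with the stored key. The PrivateKey object is only a handle: the keystore
     * performs the signature, so the key bytes are never available to the application.
     */
    public static byte[] sign(byte[] data) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(PROVIDER);
        keyStore.load(null);
        KeyStore.PrivateKeyEntry entry =
                (KeyStore.PrivateKeyEntry) keyStore.getEntry(ALIAS, null);
        if (entry == null) {
            throw new IllegalStateException(
                    "no key under alias " + ALIAS + "; call generateBoundKey first");
        }
        PrivateKey key = entry.getPrivateKey();
        Signature signature = Signature.getInstance("SHA256withRSA");
        signature.initSign(key);
        signature.update(data);
        return signature.sign();
    }
}
```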

Application security

Applications are an integral part of any mobile platform and users increasingly download applications to their devices. Android provides multiple layers of application protection, enabling users to download their favorite applications to their devices with the peace of mind that they're getting a high level of protection from malware, security exploits, and attacks. The following subsections define the main Android application security features.

Application sandbox and permissions

Android applications run in what is referred to as an application sandbox. Just like the walls of a sandbox keep the sand from getting out, each application is housed within a virtual sandbox to keep it from accessing anything outside itself. By default, some applications need to use functionality on the device that isn't in the sandbox; for example, accessing contact information. Before an application is installed, the user is asked whether or not to grant the app permission to access certain capabilities on the device (for example, Make phone calls). A phone dialer application should naturally be able to make phone calls. On the flip side, if the application is supposed to be a puzzle game, that same request might look a bit more suspicious. By providing these details up front, users can make an educated decision about trusting an app or not.

The Android platform takes advantage of the Linux user-based protection as a means of identifying and isolating application resources. The Android system assigns a unique user ID (UID) to each Android application and runs it as that user in a separate process. This approach is different from other operating systems (including the traditional Linux configuration), where multiple applications run with the same user permissions. This sets up a kernel-level application sandbox. The kernel enforces security between applications and the system at the process level through standard Linux facilities, such as user and group IDs that are assigned to applications. By default, applications can't interact with each other and applications have limited access to the OS. For example, if application A tries to do something malicious like read application B's data or dial the phone without permission (which is a separate application), then the OS protects against this because application A doesn't have the appropriate user privileges. The sandbox is simple, auditable, and based on decades-old, UNIX-style user separation of processes and file permissions. Because the application sandbox is in the kernel, this security model extends to native code and to OS applications. All of the software above the kernel in Figure 1 (including OS libraries, application framework, application runtime, and all applications) runs within the application sandbox. On some platforms, developers are constrained to a specific development framework, set of APIs, or language to enforce security. On Android, there are no restrictions on how an application can be written that are required to enforce security; native code is just as secure as interpreted code. In some operating systems, memory corruption errors generally lead to completely compromising the security of the device. This is not the case in Android due to all applications and their resources being sandboxed at the OS level. A memory corruption error only allows arbitrary code execution in the context of that particular application, with the permissions established by the OS.

Security Enhanced Linux

As part of the Android security model, the Android sandbox also uses Security Enhanced Linux (SELinux) to enforce Mandatory Access Control (MAC) over all processes, even processes running with root and superuser privileges. SELinux provides a centralized, analyzable policy and strongly separates processes from one another. Android includes SELinux in enforcing mode (that is, security policy is enforced and logged) and a corresponding security policy that works by default across the Android Open Source Project (AOSP). In enforcing mode, illegitimate actions that violate policy are prevented and all violations (denials) are logged by the kernel to dmesg and logcat. The Android 5.0 CDD mandates that devices must implement a SELinux policy that allows the SELinux mode to be set on a per-domain basis, with all domains configured in enforcing mode. No permissive mode domains are allowed. The Compatibility Test Suite (CTS) for SELinux ensures security policy compatibility and enforces security best practices.


Application signing

Android requires that all apps be digitally signed with a certificate before they can be installed. The certificate doesn't need to be signed by a certificate authority. Android uses this certificate to identify the author of the application. Android applications often use self-signed certificates and the application developer holds the certificate's private key. When the system installs an update to an application, it compares the certificate in the new version with those in the existing version, and allows the update if the certificate matches. Android allows applications signed by the same certificate to run in the same process, if the applications so request, so that the system treats them as a single application. Android provides signature-based permissions enforcement, so that an application can expose functionality to another app that's signed with a specified certificate. By signing multiple apps with the same certificate, and using signature-based permissions, an app can share code and data in a secure manner.

The key must have a validity period that exceeds the expected lifespan of the app. (A validity period of 25 years or more is recommended.) When a key's validity period expires, users can no longer seamlessly upgrade to new versions of the application.

Note: Applications published on Google Play must be signed with keys that have a validity period ending after October 22, 2033. Google Play enforces this requirement to ensure that users can seamlessly upgrade apps when new versions are available.

Google Play app review

Google Play is Android's app distribution platform that protects users from potentially harmful apps. Google Play has policies in place to protect users from attackers trying to distribute potentially harmful apps. Within Google Play, developers are validated in two stages. Developers are first reviewed when they create their Google Play developer account, based on their profile and credit cards. Developers are then reviewed further with additional signals upon app submission. Google regularly scans Play applications for malware and other vulnerabilities. Google also suspends developer accounts that violate developer program policies. Google Play also has ratings and reviews that provide information about an application before installing it. If an app tries to mislead users, it's likely to have a low star rating and poor comments. An example of Google's developer security advocacy was for apps running vulnerable versions of the Apache Cordova platform. Google notified:

• Developers via the Google Play Developer Console and email
• Developers of apps containing private keys or keystore files


Verify apps

Android devices that have Google Play installed have the option of using Google's Verify Apps feature, which scans apps when you install them and periodically scans for potentially harmful apps. App verification is turned on by default, but no data is sent to Google unless the user agrees to allow this when prompted in the dialog box, prior to installing the first app from a source other than Google Play. Verify Apps is available on Android 2.3+ with Google Play. On devices running Android 4.2 or higher, users can enable or disable Verify Apps from Google Settings > Security > Verify Apps. Verify Apps now continually checks devices to ensure that all apps behave in a safer manner, even after installation. This enhancement takes the protection even further, using Android's powerful app scanning system developed by the Android Security and Safe Browsing teams.

Network security

In addition to data-at-rest security protecting information stored on the device, Android provides network security for data-in-transit to protect data sent to and from Android devices. Android provides secure communications over the Internet for web browsing, email, instant messaging, and other Internet applications, by supporting Transport Layer Security (TLS), including TLS v1.0, TLS v1.1, TLS v1.2, and SSL v3.

Wi-Fi

Android supports the WPA2-Enterprise (802.11i) protocol, which is specifically designed for enterprise networks and can be integrated into a broad range of Remote Authentication Dial-In User Service (RADIUS) authentication servers. The WPA2-Enterprise protocol support uses AES-128 encryption in Android 5.0, thus providing corporations and their employees a high level of protection when sending and receiving data over Wi-Fi. Android supports 802.1x Extensible Authentication Protocols (EAPs), including EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and EAP-SIM, introduced in Android 5.0.

VPN

Android supports network security using VPN:

• Always-on VPN: The VPN can be configured so that applications don't have access to the network until a VPN connection is established, which prevents applications from sending data across other networks.
• Per User VPN: On multiuser devices, VPNs are applied per Android user, so all network traffic is routed through a VPN without affecting other users on the device.
• Per Profile VPN: VPNs are applied per Work Profile, which allows an IT administrator to ensure that only their enterprise network traffic goes through the enterprise Work Profile VPN, not the user's personal network traffic.
• Per Application VPN: Android 5.0 provides support to facilitate VPN connections on allowed applications or prevent VPN connections on disallowed applications.


Third-party applications

Google is committed to increasing the use of TLS/SSL in all applications and services. As applications become more complex and connect to more devices, it's easier for applications to introduce networking mistakes by not using TLS/SSL correctly. The Android Security team has built a tool called nogotofail, which provides an easy way to confirm that devices or applications are safe against known TLS/SSL vulnerabilities and misconfigurations. The nogotofail tool works for Android and other operating systems. There's an easy-to-use client to configure the settings and get notifications on Android. The nogotofail tool is released as an open source project so application developers can test their applications, contribute new features to the project, and help improve the network security on Android.

Device and profile management

Android 5.0 introduces the concept of a Device Owner and Profile Owner to support the corporate-owned and bring your own device (BYOD) enterprise use cases, respectively. The concept of a Managed Profile is based on the Android multiuser concept, first introduced in Android 4.2 (API 17).

Android users

An Android user is intended to be used by a different physical person and has their own application data, some unique settings, and UI to explicitly switch between them. A user can run in the background when another user is active. A user's data is always isolated from other users. Android supports Primary and Secondary users as defined below:

• A Primary user is the first user added to a device. It can't be removed, except by factory reset. This user also has special privileges and settings only set by that user. The Primary user is always running even when other users are in the foreground.
• A Secondary user is any user added to the device other than the Primary user. A secondary user can be removed by their own doing and by the primary user, but can't impact other users on a device. Secondary users can run in the background and continue to have network connectivity when they do. However, there are some restrictions; for example, not being able to display UI or have Bluetooth services active while in the background. Background secondary users are halted by the system process if the device requires additional memory for operations in the foreground user.


Managed Profile

A Device Policy Client (DPC) is an application used to manage the corporate space on the device. The DPC has access to the device management APIs available in the DevicePolicyManager class and receives callbacks from the system via the DeviceAdminReceiver class. A Work Profile is a managed profile created when the DPC initiates a managed provisioning flow. In this instance, a Work Profile functions like a regular user, but is associated with the primary user in such a way that notifications and the recent task list are shared. Applications, notifications and widgets from the Managed Profile are always badged. Because the Work Profile is a separate Android user, there's a strong separation between the corporate and personal profile, and all data within the Work Profile is managed separately by the enterprise. A Profile Owner is a special case of a device administrator, who can only manage the corporate space on a user's personal device to support the BYOD use case. Profile owners are scoped to the Work Profile and can only be defined as part of the managed provisioning process. The user experience is enhanced to allow the user to easily access both personal and Work Profiles at once. The Profile Owner can't be deactivated by the user; however, the user is always able to view and validate the settings being enforced within the Work Profile. The user can choose to remove the Work Profile and the Profile Owner altogether whenever they desire. A Device Owner is like a Profile Owner, but scoped to the whole device. The Device Owner is the device administrator in the corporate-owned device use case.

Cross profile intents

In the BYOD case, data in the Work Profile is segregated from the user's personal data. However, there are instances where allowing intents from one profile to be resolved in the other can be useful and enhance the enterprise user's productivity. In the Work Profile, IT administrators control sharing between managed and personal profiles. Two new methods have been added in Android 5.0 to the DevicePolicyManager class for cross profile intents: addCrossProfileIntentFilter and clearCrossProfileIntentFilters. By default, the following intents are automatically configured by the system during the Work Profile creation to be forwarded to the Primary Profile:

• Telephony intents
• Mobile network settings
• Home intent: The launcher doesn't run in the Work Profile.
• Get content: The user has the option to resolve in either the Primary or Work Profile.
• Open document: The user has the option to resolve in either the Primary or Work Profile.
• Picture: The user has the option to resolve in either the Primary or Work Profile if an app that can handle camera exists in the Work Profile.
• Set clock: The user has the option to resolve in either the Primary or Work Profile.
• Speech recognition: The user has the option to resolve in either the Primary or Work Profile.

Additionally, the SEND intent, used when sharing content, is configured to offer the user the option to forward the content into the Work Profile.


Note: The SEND intent is not automatically configured to offer the user the option to forward their content from the Work Profile into the primary because some IT administrators consider this a security risk. Instead, the DPC application has the option of adding this functionality, if allowed by a company's IT policy.
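An added example of how a Profile Owner DPC can apply that IT policy with the two Android 5.0 methods named above; it is not code from the whitepaper or from Google. The DeviceAdminReceiver class name and the policy flag passed in are this example's own assumptions, and the work-to-personal SEND path stays closed unless the policy explicitly opens it.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

/**
 * Applies the company's cross-profile sharing policy from inside the Work Profile.
 * The system already forwards ACTION_SEND from the personal profile into the Work Profile;
 * the reverse direction is not configured by default and is opened here only on request.
 */
public final class CrossProfileSharePolicy {

    /** Hypothetical DeviceAdminReceiver of the DPC; a real DPC names its own receiver class. */
    private static ComponentName adminOf(Context ctx) {
        return new ComponentName(ctx, "com.example.dpc.WorkAdminReceiver");
    }

    /**
     * @param allowWorkToPersonalShare the IT policy decision, assumed to arrive from the EMM;
     *                                 false is the default and most restrictive posture
     */
    public static void apply(Context ctx, boolean allowWorkToPersonalShare) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (!dpm.isProfileOwnerApp(ctx.getPackageName())) {
            throw new SecurityException("only the Profile Owner may change cross-profile filters");
        }
        ComponentName admin = adminOf(ctx);

        // Start from a known state: remove every filter this DPC added earlier. This leaves
        // the system defaults listed above (telephony, home, get content, ...) untouched,
        // because clearCrossProfileIntentFilters only removes filters set by the profile owner.
        dpm.clearCrossProfileIntentFilters(admin);

        if (!allowWorkToPersonalShare) {
            return;
        }

        IntentFilter share = new IntentFilter(Intent.ACTION_SEND);
        share.addCategory(Intent.CATEGORY_DEFAULT);
        try {
            share.addDataType("*/*"); // any shared content type; narrow this if policy requires
        } catch (IntentFilter.MalformedMimeTypeException e) {
            throw new IllegalArgumentException(e);
        }
        // FLAG_MANAGED_CAN_ACCESS_PARENT lets activities in the parent (personal) profile
        // receive intents sent from the managed (work) profile, i.e. work -> personal sharing.
        dpm.addCrossProfileIntentFilter(admin, share,
                DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT);
    }
}
```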

Device and profile policies

Android 5.0 adds a number of security policies and configurations for both device and profile management. IT administrators can set these policies (indirectly) via a mobile device management (MDM) solution to secure work data on their employees' devices. The following table lists these policies, indicating whether they apply to devices for corporate-owned device cases or profiles for BYOD cases.

Policy (applies to Device, Profile, or both):

• addCrossProfileIntentFilter
• addCrossProfileWidgetProvider
• addPersistentPreferredActivity
• addUserRestriction
• clearCrossProfileIntentFilters
• clearDeviceOwnerApp
• clearPackagePersistentPreferredActivities
• clearUserRestriction
• createAndInitializeUser
• enableSystemApp
• installCaCert
• installKeyPair
• lockNow
• removeActiveAdmin
• removeCrossProfileWidgetProvider
• removeUser
• resetPassword
• setAccountManagementDisable
• setApplicationHidden
• setApplicationRestrictions
• setAutoTimeRequired
• setCameraDisabled
• setCrossProfileIdDisabled
• setGlobalSetting
• setKeyguardDisabledFeatures
• setLockTaskPackages
• setMasterVolumeMuted
• setMaximumFailedPasswordsForWipe
• setMaximumTimeToLock
• setPasswordExpirationTimeout
• setPasswordHistoryLength
• setPasswordMinimumLength
• setPasswordMinimumLetters
• setPasswordMinimumLowerCase
• setPasswordMinimumNonLetter
• setPasswordMinimumNumeric
• setPasswordMinimumSymbols
• setPasswordMinimumUpperCase
• setPasswordQuality
• setPermittedAccessibilityServices
• setPermittedInputMethods
• setProfileEnabled
• setProfileName
• setRecommendedGlobalProxy
• setRestrictionsProvider
• setScreenCaptureDisabled
• setSecureSetting
• setStorageEncryption
• setUninstallBlocked
• switchUser
• uninstallAllUserCaCerts
• uninstallCaCert
• wipeData


Application management

Android for Work creates a secure framework for companies to put any application in Google Play to work for them in a simple, standard way. Through Google Play for Work, an enterprise version of Google Play, IT administrators can easily find, deploy, and manage work applications while ensuring malware and other threats are neutralized.

Google Play for Work

Google Play for Work provides APIs for use by Enterprise Mobility Management (EMM) vendors to allow them to manage applications on devices in an Android for Work domain. The APIs provide functionality for use (indirectly) by administrators of the enterprises managed by the EMM as follows:

• An IT administrator can remotely install or remove apps on managed Android for Work devices via the EMM's app. This action is limited to devices or profiles that are managed by the EMM's app, which ensures that the user has consented to the EMM's access.
• An IT administrator can define which users should be able to see which apps. A user running the Play Store app within the Work Profile only sees the apps visible to them.
• Enterprise administrators can see which users have apps installed or provisioned, and the number of licenses purchased and provisioned.

Installation of applications within the Work Profile is possible via Google Play for Work in the Work Profile, either by direct user request in the managed Play Store app (pull), or as a result of a call to the EMM API (push). When the user opens the Play Store app in the Work Profile, it only displays the apps which the IT administrator has specified the user can access. The user can install these applications, but not others.

Secure app serving

Transport of all Android application packages (APKs) and app metadata between Google Play and Android devices is encrypted using SSL. App access is authenticated and authorized using the Google Account created as part of user registration in the Android for Work domain.

Private apps

With Google Play for Work, apps can be published by an enterprise customer and targeted privately (i.e. they're only visible and installable by users within that enterprise's Android for Work domain). Private apps are logically separated in Google's cloud infrastructure from Google Play for consumers. There are two modes of delivery for private apps:

• Google hosted: By default, Google hosts the APK in its secure data centers.
• Externally hosted: Enterprise customers host APKs on their own servers, accessible only on their intranet or via VPN. Details of the requesting user and their authorization are provided via a JSON Web Token (JWT) with an expiry time. The JWT is signed by Google using the key pair associated with the specific app in Play, and should be verified before trusting the authorization contained in the JWT.

In both cases, Google Play for Work stores the app metadata: title, description, graphics, and screenshots. Apps must comply with all Google Play policies in all cases.

Unknown sources

By default, the Unknown sources setting under Settings > Security > Unknown sources is off. The Device Owner or Profile Owner can disable user control of Unknown sources in the Managed Device or Work Profile by setting the DISALLOW_INSTALL_UNKNOWN_SOURCES user restriction to True using addUserRestriction. The default value for the DISALLOW_INSTALL_UNKNOWN_SOURCES user restriction in both Device Owner and Profile Owner is false. When DISALLOW_INSTALL_UNKNOWN_SOURCES is set to true by the Device Owner or Profile Owner, the user cannot modify the Unknown sources security setting on the device or Work Profile; however, in the case of Work Profile, the user can still modify the Unknown sources setting in their personal space. Additionally, the sideloading of applications using Android Debug Bridge (adb) can be disabled via the DISALLOW_DEBUGGING_FEATURES user restriction in a Managed Device by Device Owner, or Work Profile by Profile Owner. The default value of DISALLOW_DEBUGGING_FEATURES for both Device Owner and Profile Owner is false. Setting the DISALLOW_INSTALL_UNKNOWN_SOURCES and DISALLOW_DEBUGGING_FEATURES user restrictions to True by EMMs provides an extra measure of assurance to IT administrators that only company-approved apps will be deployed using Google Play for Work to users in a corporate-managed device or profile.
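The two restrictions above applied and then verified by a DPC, as an added example that is not code from the whitepaper or from Google. The DeviceAdminReceiver class name is a placeholder; the read-back uses UserManager.getUserRestrictions so the EMM reports the enforced state instead of assuming the call succeeded.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Bundle;
import android.os.UserManager;

import java.util.ArrayList;
import java.util.List;

/**
 * Restricts app installation in the managed device or Work Profile to Google Play for Work
 * by setting the two user restrictions, then reads the enforced posture back.
 */
public final class InstallSourceLockdown {
    private static final String[] RESTRICTIONS = {
            UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, // user cannot turn "Unknown sources" on
            UserManager.DISALLOW_DEBUGGING_FEATURES,      // no adb sideloading or USB debugging
    };

    /** Hypothetical DeviceAdminReceiver of the DPC; a real DPC names its own receiver class. */
    private static ComponentName adminOf(Context ctx) {
        return new ComponentName(ctx, "com.example.dpc.WorkAdminReceiver");
    }

    /** Applies both restrictions. Only a Device Owner or Profile Owner may call addUserRestriction. */
    public static void apply(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        String pkg = ctx.getPackageName();
        if (!dpm.isDeviceOwnerApp(pkg) && !dpm.isProfileOwnerApp(pkg)) {
            throw new SecurityException("DPC is neither Device Owner nor Profile Owner");
        }
        ComponentName admin = adminOf(ctx);
        for (String restriction : RESTRICTIONS) {
            dpm.addUserRestriction(admin, restriction);
        }
    }

    /**
     * Reports the posture for the Android user this DPC runs as. For a Profile Owner that is
     * the Work Profile only: the user's personal space keeps its own "Unknown sources" setting,
     * exactly as described above. Returns the restrictions that are NOT in force; an empty
     * list means the device or profile is compliant.
     */
    public static List<String> missingRestrictions(Context ctx) {
        UserManager um = (UserManager) ctx.getSystemService(Context.USER_SERVICE);
        Bundle enforced = um.getUserRestrictions();
        List<String> missing = new ArrayList<>();
        for (String restriction : RESTRICTIONS) {
            if (!enforced.getBoolean(restriction, false)) {
                missing.add(restriction);
            }
        }
        return missing;
    }
}
```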

Managed App configuration

Android for Work provides the ability to set policies on a per-application basis, where the app developer has made this available. For example, an app could allow an IT administrator to remotely control the availability of features, configure settings, or set in-app credentials. The setApplicationRestrictions method allows EMMs to configure these restrictions via the DevicePolicyManager class. Google Chrome is an example of an enterprise-managed app that implements policies and configurations that can be fully managed according to enterprise policies and restrictions.
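Both ends of a managed app configuration, as an added example that is not code from the whitepaper, Google or Chrome: the DPC pushes settings with setApplicationRestrictions, and the managed app reads them through the Android 5.0 RestrictionsManager, treating each value as untrusted input with a restrictive default. The restriction keys, the Config type and the receiver are this example's own inventions; the keys would have to match the managed app's declared restrictions.

```java
import android.app.admin.DevicePolicyManager;
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.RestrictionsManager;
import android.os.Bundle;

public final class ManagedConfigExample {
    // Hypothetical restriction keys, assumed to be declared in the managed app's restrictions XML.
    static final String KEY_SERVER_URL = "server_url";
    static final String KEY_ALLOW_EXPORT = "allow_export";

    /** The validated settings the managed app actually runs with. */
    public static final class Config {
        public final String serverUrl;      // empty when unset or rejected
        public final boolean allowExport;   // false unless the administrator enabled it

        Config(String serverUrl, boolean allowExport) {
            this.serverUrl = serverUrl;
            this.allowExport = allowExport;
        }
    }

    /**
     * DPC side: push a configuration to one managed app. Only a Device Owner or Profile Owner
     * may call setApplicationRestrictions; `admin` is the DPC's DeviceAdminReceiver component.
     */
    public static void push(Context ctx, ComponentName admin, String managedAppPackage,
                            String serverUrl, boolean allowExport) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        Bundle restrictions = new Bundle();
        restrictions.putString(KEY_SERVER_URL, serverUrl);
        restrictions.putBoolean(KEY_ALLOW_EXPORT, allowExport);
        dpm.setApplicationRestrictions(admin, managedAppPackage, restrictions);
    }

    /** Managed app side, kept as a pure function over the Bundle so it can be unit-tested. */
    static Config parse(Bundle restrictions) {
        String url = restrictions.getString(KEY_SERVER_URL, "");
        // Refuse a plaintext endpoint even if an administrator pushed one by mistake.
        if (!url.startsWith("https://")) {
            url = "";
        }
        // An unset key means the most restrictive behaviour, not the most convenient one.
        boolean allowExport = restrictions.getBoolean(KEY_ALLOW_EXPORT, false);
        return new Config(url, allowExport);
    }

    /** Reads whatever the Profile Owner or Device Owner currently enforces for this app. */
    public static Config load(Context ctx) {
        RestrictionsManager rm =
                (RestrictionsManager) ctx.getSystemService(Context.RESTRICTIONS_SERVICE);
        return parse(rm.getApplicationRestrictions());
    }

    /**
     * Re-reads the configuration when the administrator changes it after installation.
     * Declared in the manifest with an intent filter for ACTION_APPLICATION_RESTRICTIONS_CHANGED.
     */
    public static final class ConfigChangedReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            if (Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED.equals(intent.getAction())) {
                Config config = load(ctx);
                applyConfig(config);
            }
        }

        /** Hypothetical hook where the app reconfigures itself, e.g. re-points its API client. */
        private void applyConfig(Config config) {
            // Application-specific; intentionally left to the app.
        }
    }
}
```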


Security best practices

Google designed Android and Google Play to provide everyone with a safer experience. With that goal in mind, the Android Security team works hard to minimize the security risks on Android devices. Google's multilayered approach starts with prevention and continues with malware detection and rapid response should any issues arise. More specifically, Google:

• Strives to prevent security issues from occurring through design reviews, penetration testing and code audits
• Performs security reviews prior to releasing new versions of Android and Google Play
• Publishes the source code for Android, thus allowing the broader community to uncover flaws and contribute to making Android the most secure mobile platform
• Works hard to minimize the impact of security issues with features like the application sandbox
• Detects vulnerabilities and security issues by regularly scanning Google Play applications for malware, and removing them from devices if there's a potential for serious harm to the user devices or data
• Has a rapid response program in place to handle vulnerabilities found in Android by working with hardware and carrier partners to quickly resolve security issues and push security patches

The Android team works very closely with the wider security research community to share ideas, apply best practices, and implement improvements. Android is part of the Google Patch Reward Program, which pays developers when they contribute security patches to popular open source projects, many of which form the foundation for AOSP. Google is also a member of the Forum of Incident Response and Security Teams (FIRST).

Conclusion

For a long time, being secure has been synonymous with being closed. But the mobile ecosystem is now transitioning from closed, isolated platforms towards open platforms that foster innovation and allow interoperability with confidence. Android gains security from being more open. Android's security is built to protect its users in a complex ecosystem that includes system-on-a-chip vendors (SoCs), OEMs, service providers, independent software vendors (ISVs), and enterprises, just to name a few. Google's commitment to security for all Android users includes a combination of built-in security features in the platform (such as application sandboxing) and Google services-based protections (such as Google Play and Verify apps). Behind Google Play's attempt to protect against potentially harmful applications is a vast, systemic knowledge of Android applications accumulated over many years, beginning with the onset of Android. Google Play uses a combination of static, dynamic, and relationship analysis, combined with thousands of unique signals to analyze each application. Every application on Google Play is reviewed through a combination of technology, human review, and user community flags.

Finally, Android 5.0 enhances Android device management capabilities by introducing Work Profiles. In the context of Android for Work, enterprises rely on Google Play for Work for deploying applications. Unknown sources and third-party marketplaces can be disallowed by EMMs, thus protecting employees' devices from any potentially malicious applications being installed in the Work Profile.
