Android Enterprise Developer Best Practices, Native Apps
App Dev Lifecycle
01 Design
Architect your app strategy to handle your business needs.
Use Material Design to create native experiences.
02 Build
Build your app with management, data safety and security in mind.
03 Deploy
Deploy your app to Managed Google Play.
04 Maintain
Keep your apps updated with the latest version of Android. Monitor services such as SafetyNet for quota and tweak as needed.
Design
Think about building your apps to logically fit with your business and use cases.
AndroidX / Jetpack
Use Material Design best practices to build your apps.
App Architecture
UI Design, UX Flows
App Design
Build
Harden the Android platform and support trusted execution.
Platform
Security
Security Updates
CTS Tested OEMs
Google Play Protect
Ecosystem
Managed Configurations
Security Best Practices
SafetyNet Attestation
App
App Security
1. Auth/Secure Network Protocols
2. App Data Storage
3. Verify Device
4. App Management
Authentication - Use Single Sign on
Authentication - Flow
[Diagram: participants are the EMM, the Android app, the SaaS backend and the Enterprise authorization server. Labelled steps: Managed configuration (login_hint); OAuth request (via AppAuth) (login_hint); Enterprise authentication; Enterprise authentication response; OAuth response (via AppAuth).]
Secure context, host app cannot inspect contents
Shared cookie state across apps
Custom tabs are a system browser activity presented in app context
● Android 9.0 Pie and up blocks cleartext (unsecured) traffic.
● On Android Oreo and earlier, you must explicitly specify cleartextTrafficPermitted=false.
● Install and define root CAs
  ○ system
  ○ user
  ○ custom
● Certificate validation via OCSP (Online Certificate Status Protocol)
<domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">ocsp.pki.goog</domain>
    <domain includeSubdomains="true">ocsp.digicert.com</domain>
</domain-config>
Secure Network Protocols: network_security_config
Use App Storage
Use Default Storage when possible
Only app A can interact with its own home directory unless it decides otherwise.
Data is also in separate user spaces between app profiles.
App data is sandboxed
[Diagram labels: External storage; Work Profile; App B; Personal Profile; App A]
● For file (or larger data set) encryption, use a symmetric key, preferably AES.
● The option to require an unlocked device to decrypt was added in API Level 28.
  ○ setUnlockedDeviceRequired()
  ○ setUserAuthenticationRequired() - BiometricPrompt
● Check to see if keys are stored in Secure Hardware
● Use the AndroidKeyStore
Encrypt sensitive data: Key Generation, Create a Cipher and Encrypt data
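An added example, not from the original slides, of the three steps this slide names (key generation, creating a cipher, encrypting data) using the AndroidKeyStore with AES-GCM, plus the secure-hardware check. The class name WorkDataCrypto, its method names and the IV-prefixed output layout are assumptions; setUserAuthenticationRequired() is left out because it needs a BiometricPrompt flow.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;

// Added example: class, method and alias names are hypothetical. Needs API 28+.
public final class WorkDataCrypto {
    private static final String PROVIDER = "AndroidKeyStore";
    private static final int IV_LEN = 12;   // IV length the keystore generates for GCM

    // Key generation: a 256-bit AES key whose material stays inside the keystore.
    public static SecretKey createKey(String alias) throws GeneralSecurityException {
        KeyGenerator generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER);
        generator.init(new KeyGenParameterSpec.Builder(alias,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .setUnlockedDeviceRequired(true)   // key unusable while the device is locked
                .build());
        return generator.generateKey();
    }

    // True when the key is held in secure hardware (TEE or secure element).
    public static boolean isHardwareBacked(SecretKey key) throws GeneralSecurityException {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(key.getAlgorithm(), PROVIDER);
        KeyInfo info = (KeyInfo) factory.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware();
    }

    // Create a cipher and encrypt; returns IV || ciphertext || tag.
    public static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key);   // keystore picks a fresh random IV
        byte[] iv = cipher.getIV();
        byte[] body = cipher.doFinal(plaintext);
        return ByteBuffer.allocate(iv.length + body.length).put(iv).put(body).array();
    }
    public static byte[] decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, IV_LEN));
        return cipher.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }
}
```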
SafetyNet
Attestation
● Certified version of Android
● Not rooted
● App self-validation
Verify Apps
● List Potentially Harmful Apps (PHAs)
● Ensure Verify Apps
SafetyNet Attestation
1. Generate Nonce: Request a one time use code from your server for the specific user.
2. Call SafetyNet attest(): Pass the Nonce to the SafetyNet API call.
3. Send result to your server: Send results of the JWS (JSON Web Signature) to your server for processing.
4. Validate: Validate the SSL Chain, send the response to Google to ensure that it’s valid. Check the Nonce, timestamp, and APK fields.
5. Enforce: Check basicIntegrity (rooted yes/no), and ctsProfileMatch.
Example JWS Response: SafetyNet Attestation
Basic Integrity/CTS Match
● The device is not rooted.
● Google knows about the OEM and type of device.
● It’s not an emulator.
JSON Web Signature message:
{
  "nonce": "R2Rra24fVm5xa2Mg",
  "timestampMs": 9860437986543,
  "apkPackageName": "com.mycompany.example",
  "apkCertificateDigestSha256": ["SHA-256 hash of signing certificate"],
  "apkDigestSha256": "SHA-256 hash of the APK",
  "ctsProfileMatch": true,
  "basicIntegrity": true
}
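An added example, not from the original slides, of the server-side Validate and Enforce steps: a one-time nonce per user, timestamp freshness, the APK fields, then the two verdicts. It assumes the JWS signature and certificate chain were already verified and the payload parsed into a Map, and that the payload carries the nonce base64-encoded; the class AttestationPolicy, the five-minute window and the digest value are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added example, hypothetical names. Run check() only after JWS signature and chain verification.
public class AttestationPolicy {
    static final long MAX_AGE_MS = 5 * 60 * 1000;   // assumed freshness window
    static final String PKG = "com.mycompany.example";
    static final Set<String> CERT_DIGESTS = new HashSet<>(List.of("ZGlnZXN0"));  // constructed
    final Map<String, String> pending = new ConcurrentHashMap<>();  // userId -> issued nonce
    // One-time code for one user; the app passes the decoded bytes to attest().
    String issueNonce(String userId) {
        byte[] raw = new byte[24];
        new SecureRandom().nextBytes(raw);
        String nonce = Base64.getEncoder().encodeToString(raw);
        pending.put(userId, nonce);
        return nonce;
    }
    // Returns the names of the failed checks; empty means the device passes.
    List<String> check(String userId, Map<String, Object> p, long nowMs) {
        List<String> failed = new ArrayList<>();
        String issued = pending.remove(userId);      // consumed: a replay finds nothing
        Object got = p.get("nonce");
        if (issued == null || !(got instanceof String) || !MessageDigest.isEqual(
                issued.getBytes(StandardCharsets.UTF_8),
                ((String) got).getBytes(StandardCharsets.UTF_8))) failed.add("nonce");
        Object ts = p.get("timestampMs");
        if (!(ts instanceof Number)
                || Math.abs(nowMs - ((Number) ts).longValue()) > MAX_AGE_MS) failed.add("timestampMs");
        if (!PKG.equals(p.get("apkPackageName"))) failed.add("apkPackageName");
        Object d = p.get("apkCertificateDigestSha256");
        if (!(d instanceof List) || ((List<?>) d).isEmpty()
                || !CERT_DIGESTS.containsAll((List<?>) d)) failed.add("apkCertificateDigestSha256");
        if (!Boolean.TRUE.equals(p.get("basicIntegrity"))) failed.add("basicIntegrity");
        if (!Boolean.TRUE.equals(p.get("ctsProfileMatch"))) failed.add("ctsProfileMatch");
        return failed;
    }
    public static void main(String[] args) {
        AttestationPolicy policy = new AttestationPolicy();
        long now = System.currentTimeMillis();
        Map<String, Object> payload = Map.of("nonce", policy.issueNonce("alice"),  // constructed
                "timestampMs", now, "apkPackageName", PKG, "apkCertificateDigestSha256",
                List.of("ZGlnZXN0"), "basicIntegrity", true, "ctsProfileMatch", true);
        System.out.println(policy.check("alice", payload, now));  // first presentation
        System.out.println(policy.check("alice", payload, now));  // same payload replayed
    }
}
```

The second call fails only the nonce check, because the first call consumed the stored value.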
Developing for Managed Android
Work Profile (BYOD)
● Data separation
● User privacy sensitive
Fully Managed Device (Corp liable)
● Admin full visibility
● Deep inspection
Handle cross-profile intents
Check intents resolve with: Intent.resolveActivity() - result should be non null.
Share data with other apps
● Use content URIs for sharing data between apps
● Grant other apps in same profile with Context.grantUriPermission(), don’t use file URIs.
NotificationListenerService isn’t available directly from Work profile apps in Android 9.0+
Work Profile Compatibility
Managed Configurations
[Diagram labels: Company; EMM Server; Config; Google Play; App; Publish config schema in manifest]
Declare all application restrictions in your restrictions.xml
<?xml version="1.0" encoding="utf-8"?>
<restrictions xmlns:android="http://schemas.android.com/apk/res/android">
    <restriction
        android:key="login_hint"
        android:title="@string/login_hint_title"
        android:restrictionType="string"
        android:description="@string/login_hint_description" />
</restrictions>
Managed Configurations
MainActivity.java
// Lookup configuration values
RestrictionsManager myRestrictionsMgr = (RestrictionsManager)
        getSystemService(Context.RESTRICTIONS_SERVICE);
Bundle appRestrictions =
        myRestrictionsMgr.getApplicationRestrictions();
// getApplicationRestrictions returns null if there are none.
if (appRestrictions != null) {
    String loginHint = appRestrictions.getString("login_hint");
}
Listen for updates to the Managed Configuration data using a BroadcastReceiver
listening for Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED.
Managed Configurations
Deploy
Private Apps on Managed Play
Enable Private Apps
https://play.google.com/apps/publish/delegatePrivateApp?service_account=serviceAccountEmail&continueUrl=http://yourURL.com
The callback passes the developerAccount which is needed for subsequent API calls.
Create Custom App
Requires app title, language code, and APK only.
Recently added to Fastlane https://fastlane.io
Not subject to minimum API Level Checks!
Maintain
Automate and Monitor
● Regularly update apps to keep up with new features and relevant updates.
● Monitor quotas for APIs like SafetyNet. If your app goes above the default quota, an increase can be applied for.
Build and share deployment configurations across apps with Fastlane