android enterpriseandroid. monitor services such as safety net for quota and tweak as needed. build...

Android EnterpriseDeveloper Best Practices, Native Apps

0201

Keep your apps updated with the latest version of Android. Monitor services such as Safety Net for quota and tweak as needed.

Build your app with management, data safety and security in mind.

Maintain

Architect your app strategy to handle your business needs.

Use Material Design to create native experiences.

03 04

Deploy your app to Managed Google Play.

DeployBuildDesign

App Dev Lifecycle

Design

Think about building your apps to logically fit with your business and use cases.

AndroidX / Jetpack

Use Material Design best practices to build your apps.

App Architecture UI Design, UX Flows

App Design

Harden the Android platform and support trusted execution.

Platform

Security

Security Updates

CTS Tested OEMs

Google Play Protect

Ecosystem

Managed Configurations

Security Best Practices

SafetyNet Attestation

App

2 3 41

App Security

Auth/Secure Network Protocols

App Data Storage

Verify Device App Management

Authentication - Use Single Sign on

Authentication - Flow

SaaS backend

Android app

EMMSaaS

backendAndroid

app

OAuth request (via AppAuth)

Managed configuration

Enterprise authorization

server

(login_hint)

(login_hint)

OAuth response (via AppAuth)

Enterprise authentication

Enterprise authenticationresponse

EMMEnterprise

authorization server

B

Secure context, host app cannot

inspect contents

Shared cookie state across apps

Custom tabs area system browser activity presented

in app context

● Android 9.0 Pie and up blocks clear text or unsecure traffic.● Android Oreo and previous, must clearly specify

cleartextTrafficPermitted=false

● Install and define RootCAs○ system○ user○ custom

● Certificate Validation via OCSP (Online Cert Status Protocol)<domain-config cleartextTrafficPermitted="true">

<domain includeSubdomains="true">ocsp.pki.goog</domain>

<domain includeSubdomains="true">ocsp.digicert.com</domain>

</domain-config>

Secure Network Protocolsnetwork_security_config

2 3 41

App Security


App Data Storage


Use Default Storage when possibleUse App Storage

Only app A can interact with its own home directory unless it decides otherwise.

Data is also in separate user spaces between app profiles.

App data is sandboxed

External storage

Work Profile

App B

Personal Profile

App A

● For file (or larger data set) encryption, use a symmetric key, preferrably AES.● The option to require an unlocked device to decrypt was added in API Level 28.

○ setDeviceUnlockedRequired(), ○ setUserAuthenticationRequired() - BiometricPrompt

● Check to see if keys are stored in Secure Hardware● Use the AndroidKeyStore

Encrypt sensitive dataKey Generation, Create a Cipher and Encrypt data

2 3 41

App Security


App Data Storage

Verify Apps/Device

App Management

SafetyNet

Certified version of Android

Not rooted

App self-validation

List Potentially Harmful Apps (PHAs)

Ensure Verify Apps

Attestation

Verify Apps

SafetyNet Attestation

Request a one time use code from your

server for the specific user.

Generate Nonce

Call SafetyNet attest()

Send result to your server

Validate Enforce

Send results of the JWS (JSON Web Signature) to your

server for processing.

Pass the Nonce to the SafetyNet API

call.

Validate the SSL Chain, send the

response to Google to ensure that it’s valid. Check the

Nonce, timestamp, and APK fields.

Check basicIntegrity

(rooted yes/no), and

ctsProfileMatch.

Example JWS ResponseSafetyNet Attestation

● The device is not rooted.● Google knows about the

OEM and type of device.● It’s not an emulator.

Basic Integrity/CTS Match JSON Web Signature message:

{

"nonce": "R2Rra24fVm5xa2Mg", "timestampMs": 9860437986543, "apkPackageName": "com.mycompany.example", "apkCertificateDigestSha256":

["SHA-256 hash of signing certificate"],

"apkDigestSha256": "SHA-256 hash of the APK", "ctsProfileMatch": true, "basicIntegrity": true

}

2 3 41

App Security


App Data Storage


BYOD

Data separation

User privacy sensitive

Corp liable

Admin full visibility

Deep inspection

Work Profile Fully Managed Device

Developing for Managed Android

Handle cross-profile intents

Check intents resolve with:Intent.resolveActivity() - result should be non null.

Share data with other apps

● Use content URIs for sharing data between apps ● Grant other apps in same profile with Context.grantUriPermission(),

don’t use file URIs.

NotificationListenerService isn’t available directly from Work profile apps in Android 9.0+

Work Profile Compatibility


Config

EMM ServerCompany

App

Publish config schema in

manifest

Google Play

Declare all application restrictions in your restrictions.xml

<?xml version="1.0" encoding="utf-8"?>

<restrictions xmlns:android="http://schemas.android.com/apk/res/android">

<restriction

android:key="login_hint"

android:title="@string/login_hint_title"

android:restrictionType="string"

android:description="@string/login_hint_description" /

</restrictions>


MainActivity.java

// Lookup configuration values

RestrictionsManager myRestrictionsMgr = (RestrictionsManager)

getSystemService(Context.RESTRICTIONS_SERVICE);

Bundle appRestrictions =

myRestrictionsMgr.getApplicationRestrictions();

// getApplicationRestrictions returns null if there are none.

if (appRestrictions != null) {

String loginHint = appRestrictions.getString("login_hint");

}

Listen for updates to the Managed Configuration data using a BroadcastReceiver

listening for Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED.


Deploy

Enable Private Apps https://play.google.com/apps/publish/delegatePrivateApp?service_account=serviceAccountEmail&continueUrl=http://yourURL.com

The callback passes the developerAccount which is needed for subsequent API calls.

Create Custom AppRequires app title, language code, and APK only.

Recently added to Fastlane https://fastlane.io

Not subject to minimum API Level Checks!

Private Apps on Managed Play

Maintain

Automate and Monitor

● Regularly update apps to keep up with new features and relevant updates.

● Monitor quotas for APIs like SafetyNet. If your app goes above the default quota, an increase can be applied for.

Build and share deployment configurations across apps with Fastlane

android enterpriseandroid. monitor services such as safety net for quota and tweak as needed. build...

Documents