Android for Work Security whitepaper
Last updated: May 2015
Contents
- About this document
- Introduction
- Android OS
- Android Secure OS services
- Cryptography and data protection
- Device encryption
- KeyChain and KeyStore
- Application security
- Application sandbox and permissions
- Security Enhanced Linux
- Application signing
- Google Play app review
- Verify apps
- Network security
- Wi-Fi
- VPN
- Third-party applications
- Device and profile management
- Android users
- Managed Profile
- Cross profile intents
- Device and profile policies
- Application management
- Google Play for Work
- Secure app serving
- Private apps
- Unknown sources
- Managed App configuration
- Security best practices
- Conclusion
About this document
This whitepaper provides an overview of various security features that are in place at the OS level and at the Google services layer. It also introduces the new device management capabilities developed for work, which give enterprises the ability to manage a workspace on their users' devices, prevent work data leakage, secure the communication back to the enterprise, and manage the applications installed in their workspace, preventing any unapproved apps from being installed for work.
Introduction
The Android operating system leverages traditional OS security controls to protect user data and system resources, protects device integrity against malware, and provides application isolation. Additionally, Google provides a number of services layered on top of the OS that, when combined with Android OS security, help to continuously protect the Android user.
Android OS
Android is an open source OS that's built on the Linux kernel and provides an environment for multiple applications to run simultaneously. These applications are signed and isolated into application sandboxes associated with their application signature. The application sandbox defines the privileges available to the application. Applications are generally built using Android Runtime and interact with the OS through a framework that describes system services, platform Application Programming Interfaces (APIs), and message formats. Other high-level languages (for example, JavaScript) and lower-level languages (for example, ARM assembly) are allowed and operate within the same application sandbox. System services are implemented as applications and are constrained by an application sandbox. Above the kernel, there's no concept of a superuser or root that has unconstrained access to the system. Figure 1 summarizes the security components and considerations of the various levels of the Android OS.
Android Secure OS services
Android is a multipurpose operating system. Many Android devices provide a secondary, isolated environment to run privileged or security-sensitive operations that don't need the functionality of a multipurpose OS. This environment is sometimes referred to as a Secure OS. These capabilities can be implemented on a separate processor (such as a standalone Secure Element or Trusted Platform Module [TPM]), or can be isolated beneath the kernel on a shared processor (such as ARM TrustZone technology). The Secure OS can be used by the original equipment manufacturer (OEM) to provide device-specific services and applications. Most Android devices implement Widevine DRM-protected video playback services within the Secure OS. Starting with Android 4.3, cryptographic services based in the Secure OS have also been exposed to Android applications via the KeyChain API. This API provides the ability for applications to create keys that cannot be exported, even in the event of an Android compromise.
Cryptography and data protection
Cryptography is used throughout Android to provide confidentiality and integrity. Google supports most of the industry-standard algorithms. The following lists major uses of cryptography on Android:
- Device encryption
- Application signing
- Network connectivity and encryption, including SSL, Wi-Fi, and VPN
Device encryption
Encryption is the process of encoding user data on an Android device using an encryption key. Once a device is encrypted, all user-created data is automatically encrypted before committing it to disk and all reads automatically decrypt data before returning it to the calling process. Android disk encryption is based on dm-crypt, which is a kernel feature that works at the block device layer. The encryption algorithm is 128-bit Advanced Encryption Standard (AES) with cipher-block chaining (CBC) and ESSIV:SHA256. The master key is encrypted with 128-bit AES via calls to the Android OpenSSL library. OEMs can use 128-bit or higher to encrypt the master key. Android 5.0 introduces the following new encryption features:
- Fast encryption, which only encrypts used blocks on the data partition to avoid first boot taking a long time.
- Added the forceencrypt flag to encrypt on first boot.
- Added support for patterns and encryption without a password.
- Added hardware-backed storage of the encryption key.
In the Android 5.0 release, there are four kinds of encryption states:
- Default
- PIN
- Password
- Pattern
If default encryption is enabled on a device, then upon first boot, the device generates a 128-bit key, which is then encrypted with a default password, and the encrypted key is stored in the crypto metadata. Hardware backing is implemented by using the Trusted Execution Environment's (TEE's) signing capability. The generated 128-bit key is valid until the next factory reset (i.e. until the /data partition is erased). Upon factory reset, a new 128-bit key is generated. When the user sets the PIN or password on the device, only the 128-bit key is re-encrypted and stored (i.e. user PIN/Password/Pattern changes don't cause re-encryption of user data). The Android 5.0 Compatibility Definition Document (CDD) requires that if a device implementation has a lock screen, the device must support full-disk encryption of the application private data; that is, the /data and the SD card partition, if it's a permanent, non-removable part of the device.
Notes:
1. The encryption key must not be written to storage at any time without being encrypted. Other than when in active use, the encryption key must be AES-encrypted with the lock screen passcode stretched, using a slow stretching algorithm. If the user hasn't specified a lock screen passcode or has disabled passcode use for encryption, the system uses a default passcode to wrap the encryption key. If the device provides a hardware-backed keystore, the password stretching algorithm must be cryptographically bound to that keystore.
2. Devices encrypted at first boot cannot be returned to an unencrypted state after factory reset.
KeyChain and KeyStore
Android provides a set of cryptographic APIs for use by applications. These APIs include implementations of standard and commonly used cryptographic primitives, such as AES, Rivest-Shamir-Adleman (RSA), Digital Signature Algorithm (DSA), and Secure Hash Algorithm (SHA). Additionally, APIs are provided for higher-level protocols, such as Secure Socket Layer (SSL) and HTTPS. Android 4.0 introduced the KeyChain class to allow applications to use the system credential storage for private keys and certificate chains. The KeyChain API is used for Wi-Fi and Virtual Private Network (VPN) certificates. The Android KeyStore class lets you store private keys in a container to make it more difficult to extract from the device. It was introduced in Android 4.3 and focuses on applications storing credentials used for authentication, encryption, or signing purposes. Applications can call isBoundKeyAlgorithm in KeyChain before importing or generating private keys of a given algorithm, to determine if hardware-backed keystore is supported to bind keys to the device in a way that makes them non-exportable.
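An added example (not code from the whitepaper) of the check-before-generate pattern just described: the app asks KeyChain whether RSA keys are device-bound, and only then creates a signing key inside the Android KeyStore using the Android 4.3-era KeyPairGeneratorSpec API; the class name and key alias are assumptions.

```java
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyPairGeneratorSpec;

import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Calendar;
import javax.security.auth.x500.X500Principal;

// Added example, not from the whitepaper: a signing key that is only created
// when the device reports it will be hardware-bound (non-exportable).
public final class BoundSigningKey {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALGORITHM = "RSA";

    private BoundSigningKey() {}

    /** Returns the key for alias, generating it if absent; refuses if it would be exportable. */
    public static PrivateKey getOrCreate(Context ctx, String alias)
            throws GeneralSecurityException, IOException {
        // The check the paper recommends: ask before importing or generating.
        if (!KeyChain.isBoundKeyAlgorithm(ALGORITHM)) {
            throw new IllegalStateException(ALGORITHM + " keys are not device-bound here");
        }
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);  // AndroidKeyStore takes no stream or password
        if (ks.containsAlias(alias)) {
            return (PrivateKey) ks.getKey(alias, null);
        }
        // Validity of the self-signed certificate wrapped around the key entry.
        Calendar start = Calendar.getInstance();
        Calendar end = Calendar.getInstance();
        end.add(Calendar.YEAR, 10);
        KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx)
                .setAlias(alias)
                .setSubject(new X500Principal("CN=" + alias))
                .setSerialNumber(BigInteger.ONE)
                .setStartDate(start.getTime())
                .setEndDate(end.getTime())
                .build();
        KeyPairGenerator gen = KeyPairGenerator.getInstance(ALGORITHM, KEYSTORE);
        gen.initialize(spec);
        KeyPair pair = gen.generateKeyPair();  // private half never leaves the keystore
        return pair.getPrivate();
    }

    /** Signs data with the bound key; the app only ever holds a handle, not key material. */
    public static byte[] sign(Context ctx, String alias, byte[] data)
            throws GeneralSecurityException, IOException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(getOrCreate(ctx, alias));
        sig.update(data);
        return sig.sign();
    }
}
```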
Application security
Applications are an integral part of any mobile platform and users increasingly download applications to their devices. Android provides multiple layers of application protection, enabling users to download their favorite applications to their devices with the peace of mind that they're getting a high level of protection from malware, security exploits, and attacks. The following subsections define the main Android application security features.
Application sandbox and permissions
Android applications run in what is referred to as an application sandbox. Just like the walls of a sandbox keep the sand from getting out, each application is housed within a virtual sandbox to keep it from accessing anything outside itself. By default, some applications need to use functionality on the device that isn't in the sandbox; for example, accessing contact information. Before installing an application, the user is shown which capabilities on the device the app is asking permission to access (for example, Make phone calls) and decides whether or not to grant them. A phone dialer application should naturally be able to make phone calls. On the flip side, if the application is supposed to be a puzzle game, that same request might look a bit more suspicious. By providing these details up front, users can make an educated decision about trusting an app or not.
The Android platform takes advantage of the Linux user-based protection as a means of identifying and isolating application resources. The Android system assigns a unique user ID (UID) to each Android application and runs it as that user in a separate process. This approach is different from other operating systems (including the traditional Linux configuration), where multiple applications run with the same user permissions. This sets up a kernel-level application sandbox. The kernel enforces security between applications and the system at the process level through standard Linux facilities, such as user and group IDs that are assigned to applications. By default, applications can't interact with each other and applications have limited access to the OS. For example, if application A tries to do something malicious like read application B's data or dial the phone (which is a separate application) without permission, then the OS protects against this because application A doesn't have the appropriate user privileges. The sandbox is simple, auditable, and based on decades-old, UNIX-style user separation of processes and file permissions. Because the application sandbox is in the kernel, this security model extends to native code and to OS applications. All of the software above the kernel in Figure 1 (including OS libraries, application framework, application runtime, and all applications) runs within the application sandbox. On some platforms, developers are constrained to a specific development framework, set of APIs, or language to enforce security. On Android, there are no restrictions on how an application can be written that are required to enforce security; native code is just as secure as interpreted code. In some operating systems, memory corruption errors generally lead to completely compromising the security of the device. This is not the case in Android due to all applications and their resources being sandboxed at the OS level. A memory corruption error only allows arbitrary code execution in the context of that particular application, with the permissions established by the OS.
Security Enhanced Linux
As part of the Android security model, the Android sandbox also uses Security Enhanced Linux (SELinux) to enforce Mandatory Access Control (MAC) over all processes, even processes running with root and superuser privileges. SELinux provides a centralized, analyzable policy and strongly separates processes from one another. Android includes SELinux in enforcing mode (that is, security policy is enforced and logged) and a corresponding security policy that works by default across the Android Open Source Project (AOSP). In enforcing mode, illegitimate actions that violate policy are prevented and all violations (denials) are logged by the kernel to dmesg and logcat. The Android 5.0 CDD mandates that devices must implement a SELinux policy that allows the SELinux mode to be set on a per-domain basis, and all domains configured in enforcing mode. No permissive mode domains are allowed. The Compatibility Test Suite (CTS) for SELinux ensures security policy compatibility and enforces security best practices.
Application signing
Android requires that all apps be digitally signed with a certificate before they can be installed. The certificate doesn't need to be signed by a certificate authority. Android uses this certificate to identify the author of the application. Android applications often use self-signed certificates and the application developer holds the certificate's private key. When the system installs an update to an application, it compares the certificate in the new version with those in the existing version, and allows the update if the certificate matches. Android allows applications signed by the same certificate to run in the same process, if the applications so request, so that the system treats them as a single application. Android provides signature-based permissions enforcement, so that an application can expose functionality to another app that's signed with a specified certificate. By signing multiple apps with the same certificate, and using signature-based permissions, an app can share code and data in a secure manner. The key must have a validity period that exceeds the expected lifespan of the app. (A validity period of 25 years or more is recommended.) When a key's validity period expires, users can no longer seamlessly upgrade to new versions of the application.
Note: Applications published on Google Play must be signed with keys that have a validity period ending after October 22, 2033. Google Play enforces this requirement to ensure that users can seamlessly upgrade apps when new versions are available.
Google Play app review
Google Play is Android's app distribution platform that protects users from potentially harmful apps. Google Play has policies in place to protect users from attackers trying to distribute potentially harmful apps. Within Google Play, developers are validated in two stages. Developers are first reviewed when they create their Google Play developer account based on their profile and credit cards. Developers are then reviewed further with additional signals upon app submission. Google regularly scans Play applications for malware and other vulnerabilities. Google also suspends developer accounts that violate developer program policies. Google Play also has ratings and reviews that provide information about an application before installing it. If an app tries to mislead users, it's likely to have a low star rating and poor comments. An example of Google's developer security advocacy was for apps running vulnerable versions of the Apache Cordova platform. Google notified:
- Developers via the Google Play Developer Console and email
- Developers of apps containing private keys or keystore files
Verify apps
Android devices that have Google Play installed have the option of using Google's Verify Apps feature, which scans apps when you install them and periodically scans for potentially harmful apps. App verification is turned on by default, but no data is sent to Google unless the user agrees to allow this when prompted in the dialog box, prior to installing the first app from a source other than Google Play. Verify Apps is available on Android 2.3+ with Google Play. On devices running Android 4.2 or higher, users can enable or disable Verify Apps from Google Settings > Security > Verify Apps. Verify Apps now continually checks devices to ensure that all apps behave in a safer manner, even after installation. This enhancement takes the protection even further, using Android's powerful app scanning system developed by the Android Security and Safe Browsing teams.
Network security
In addition to data-at-rest security protecting information stored on the device, Android provides network security for data-in-transit to protect data sent to and from Android devices. Android provides secure communications over the Internet for web browsing, email, instant messaging, and other Internet applications, by supporting Transport Layer Security (TLS), including TLS v1.0, TLS v1.1, TLS v1.2, and SSL v3.
Wi-Fi
Android supports the WPA2-Enterprise (802.11i) protocol, which is specifically designed for enterprise networks and can be integrated into a broad range of Remote Authentication Dial-In User Service (RADIUS) authentication servers. The WPA2-Enterprise protocol support uses AES-128 encryption in Android 5.0, thus providing corporations and their employees a high level of protection when sending and receiving data over Wi-Fi. Android supports 802.1x Extensible Authentication Protocols (EAPs), including EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and EAP-SIM, introduced in Android 5.0.
VPN
Android supports network security using VPN:
- Always-on VPN: The VPN can be configured so that applications don't have access to the network until a VPN connection is established, which prevents applications from sending data across other networks.
- Per User VPN: On multiuser devices, VPNs are applied per Android user, so all network traffic is routed through a VPN without affecting other users on the device.
- Per Profile VPN: VPNs are applied per Work Profile, which allows an IT administrator to ensure that only their enterprise network traffic goes through the enterprise Work Profile VPN, not the user's personal network traffic.
- Per Application VPN: Android 5.0 provides support to facilitate VPN connections on allowed applications or prevents VPN connections on disallowed applications.
Third-party applications
Google is committed to increasing the use of TLS/SSL in all applications and services. As applications become more complex and connect to more devices, it's easier for applications to introduce networking mistakes by not using TLS/SSL correctly. The Android Security team has built a tool called nogotofail, which provides an easy way to confirm that devices or applications are safe against known TLS/SSL vulnerabilities and misconfigurations. The nogotofail tool works for Android and other operating systems. There's an easy-to-use client to configure the settings and get notifications on Android. The nogotofail tool is released as an open source project so application developers can test their applications, contribute new features to the project, and help improve the network security on Android.
Device and profile management
Android 5.0 introduces the concept of a Device Owner and Profile Owner to support the corporate-owned and bring your own device (BYOD) enterprise use cases, respectively. The concept of a Managed Profile is based on the Android multiuser concept, first introduced in Android 4.2 (API 17).
Android users
An Android user is intended to be used by a different physical person and has their own application data, some unique settings, and UI to explicitly switch between them. A user can run in the background when another user is active. A user's data is always isolated from other users. Android supports Primary and Secondary users as defined below:
- A Primary user is the first user added to a device. It can't be removed, except by factory reset. This user also has special privileges and settings only set by that user. The Primary user is always running even when other users are in the foreground.
- A Secondary user is any user added to the device other than the Primary user. A secondary user can be removed by their own doing and by the primary user, but can't impact other users on a device. Secondary users can run in the background and continue to have network connectivity when they do. However, there are some restrictions; for example, not being able to display UI or have Bluetooth services active while in the background. Background secondary users are halted by the system process if the device requires additional memory for operations in the foreground user.
Managed Profile
A Device Policy Client (DPC) is an application used to manage the corporate space on the device. The DPC has access to the device management APIs available in the DevicePolicyManager class and receives callbacks from the system via the DeviceAdminReceiver class. A Work Profile is a managed profile created when the DPC initiates a managed provisioning flow. In this instance, a Work Profile functions like a regular user, but is associated with the primary user in such a way that notifications and the recent task list are shared. Applications, notifications and widgets from the Managed Profile are always badged. Because the Work Profile is a separate Android user, there's a strong separation between the corporate and personal profile, and all data within the Work Profile is managed separately by the enterprise. A Profile Owner is a special case of a device administrator, who can only manage the corporate space on a user's personal device to support the BYOD use case. Profile owners are scoped to the Work Profile and can only be defined as part of the managed provisioning process. The user experience is enhanced to allow the user to easily access both personal and Work Profiles at once. The Profile Owner can't be deactivated by the user; however, the user is always able to view and validate the settings being enforced within the Work Profile. The user can choose to remove the Work Profile and the Profile Owner altogether whenever they desire. A Device Owner is like a Profile Owner, but scoped to the whole device. The Device Owner is the device administrator in the corporate-owned device use case.
Cross profile intents
In the BYOD case, data in the Work Profile is segregated from the user's personal data. However, there are instances where allowing intents from one profile to be resolved in the other can be useful and enhance the enterprise user's productivity. In the Work Profile, IT administrators control sharing between managed and personal profiles. Two new methods have been added in Android 5.0 to the DevicePolicyManager class for cross profile intents: addCrossProfileIntentFilter and clearCrossProfileIntentFilters. By default, the following intents are automatically configured by the system during the Work Profile creation to be forwarded to the Primary Profile:
- Telephony intents
- Mobile network settings
- Home intent: The launcher doesn't run in the Work Profile.
- Get content: The user has the option to resolve in either the Primary or Work Profile.
- Open document: The user has the option to resolve in either the Primary or Work Profile.
- Picture: The user has the option to resolve in either the Primary or Work Profile if an app that can handle camera exists in the Work Profile.
- Set clock: The user has the option to resolve in either the Primary or Work Profile.
- Speech recognition: The user has the option to resolve in either the Primary or Work Profile.
Additionally, the SEND intent, used when sharing content, is configured to offer the user the option to forward the content into the Work Profile.
Note: The SEND intent is not automatically configured to offer the user the option to forward their content from the Work Profile into the primary because some IT administrators consider this a security risk. Instead, the DPC application has the option of adding this functionality, if allowed by a company's IT policy.
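How a Profile Owner DPC would open the Work-to-Personal SEND direction described in the note, only when IT policy permits, and reset to the secure default otherwise (added example, not code from the whitepaper; the class and method names are assumptions, the DevicePolicyManager calls and flag are the Android 5.0 API):

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

// Added example, not from the whitepaper: policy-gated cross-profile sharing.
public final class CrossProfileSharing {
    private CrossProfileSharing() {}

    /**
     * Runs inside the Work Profile; the caller must be its Profile Owner.
     * Returns true if Work -> Personal SEND forwarding is now installed.
     */
    public static boolean applyPolicy(Context workCtx, ComponentName admin,
                                      boolean allowWorkToPersonalShare) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) workCtx.getSystemService(Context.DEVICE_POLICY_SERVICE);

        // Start from a known state: remove every filter this admin added before.
        // The system defaults listed above (telephony, home, get content, ...)
        // were not added by the profile owner and are therefore unaffected.
        dpm.clearCrossProfileIntentFilters(admin);

        if (!allowWorkToPersonalShare) {
            return false;  // secure default: work data stays in the Work Profile
        }

        // Narrow filter: plain-text ACTION_SEND only, not arbitrary MIME types
        // or file attachments.
        IntentFilter share = new IntentFilter(Intent.ACTION_SEND);
        share.addCategory(Intent.CATEGORY_DEFAULT);
        try {
            share.addDataType("text/plain");
        } catch (IntentFilter.MalformedMimeTypeException e) {
            throw new IllegalStateException(e);  // the literal above is well-formed
        }

        // FLAG_MANAGED_CAN_ACCESS_PARENT: an intent fired in the managed (work)
        // profile may resolve to activities in the parent (personal) profile.
        // The reverse direction would use FLAG_PARENT_CAN_ACCESS_MANAGED.
        dpm.addCrossProfileIntentFilter(admin, share,
                DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT);
        return true;
    }
}
```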
Device and profile policies
Android 5.0 adds a number of security policies and configurations for both device and profile management. IT administrators can set these policies (indirectly) via a mobile device management (MDM) solution to secure work data on their employees' devices. The following table lists these policies, indicating whether they apply to devices for corporate-owned device cases or profiles for BYOD cases.
Policy                                      Device    Profile
addCrossProfileIntentFilter
addCrossProfileWidgetProvider
addPersistentPreferredActivity
addUserRestriction
clearCrossProfileIntentFilters
clearDeviceOwnerApp
clearPackagePersistentPreferredActivities
clearUserRestriction
createAndInitializeUser
enableSystemApp
installCaCert
installKeyPair
lockNow
removeActiveAdmin
removeCrossProfileWidgetProvider
removeUser
resetPassword
setAccountManagementDisable
setApplicationHidden
setApplicationRestrictions
setAutoTimeRequired
setCameraDisabled
setCrossProfileIdDisabled
setGlobalSetting
setKeyguardDisabledFeatures
setLockTaskPackages
setMasterVolumeMuted
setMaximumFailedPasswordsForWipe
setMaximumTimeToLock
setPasswordExpirationTimeout
setPasswordHistoryLength
setPasswordMinimumLength
setPasswordMinimumLetters
setPasswordMinimumLowerCase
setPasswordMinimumNonLetter
setPasswordMinimumNumeric
setPasswordMinimumSymbols
setPasswordMinimumUpperCase
setPasswordQuality
setPermittedAccessibilityServices
setPermittedInputMethods
setProfileEnabled
setProfileName
setRecommendedGlobalProxy
setRestrictionsProvider
setScreenCaptureDisabled
setSecureSetting
setStorageEncryption
setUninstallBlocked
switchUser
uninstallAllUserCaCerts
uninstallCaCert
wipeData
Application management
Android for Work creates a secure framework for companies to put any application in Google Play to work for them in a simple, standard way. Through Google Play for Work, an enterprise version of Google Play, IT administrators can easily find, deploy, and manage work applications while ensuring malware and other threats are neutralized.
Google Play for Work
Google Play for Work provides APIs for use by Enterprise Mobility Management (EMM) vendors to allow them to manage applications on devices in an Android for Work domain. The APIs provide functionality for use (indirectly) by administrators of the enterprises managed by the EMM as follows:
- An IT administrator can remotely install or remove apps on managed Android for Work devices via the EMM's app. This action is limited to devices or profiles that are managed by the EMM's app, which ensures that the user has consented to the EMM's access.
- An IT administrator can define which users should be able to see which apps. A user running the Play Store app within the Work Profile only sees the apps visible to them.
- Enterprise administrators can see which users have apps installed or provisioned, and the number of licenses purchased and provisioned.
Installation of applications within the Work Profile is possible via Google Play for Work in the Work Profile, either by direct user request in the managed Play Store app (pull), or as a result of a call to the EMM API (push). When the user opens the Play Store app in the Work Profile, it only displays the apps which the IT administrator has specified the user can access. The user can install these applications, but not others.
Secure app serving
Transport of all Android application packages (APKs) and app metadata between Google Play and Android devices is encrypted using SSL. App access is authenticated and authorized using the Google Account created as part of user registration in the Android for Work domain.
Private apps
With Google Play for Work, apps can be published by an enterprise customer and targeted privately (i.e. they're only visible and installable by users within that enterprise's Android for Work domain). Private apps are logically separated in Google's cloud infrastructure from Google Play for consumers. There are two modes of delivery for private apps:
- Google hosted: By default, Google hosts the APK in its secure data centers.
- Externally hosted: Enterprise customers host APKs on their own servers, accessible only on their intranet or via VPN. Details of the requesting user and their authorization are provided via a JSON Web Token (JWT) with an expiry time. The JWT is signed by Google using the key pair associated with the specific app in Play, and should be verified before trusting the authorization contained in the JWT.
In both cases, Google Play for Work stores the app metadata: title, description, graphics, and screenshots. Apps must comply with all Google Play policies in all cases.
Unknown sources
By default, the Unknown sources setting under Settings > Security > Unknown sources is off. The Device Owner or Profile Owner can disable user control of Unknown sources in the Managed Device or Work Profile by setting the DISALLOW_INSTALL_UNKNOWN_SOURCES user restriction to true using addUserRestriction. The default value for the DISALLOW_INSTALL_UNKNOWN_SOURCES user restriction in both Device Owner and Profile Owner is false. When DISALLOW_INSTALL_UNKNOWN_SOURCES is set to true by the Device Owner or Profile Owner, the user cannot modify the Unknown sources security setting on the device or Work Profile; however, in the case of the Work Profile, the user can still modify the Unknown sources setting in their personal space. Additionally, the sideloading of applications using Android Debug Bridge (adb) can be disabled via the DISALLOW_DEBUGGING_FEATURES user restriction in a Managed Device by the Device Owner, or in a Work Profile by the Profile Owner. The default value of DISALLOW_DEBUGGING_FEATURES for both Device Owner and Profile Owner is false. Setting the DISALLOW_INSTALL_UNKNOWN_SOURCES and DISALLOW_DEBUGGING_FEATURES user restrictions to true by EMMs provides an extra measure of assurance to IT administrators that only company-approved apps will be deployed using Google Play for Work to users in a corporate-managed device or profile.
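A DPC admin receiver that applies both restrictions as soon as provisioning completes and can later confirm they are still in force, as an added example not taken from the whitepaper (the receiver class name is an assumption; the UserManager constants and DevicePolicyManager methods are the Android 5.0 API):

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.os.UserManager;

// Added example, not from the whitepaper: lock down sideloading in the space
// this admin owns (whole device for a Device Owner, Work Profile for a
// Profile Owner) and expose a compliance check the EMM can report on.
public class LockdownAdminReceiver extends DeviceAdminReceiver {

    /** Restrictions this DPC always applies. */
    static final String[] REQUIRED_RESTRICTIONS = {
            UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,  // user cannot enable Unknown sources
            UserManager.DISALLOW_DEBUGGING_FEATURES,       // no adb install / USB debugging
    };

    /** Called once the managed profile or managed device has been provisioned. */
    @Override
    public void onProfileProvisioningComplete(Context context, Intent intent) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = getWho(context);  // this receiver's ComponentName
        applyRestrictions(dpm, admin);
    }

    /** Sets each restriction; idempotent, so it is safe to repeat on every policy sync. */
    static void applyRestrictions(DevicePolicyManager dpm, ComponentName admin) {
        // For a Profile Owner this touches only the Work Profile; the user's
        // personal space keeps its own Unknown sources setting, as the text notes.
        for (String key : REQUIRED_RESTRICTIONS) {
            dpm.addUserRestriction(admin, key);
        }
    }

    /** Returns true only if every required restriction is actually active. */
    static boolean isCompliant(DevicePolicyManager dpm, ComponentName admin) {
        Bundle active = dpm.getUserRestrictions(admin);
        for (String key : REQUIRED_RESTRICTIONS) {
            if (!active.getBoolean(key, false)) {
                return false;  // default is false, so an absent key means "not set"
            }
        }
        return true;
    }
}
```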
Managed App configuration
Android for Work provides the ability to set policies on a per-application basis, where the app developer has made this available. For example, an app could allow an IT administrator to remotely control the availability of features, configure settings, or set in-app credentials. The setApplicationRestrictions method allows EMMs to configure these restrictions via the DevicePolicyManager class. Google Chrome is an example of an enterprise-managed app that implements policies and configurations that can be fully managed according to enterprise policies and restrictions.
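Both halves of managed app configuration, as an added example that is neither the whitepaper's code nor Chrome's: the DPC pushes a restrictions Bundle with setApplicationRestrictions, and the work app reads it back through RestrictionsManager and validates it before use. The package name "com.example.workapp" and the restriction keys are hypothetical.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.RestrictionsManager;
import android.os.Bundle;

// Added example, not from the whitepaper: EMM side and app side of one
// managed configuration. Package name and keys are hypothetical.
public final class ManagedAppConfig {
    static final String WORK_APP = "com.example.workapp";
    // Keys the (hypothetical) work app declares in its restrictions XML.
    static final String KEY_SERVER_URL = "server_url";
    static final String KEY_ALLOW_CLIPBOARD = "allow_clipboard";

    private ManagedAppConfig() {}

    /** DPC side: push configuration. A Profile Owner only affects the Work Profile copy. */
    public static void push(Context dpcCtx, ComponentName admin, String serverUrl) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) dpcCtx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        Bundle settings = new Bundle();
        settings.putString(KEY_SERVER_URL, serverUrl);
        settings.putBoolean(KEY_ALLOW_CLIPBOARD, false);  // restrictive by default
        dpm.setApplicationRestrictions(admin, WORK_APP, settings);
    }

    /** DPC side: read back what is in force, for compliance reporting. */
    public static Bundle current(Context dpcCtx, ComponentName admin) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) dpcCtx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        return dpm.getApplicationRestrictions(admin, WORK_APP);
    }

    /** App side: effective settings, with safe defaults when the app is not managed. */
    public static final class AppSettings {
        public final String serverUrl;
        public final boolean allowClipboard;

        AppSettings(String serverUrl, boolean allowClipboard) {
            this.serverUrl = serverUrl;
            this.allowClipboard = allowClipboard;
        }

        public static AppSettings load(Context appCtx) {
            RestrictionsManager rm =
                    (RestrictionsManager) appCtx.getSystemService(Context.RESTRICTIONS_SERVICE);
            Bundle b = rm.getApplicationRestrictions();  // empty Bundle when unmanaged
            String url = b.getString(KEY_SERVER_URL, "https://placeholder.invalid/");
            // Configuration is admin-supplied, not user-supplied, but the app still
            // validates it: refuse a plaintext endpoint rather than silently use it.
            if (!url.startsWith("https://")) {
                throw new IllegalArgumentException("managed server_url must use https");
            }
            boolean clip = b.getBoolean(KEY_ALLOW_CLIPBOARD, false);
            return new AppSettings(url, clip);
        }
    }
}
```

The app should call AppSettings.load again when it receives the ACTION_APPLICATION_RESTRICTIONS_CHANGED broadcast, so a policy change by the EMM takes effect without a reinstall.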
Security best practices
Google designed Android and Google Play to provide everyone with a safer experience. With that goal in mind, the Android Security team works hard to minimize the security risks on Android devices. Google's multilayered approach starts with prevention and continues with malware detection and rapid response should any issues arise. More specifically, Google:
- Strives to prevent security issues from occurring through design reviews, penetration testing and code audits
- Performs security reviews prior to releasing new versions of Android and Google Play
- Publishes the source code for Android, thus allowing the broader community to uncover flaws and contribute to making Android the most secure mobile platform
- Works hard to minimize the impact of security issues with features like the application sandbox
- Detects vulnerabilities and security issues by regularly scanning Google Play applications for malware, and removing them from devices if there's a potential for serious harm to the user devices or data
- Has a rapid response program in place to handle vulnerabilities found in Android by working with hardware and carrier partners to quickly resolve security issues and push security patches
The Android team works very closely with the wider security research community to share ideas, apply best practices, and implement improvements. Android is part of the Google Patch Reward Program, which pays developers when they contribute security patches to popular open source projects, many of which form the foundation for AOSP. Google is also a member of the Forum of Incident Response and Security Teams (FIRST).
Conclusion
For a long time, being secure has been synonymous with being closed. But the mobile ecosystem is now transitioning from closed, isolated platforms towards open platforms that foster innovation and allow interoperability with confidence. Android gains security from being more open. Android's security is built to protect its users in a complex ecosystem that includes system-on-a-chip (SoC) vendors, OEMs, service providers, independent software vendors (ISVs), and enterprises, just to name a few. Google's commitment to security for all Android users includes a combination of built-in security features in the platform (such as application sandboxing) and Google services-based protections (such as Google Play and Verify apps). Behind Google Play's attempt to protect against potentially harmful applications is a vast, systemic knowledge of Android applications accumulated over many years, beginning with the onset of Android. Google Play uses a combination of static, dynamic, and relationship analysis, combined with thousands of unique signals to analyze each application. Every application on Google Play is reviewed through a combination of technology, human review, and user community flags.
Finally, Android 5.0 enhances Android device management capabilities by introducing Work Profiles. In the context of Android for Work, enterprises rely on Google Play for Work for deploying applications. Unknown sources and third-party marketplaces can be disallowed by EMMs, thus protecting employees' devices from any potentially malicious applications being installed in the Work Profile.