Security Best Practices for Android 5.0

Intel® Developer Zone offers tools and how-to information for cross-platform app development, platform and technology information, code samples, and peer expertise to help developers innovate and succeed. Join our communities for Android, Internet of Things, Intel® RealSense™ Technology, and Windows to download tools, access dev kits, share ideas with like-minded developers, and participate in hackathon’s, contests, roadshows, and local events.

Android is one of the most popular mobile systems in the world. A lot of people use Android devices.

Despite the popularity of Android, enterprises have largely avoided Android devices due to their security risks.

Previous versions of Android contained numerous vulnerabilities. Google has since made extensive security advancements. In addition to supporting data encryption and automatic screen locking, the latest devices limit the privileges of applications to help protect against security breaches.

Another important enhancement is Google's new program for enterprises—Android for Work. It offers enterprise-level security and supports containerization, which is the ability to separate work and personal data on employee Android devices.

These significant enhancements have now made it possible to use Android securely within the enterprise, provided organizations address the remaining inherent security issues. In this article, I will describe four best practices for Android device management.

• Prevent rooting or jail breaking
• Protect against mobile malware
• Enforce robust security measures
• Implement device management policies

Prevent rooting or jailbreaking

Rooting means unlocking the Android operating system so that users can install unapproved, potentially malicious applications, update the operating system, and replace the firmware, among other things.

It's a common occurrence that presents significant security challenges for enterprises. Rooted devices are more vulnerable to malicious apps. Rooted devices can expose the corporate network, risking sensitive data and are more susceptible to hacker attacks. Jailbreaking is the process of removing hardware restrictions on Apple iOS* devices through the use of software and hardware exploits. Such devices include the iPhone*, iPod* touch, iPad*, and second-generation Apple TV. Jailbreaking permits root access to the iOS file system and manager, allowing the download of additional applications, extensions, and themes that are unavailable through the official Apple App Store.To prevent the rooting or jailbreaking of Android devices, it is recommended to block rooted devices from connecting to the network and train employees on the dangers and repercussions of rooting their smartphones.

Protect against dangerous mobile software

Android users are able to install applications from any place (not just Google Play) and are consequently exposed to a larger volume of apps that contain malware. This impacts the enterprise because applications targeted by malware can steal login credentials, access the corporate network, and cause critical data loss. The best way to protect the corporate network against mobile malware is to install anti-malware software on approved devices. Here is a list of10 programs to consider using for protection against malicious software:

1. Dr.Web Antivirus*
2. Antivirus and Mobile Security* (Avast)
3. Mobile Security and Antivirus* by ESET
4. Armor* for Android
5. AntiVirus Security Free* by AVG
6. Mobile Security and AntiVirus* by Avast
7. Zoner* AntiVirus Free
8. BitDefender* AntiVirus Free
9. Hornet* AntiVirus Free
10. Norton* Security Antivirus

In addition, IT needs visibility into all installed applications, detect mobile malware in real time, blacklist vulnerable applications, and leverage a secure enterprise app store or catalog to distribute and update approved applications.

Enforce Robust Security Measures

As with all mobile devices, strong security measures are necessary to protect the corporate network. Although specific policies will vary according to industry, these are our baseline recommendations for Enterprise Mobility Management across all approved devices: require strong passwords, enforce data encryption, control app usage based on Wi-Fi* networks, and block certain functions, including copy/paste, location services, email, camera, and the microphone based on access policies and device location.

Best security practices

In addition, best security practices include:

Security and Data Separation – Devices in Android for Work deployments use hardware-based encryption and admin-managed policies to ensure business data stays separate and safe from malware while personal information stays private.

Support for both employee-owned and company-provisioned devices – Android for Work users can safely use a single Android device for business and personal use, and companies can provision devices they own and configure work profiles on employee-owned devices.

Remote Management – Admins can remotely control all work-related policies, applications, and data, and can wipe them from a device without touching the device owner's personal data.

Seamless User Experience – Android for Work delivers a consistent experience across all devices and lets users intuitively and effortlessly switch between work and personal apps. Business apps appear with personal apps in the launcher and recent apps list, but business app icons have badges that clearly distinguish them.

Simplified Application Deployment – Admins can use Google Play to find, whitelist, and deploy business apps to Android for Work devices. They can even use Google Play to deploy internal applications and resources. (See the Google Play for Work Help Center.)

Divide Productivity Suite – Users who don't have Google Apps for Work can instead use a full suite of secure productivity apps specifically designed for Android for Work. The suite includes business email, calendar, contacts, tasks, and download management.

Google offers an out-of-the-box Android for Work solution with its Google Apps for Work productivity suite. The solution lets Google Apps for Work administrators access EMM functionality in the Admin console that expands their current device management capabilities.

Implement device management policies

IT needs to be able to centrally manage and configure Android devices. It is recommended to remotely wipe lost or stolen devices, automatically wipe devices after a set number of failed unlock attempts, and implement location services that identify device coordinates in real time and enforce access policies accordingly.

Google designed Android and Google Play to provide a safer experience. With that goal in mind, the Android Security team works hard to minimize the security risks on Android devices. Google's multi-layered approach starts with prevention and continues with malware detection and rapid response should any issues arise. More specifically, Google:

• Strives to prevent security issues from occurring through design reviews, penetration testing and code audits
• Performs security reviews prior to releasing new versions of Android and Google Play
• Publishes the source code for Android, thus allowing the broader community to uncover flaws and contribute to making Android the most secure mobile platform
• Works hard to minimize the impact of security issues with features like the application sandbox
• Regularly scans Google Play applications for vulnerabilities and security issues and removes them if they pose serious harm to the user devices or data
• Has a rapid response program in place to handle vulnerabilities found in Android by working with hardware and carrier partners to quickly resolve security issues and push security patches

The Android team works very closely with the wider security research community to share ideas, apply best practices, and implement improvements. Android is part of the Google Patch Reward Program, which pays developers when they contribute security patches to popular open source projects, many of which form the foundation for the Android Open Source Project (AOSP). Google is also a member of the Forum of Incident Response and Security Teams (FIRST).

Related articles and resources

• Meshcentral - Improved Android Agent + Mesh Security Update
• Live Development, Security, and More Plugins

About the Author

Vitaliy Kalinin works in the Software & Services Group at Intel Corporation. He is a PhD student at Lobachevsky State University in Nizhny Novgorod, Russia. He has a Bachelor's degree in economics and mathematics and a Master's degree in applied economics and informatics. His main interest is mobile technologies and game development.