Security whitepaper
Last updated: May 2015
Contents
About this document
Introduction
Android OS
Android Secure OS services
Cryptography and data protection
Device encryption
KeyChain and KeyStore
Application security
Application sandbox and permissions
Security Enhanced Linux
Application signing
Google Play app review
Verify apps
Network security
Wi-Fi
VPN
Third-party applications
Device and profile management
Android users
Managed Profile
Cross profile intents
Device and profile policies
Application management
Google Play for Work
Secure app serving
Private apps
Unknown sources
Managed App configuration
Security best practices
Conclusion
Android for Work Security whitepaper
About this document
This whitepaper provides an overview of the security features that are in place at the OS level and at the Google services layer. It also introduces the new device management capabilities developed for work, which give enterprises the ability to manage a workspace on their users' devices, prevent work data leakage, secure the communication back to the enterprise, and manage the applications installed in their workspace, preventing any unapproved apps from being installed for work.
Introduction
The Android operating system leverages traditional OS security controls to protect user data and system resources, protects device integrity against malware, and provides application isolation. Additionally, Google provides a number of services layered on top of the OS that, when combined with Android OS security, help to continuously protect the Android user.
Android OS
Android is an open source OS that's built on the Linux kernel and provides an environment for multiple applications to run simultaneously. These applications are signed and isolated into application sandboxes associated with their application signature. The application sandbox defines the privileges available to the application. Applications are generally built using the Android Runtime and interact with the OS through a framework that describes system services, platform Application Programming Interfaces (APIs), and message formats. Other high-level languages (for example, JavaScript) and lower-level languages (for example, ARM assembly) are allowed and operate within the same application sandbox. System services are implemented as applications and are constrained by an application sandbox. Above the kernel, there's no concept of a superuser or root that has unconstrained access to the system.
Figure 1 summarizes the security components and considerations of the various levels of the Android OS.
Android Secure OS services
Android is a multipurpose operating system. Many Android devices provide a secondary, isolated environment to run privileged or security-sensitive operations that don't need the functionality of a multipurpose OS. This environment is sometimes referred to as a Secure OS. These capabilities can be implemented on a separate processor (such as a standalone Secure Element or Trusted Platform Module [TPM]), or can be isolated beneath the kernel on a shared processor (such as ARM TrustZone technology).
The Secure OS can be used by the original equipment manufacturer (OEM) to provide device-specific services and applications. Most Android devices implement Widevine DRM-protected video playback services within the Secure OS. Starting with Android 4.3, cryptographic services based in the Secure OS have also been exposed to Android applications via the KeyChain API. This API provides the ability for applications to create keys that cannot be exported, even in the event of an Android compromise. Note that a compromised Android OS can still ask the Secure OS to use such a key while it remains on the device; what hardware backing prevents is extracting the key material and using it elsewhere.
Cryptography and data protection
Cryptography is used throughout Android to provide confidentiality and integrity. Google supports most of the industry-standard algorithms. The following lists major uses of cryptography on Android:
- Device encryption
- Application signing
- Network connectivity and encryption, including SSL, Wi-Fi, and VPN
Device encryption
Encryption is the process of encoding user data on an Android device using an encryption key. Once a device is encrypted, all user-created data is automatically encrypted before committing it to disk, and all reads automatically decrypt data before returning it to the calling process.
Android disk encryption is based on dm-crypt, which is a kernel feature that works at the block device layer. The encryption algorithm is 128-bit Advanced Encryption Standard (AES) in cipher-block chaining (CBC) mode with ESSIV:SHA256. The master key is encrypted with 128-bit AES via calls to the Android OpenSSL library. OEMs can use 128-bit or higher to encrypt the master key.
Android 5.0 introduces the following new encryption features:
- Fast encryption, which only encrypts used blocks on the data partition to avoid first boot taking a long time.
- Added the forceencrypt flag to encrypt on first boot.
- Added support for patterns and encryption without a password.
- Added hardware-backed storage of the encryption key.
In the Android 5.0 release, there are four kinds of encryption states:
- Default
- PIN
- Password
- Pattern
If default encryption is enabled on a device, then upon first boot, the device generates a 128-bit key, which is then encrypted with a default password, and the encrypted key is stored in the crypto metadata. Hardware backing is implemented by using the Trusted Execution Environment's (TEE's) signing capability. The generated 128-bit key is valid until the next factory reset (i.e. until the /data partition is erased). Upon factory reset, a new 128-bit key is generated.
When the user sets the PIN or password on the device, only the 128-bit key is re-encrypted and stored (i.e. user PIN/password/pattern changes don't cause re-encryption of user data).
The Android 5.0 Compatibility Definition Document (CDD) requires that if a device implementation has a lock screen, the device must support full-disk encryption of the application private data; that is, the /data partition and the SD card partition, if it's a permanent, non-removable part of the device.
Notes:
1. The encryption key must not be written to storage at any time without being encrypted. Other than when in active use, the encryption key must be AES-encrypted with the lock screen passcode stretched, using a slow stretching algorithm. If the user hasn't specified a lock screen passcode or has disabled passcode use for encryption, the system uses a default passcode to wrap the encryption key. If the device provides a hardware-backed keystore, the password stretching algorithm must be cryptographically bound to that keystore. In practice this means that a device with no lock screen passcode is protected only against its storage being read on another device (the key wrapping is bound to the TEE), not against someone who can boot the device itself; enforcing a lock screen passcode by policy is what ties the data to a secret the user holds.
2. Devices encrypted at first boot cannot be returned to an unencrypted state after factory reset.
KeyChain and KeyStore
Android provides a set of cryptographic APIs for use by applications. These APIs include implementations of standard and commonly used cryptographic primitives, such as AES, Rivest-Shamir-Adleman (RSA), Digital Signature Algorithm (DSA), and Secure Hash Algorithm (SHA). Additionally, APIs are provided for higher-level protocols, such as Secure Socket Layer (SSL) and HTTPS.
Android 4.0 introduced the KeyChain class to allow applications to use the system credential storage for private keys and certificate chains. The KeyChain API is used for Wi-Fi and Virtual Private Network (VPN) certificates.
The Android KeyStore provider lets an application store private keys in a container that makes them more difficult to extract from the device. It was introduced in Android 4.3 and focuses on applications storing credentials used for authentication, encryption, or signing purposes.
Applications can call isBoundKeyAlgorithm in KeyChain before importing or generating private keys of a given algorithm, to determine whether a hardware-backed keystore is supported that binds keys of that algorithm to the device in a way that makes them non-exportable.
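The following is an added example, not code from the whitepaper, showing how an app would use the two APIs just described together: check isBoundKeyAlgorithm first, then generate an RSA key pair inside the Android KeyStore provider (the KeyPairGeneratorSpec form available on Android 4.3 through 5.x) and sign with it without the private key ever being handed to the app. The alias, subject name, key size and validity period are assumptions made for the example.

```java
// Added example: hardware-bound signing key in the Android KeyStore provider.
// KEY_ALIAS, the subject and the 10-year validity are assumptions for this example.
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyPairGeneratorSpec;
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Calendar;
import javax.security.auth.x500.X500Principal;

public final class HardwareBackedKeys {
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore"; // provider name
    private static final String KEY_ALIAS = "work-signing-key";       // assumed alias

    /** True when RSA private keys created in the keystore cannot leave this device. */
    public static boolean rsaIsHardwareBacked() {
        return KeyChain.isBoundKeyAlgorithm("RSA");
    }

    /** Creates the key pair on first use; the app only ever receives a handle to it. */
    public static PrivateKey getOrCreateSigningKey(Context context) throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        if (!ks.containsAlias(KEY_ALIAS)) {
            Calendar start = Calendar.getInstance();
            Calendar end = Calendar.getInstance();
            end.add(Calendar.YEAR, 10);
            KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(context)
                    .setAlias(KEY_ALIAS)
                    .setSubject(new X500Principal("CN=" + KEY_ALIAS))
                    .setSerialNumber(BigInteger.ONE)
                    .setStartDate(start.getTime())
                    .setEndDate(end.getTime())
                    .setKeySize(2048)
                    .build();
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", ANDROID_KEYSTORE);
            kpg.initialize(spec);
            kpg.generateKeyPair(); // generated inside the keystore, never as raw bytes
        }
        // With the AndroidKeyStore provider this object is a reference, not key material.
        return (PrivateKey) ks.getKey(KEY_ALIAS, null);
    }

    /** Signs data; the keystore (TEE-backed where supported) performs the operation. */
    public static byte[] sign(Context context, byte[] data) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(getOrCreateSigningKey(context));
        sig.update(data);
        return sig.sign();
    }
}
```

Call rsaIsHardwareBacked() before enrolling a device credential: on a device where it returns false the key is still kept out of the app's process by the keystore daemon, but its protection rests on the Android OS alone rather than on the Secure OS, which is a different risk posture and may be grounds for refusing enrollment.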
Application security
Applications are an integral part of any mobile platform and users increasingly download applications to their devices. Android provides multiple layers of application protection, enabling users to download their favorite applications to their devices with the peace of mind that they're getting a high level of protection from malware, security exploits, and attacks. The following subsections define the main Android application security features.
Application sandbox and permissions
Android applications run in what is referred to as an application sandbox. Just like the walls of a sandbox keep the sand from getting out, each application is housed within a virtual sandbox to keep it from accessing anything outside itself. Some applications need to use functionality on the device that isn't in the sandbox; for example, accessing contact information. Before installing an application, the user is shown the capabilities the app requests (for example, make phone calls) and decides whether to grant them by installing the app. A phone dialer application should naturally be able to make phone calls. On the flip side, if the application is supposed to be a puzzle game, that same request might look a bit more suspicious. By providing these details up front, users can make an educated decision about trusting an app or not.
The Android platform takes advantage of the Linux user-based protection as a means of identifying and isolating application resources. The Android system assigns a unique user ID (UID) to each Android application and runs it as that user in a separate process. This approach is different from other operating systems (including the traditional Linux configuration), where multiple applications run with the same user permissions.
This sets up a kernel-level application sandbox. The kernel enforces security between applications and the system at the process level through standard Linux facilities, such as user and group IDs that are assigned to applications. By default, applications can't interact with each other and applications have limited access to the OS. For example, if application A tries to do something malicious like read application B's data or dial the phone (which is a separate application) without permission, then the OS protects against this because application A doesn't have the appropriate user privileges. The sandbox is simple, auditable, and based on decades-old, UNIX-style user separation of processes and file permissions.
Because the application sandbox is in the kernel, this security model extends to native code and to OS applications. All of the software above the kernel in Figure 1 (including OS libraries, application framework, application runtime, and all applications) runs within the application sandbox.
On some platforms, developers are constrained to a specific development framework, set of APIs, or language to enforce security. On Android, there are no restrictions on how an application can be written that are required to enforce security; native code is just as secure as interpreted code.
In some operating systems, memory corruption errors generally lead to completely compromising the security of the device. This is not the case in Android due to all applications and their resources being sandboxed at the OS level. A memory corruption error only allows arbitrary code execution in the context of that particular application, with the permissions established by the OS, unless it is chained with a second vulnerability in the kernel or a privileged service to escape the sandbox.
Security Enhanced Linux
As part of the Android security model, the Android sandbox also uses Security Enhanced Linux (SELinux) to enforce Mandatory Access Control (MAC) over all processes, even processes running with root and superuser privileges. SELinux provides a centralized, analyzable policy and strongly separates processes from one another.
Android includes SELinux in enforcing mode (that is, security policy is enforced and logged) and a corresponding security policy that works by default across the Android Open Source Project (AOSP). In enforcing mode, illegitimate actions that violate policy are prevented and all violations (denials) are logged by the kernel to dmesg and logcat.
The Android 5.0 CDD mandates that devices must implement a SELinux policy that allows the SELinux mode to be set on a per-domain basis, with all domains configured in enforcing mode. No permissive mode domains are allowed. The Compatibility Test Suite (CTS) for SELinux ensures security policy compatibility and enforces security best practices.
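The denial records described above are what a practitioner actually reads when checking a device build. The following added example (not part of the whitepaper) parses kernel AVC denial lines of the kind captured with "adb shell dmesg" or "adb logcat -d", and flags any denial recorded with permissive=1, which means the action was logged but not blocked and therefore that a permissive domain exists, contrary to the CDD requirement. The three sample lines are constructed for this example.

```java
// Added example: triage of SELinux AVC denials; sample lines are constructed.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class SelinuxDenialTriage {

    public static final class Denial {
        public final String permission, comm, scontext, tcontext, tclass;
        public final boolean permissive;

        Denial(String permission, String comm, String scontext, String tcontext,
               String tclass, boolean permissive) {
            this.permission = permission; this.comm = comm; this.scontext = scontext;
            this.tcontext = tcontext; this.tclass = tclass; this.permissive = permissive;
        }

        /** "u:r:untrusted_app:s0" -> "untrusted_app" */
        public String sourceDomain() {
            String[] p = scontext.split(":");
            return p.length >= 3 ? p[2] : scontext;
        }

        @Override public String toString() {
            return sourceDomain() + " (" + comm + ") " + permission + " on " + tclass + " "
                    + tcontext + (permissive ? " [NOT BLOCKED: permissive domain]" : "");
        }
    }

    // Kernel audit format of an AVC denial; "permissive=" is absent on older kernels.
    private static final Pattern AVC = Pattern.compile(
            "avc:\\s+denied\\s+\\{\\s*([^}]*?)\\s*\\}.*?comm=\"([^\"]*)\""
          + ".*?scontext=(\\S+)\\s+tcontext=(\\S+)\\s+tclass=(\\S+)"
          + "(?:\\s+permissive=(\\d))?");

    public static List<Denial> parse(List<String> lines) {
        List<Denial> out = new ArrayList<>();
        for (String line : lines) {
            Matcher m = AVC.matcher(line);
            if (m.find()) {
                out.add(new Denial(m.group(1), m.group(2), m.group(3), m.group(4),
                        m.group(5), "1".equals(m.group(6))));
            }
        }
        return out;
    }

    /** CDD 5.0 forbids permissive domains: any permissive=1 record names one. */
    public static Set<String> permissiveDomains(List<Denial> denials) {
        Set<String> domains = new LinkedHashSet<>();
        for (Denial d : denials) if (d.permissive) domains.add(d.sourceDomain());
        return domains;
    }

    public static void main(String[] args) {
        List<String> sample = Arrays.asList(   // constructed sample lines
            "[   42.118371] type=1400 audit(1431612345.678:12): avc: denied { read } for pid=2210"
          + " comm=\"com.example.game\" name=\"wpa_supplicant.conf\" dev=\"mmcblk0p25\" ino=4097"
          + " scontext=u:r:untrusted_app:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file permissive=0",
            "[   42.203554] type=1400 audit(1431612345.763:13): avc: denied { write } for pid=611"
          + " comm=\"vendor_daemon\" name=\"sys\" dev=\"tmpfs\" ino=12"
          + " scontext=u:r:vendor_daemon:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1",
            "[   42.300000] init: Starting service 'adbd'...");
        List<Denial> denials = parse(sample);
        for (Denial d : denials) System.out.println(d);
        System.out.println("Permissive domains: " + permissiveDomains(denials));
    }
}
```

On the constructed input the first line is an ordinary blocked denial (an untrusted app probing Wi-Fi credentials, which is exactly the kind of event worth reviewing), and the second identifies vendor_daemon as a permissive domain. A clean build reports no permissive domains; a device that reports some fails the CDD requirement regardless of what getenforce says globally.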
Application signing
Android requires that all apps be digitally signed with a certificate before they can be installed. The certificate doesn't need to be signed by a certificate authority. Android uses this certificate to identify the author of the application. Android applications often use self-signed certificates and the application developer holds the certificate's private key. When the system installs an update to an application, it compares the certificates in the new version with those in the existing version, and allows the update only if the certificates match. Because the app's identity is tied to this key, a leaked signing key lets an attacker ship updates that the platform accepts as coming from the legitimate author, and a lost key means the app can never be updated in place; protect it accordingly.
Android allows applications signed by the same certificate to run in the same process, if the applications so request, so that the system treats them as a single application. Android provides signature-based permissions enforcement, so that an application can expose functionality to another app that's signed with a specified certificate. By signing multiple apps with the same certificate, and using signature-based permissions, an app can share code and data in a secure manner.
The key must have a validity period that exceeds the expected lifespan of the app. (A validity period of 25 years or more is recommended.) When a key's validity period expires, users can no longer seamlessly upgrade to new versions of the application.
Note: Applications published on Google Play must be signed with keys that have a validity period ending after October 22, 2033. Google Play enforces this requirement to ensure that users can seamlessly upgrade apps when new versions are available.
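The simplest way to expose functionality only to apps signed with a given certificate is the declarative one: define a permission with android:protectionLevel="signature" in the manifest and the system enforces it. When the trust relationship is with a specific third party's certificate rather than your own, the check has to be done in code. The following added example (not from the whitepaper) pins the caller's signing certificate by the SHA-256 digest of its DER encoding; the digest value and package names are placeholders. It checks every certificate on the package and every package sharing the calling UID, because accepting a match on signatures[0] alone would let a package co-signed with an unrelated certificate through.

```java
// Added example: verify a package's (or an IPC caller's) signing certificate against
// a pinned digest. The digest below is a placeholder, not a real certificate hash.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class SignerCheck {
    // Hex SHA-256 over the DER-encoded signing certificate(s) that are trusted.
    private static final Set<String> TRUSTED_CERT_SHA256 = new HashSet<>(Arrays.asList(
            "0000000000000000000000000000000000000000000000000000000000000000"));

    public static boolean isSignedByTrustedKey(Context ctx, String packageName) {
        PackageInfo info;
        try {
            info = ctx.getPackageManager()
                      .getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
        } catch (PackageManager.NameNotFoundException e) {
            return false; // not installed: nothing to trust
        }
        if (info.signatures == null || info.signatures.length == 0) return false;
        // Every signer must be trusted, not just the first one.
        for (Signature sig : info.signatures) {
            if (!TRUSTED_CERT_SHA256.contains(sha256Hex(sig.toByteArray()))) return false;
        }
        return true;
    }

    /** For a Service or ContentProvider: gate the call on Binder.getCallingUid(). */
    public static boolean callerIsTrusted(Context ctx, int callingUid) {
        String[] pkgs = ctx.getPackageManager().getPackagesForUid(callingUid);
        if (pkgs == null || pkgs.length == 0) return false;
        // Packages may share a UID (sharedUserId), so all of them must pass.
        for (String pkg : pkgs) if (!isSignedByTrustedKey(ctx, pkg)) return false;
        return true;
    }

    private static String sha256Hex(byte[] der) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(der);
            StringBuilder sb = new StringBuilder(d.length * 2);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new AssertionError(e); // SHA-256 is always present on Android
        }
    }
}
```

Compare the full certificate digest, never Signature.hashCode() or a substring of the certificate, and never the package name alone: the package name is chosen by whoever builds the APK, while the certificate is the identity the platform itself enforces across updates.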
Google Play app review
Google Play is Android's app distribution platform, and it protects users from potentially harmful apps. Google Play has policies in place to protect users from attackers trying to distribute potentially harmful apps. Within Google Play, developers are validated in two stages. Developers are first reviewed when they create their Google Play developer account, based on their profile and credit cards. Developers are then reviewed further with additional signals upon app submission. Google regularly scans Play applications for malware and other vulnerabilities. Google also suspends developer accounts that violate developer program policies.
Google Play also has ratings and reviews that provide information about an application before installing it. If an app tries to mislead users, it's likely to have a low star rating and poor comments.
An example of Google's developer security advocacy was for apps running vulnerable versions of the Apache Cordova platform. Google notified:
- Developers via the Google Play Developer Console and email
- Developers of apps containing private keys or keystore files
Verify apps
Android devices that have Google Play installed have the option of using Google's Verify Apps feature, which scans apps when you install them and periodically scans for potentially harmful apps. App verification is turned on by default, but no data is sent to Google unless the user agrees to allow this when prompted in the dialog box, prior to installing the first app from a source other than Google Play.
Verify Apps is available on Android 2.3+ with Google Play. On devices running Android 4.2 or higher, users can enable or disable Verify Apps from Google Settings > Security > Verify Apps.
Verify Apps now continually checks devices to ensure that all apps behave in a safer manner, even after installation. This enhancement takes the protection even further, using Android's powerful app scanning system developed by the Android Security and Safe Browsing teams.
Network security
In addition to data-at-rest security protecting information stored on the device, Android provides network security for data-in-transit to protect data sent to and from Android devices. Android provides secure communications over the Internet for web browsing, email, instant messaging, and other Internet applications, by supporting Transport Layer Security (TLS), including TLS v1.0, TLS v1.1, TLS v1.2, and SSL v3.
Wi-Fi
Android supports the WPA2-Enterprise (802.11i) protocol, which is specifically designed for enterprise networks and can be integrated with a broad range of Remote Authentication Dial-In User Service (RADIUS) authentication servers. WPA2-Enterprise in Android 5.0 uses AES-128 (CCMP) encryption, thus providing corporations and their employees a high level of protection when sending and receiving data over Wi-Fi.
Android supports 802.1X Extensible Authentication Protocol (EAP) methods, including EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and EAP-SIM, the last introduced in Android 5.0. For the tunnelled methods (EAP-TTLS and PEAP) the user's credentials are only as safe as the client's validation of the RADIUS server certificate: a network profile provisioned without a CA certificate and a server subject match will hand those credentials to any access point that announces the corporate SSID.
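The following added example (not from the whitepaper) provisions a WPA2-Enterprise network with EAP-TLS through WifiEnterpriseConfig, the API a DPC or enterprise app would use, pinning both the RADIUS server's issuing CA and its expected subject. The SSID, the subject string and the source of the certificates and client key (for instance, a PKCS#12 file delivered by the EMM) are assumptions for this example.

```java
// Added example: EAP-TLS network with server certificate pinning.
// SSID and RADIUS_SUBJECT are assumed values; certificates come from the caller.
import android.content.Context;
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiEnterpriseConfig;
import android.net.wifi.WifiManager;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

public final class EnterpriseWifi {
    private static final String SSID = "CorpWiFi";                            // assumed
    private static final String RADIUS_SUBJECT = "/CN=radius.corp.example";   // assumed

    /** Returns the network id assigned by WifiManager, or -1 on failure. */
    public static int addEapTlsNetwork(Context ctx, String identity,
                                       X509Certificate caCert,
                                       PrivateKey clientKey, X509Certificate clientCert) {
        WifiEnterpriseConfig eap = new WifiEnterpriseConfig();
        eap.setEapMethod(WifiEnterpriseConfig.Eap.TLS);
        eap.setIdentity(identity);
        eap.setCaCertificate(caCert);        // without this, any server certificate is accepted
        eap.setSubjectMatch(RADIUS_SUBJECT); // and this pins which server under that CA
        eap.setClientKeyEntry(clientKey, clientCert);

        WifiConfiguration conf = new WifiConfiguration();
        conf.SSID = "\"" + SSID + "\"";      // WifiConfiguration expects the SSID quoted
        conf.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP);
        conf.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.IEEE8021X);
        conf.allowedProtocols.set(WifiConfiguration.Protocol.RSN);             // WPA2 only
        conf.allowedPairwiseCiphers.set(WifiConfiguration.PairwiseCipher.CCMP); // AES, no TKIP
        conf.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.CCMP);
        conf.enterpriseConfig = eap;

        WifiManager wm = (WifiManager) ctx.getApplicationContext()
                .getSystemService(Context.WIFI_SERVICE);
        int netId = wm.addNetwork(conf);
        if (netId != -1) wm.enableNetwork(netId, false);
        return netId;
    }
}
```

For PEAP or EAP-TTLS the same setCaCertificate and setSubjectMatch calls apply, with setEapMethod(Eap.PEAP) or Eap.TTLS, a setPhase2Method such as Phase2.MSCHAPV2, and setPassword in place of the client key entry; the CA and subject pinning matter even more there, since the inner credential is a reusable password rather than a per-device key.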
VPN
Android supports network security using VPN:
- Always-on VPN: The VPN can be configured so that applications don't have access to the network until a VPN connection is established, which prevents applications from sending data across other networks.
- Per-user VPN: On multiuser devices, VPNs are applied per Android user, so all of a user's network traffic is routed through a VPN without affecting other users on the device.
- Per-profile VPN: VPNs are applied per Work Profile, which allows an IT administrator to ensure that only the enterprise's network traffic goes through the enterprise Work Profile VPN, not the user's personal network traffic.
- Per-application VPN: Android 5.0 provides support to route through the VPN only the traffic of allowed applications, or to exclude disallowed applications from the VPN.
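The per-application mode is exposed to a VpnService through its Builder. The following added example (not from the whitepaper) shows a VpnService that admits only an explicit allow-list of packages into the tunnel and protects its own gateway socket so that the tunnel's outer packets are not routed back into the VPN. Package names, addresses, gateway and port are assumptions; the packet-forwarding loop between the tun descriptor and the gateway socket is protocol-specific and is not part of this example.

```java
// Added example: Android 5.0 per-application VPN configuration.
// ALLOWED, GATEWAY, GATEWAY_PORT and the tunnel addresses are assumed values.
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.channels.DatagramChannel;

public class WorkOnlyVpnService extends VpnService {
    private static final String[] ALLOWED = { "com.example.corp.mail", "com.example.corp.crm" };
    private static final String GATEWAY = "vpn.corp.example";
    private static final int GATEWAY_PORT = 1194;

    private ParcelFileDescriptor tun;
    private Thread worker;

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        tun = buildInterface();
        if (tun == null) {           // user declined or revoked the VPN consent dialog
            stopSelf();
            return START_NOT_STICKY;
        }
        worker = new Thread(() -> {
            try (DatagramChannel gateway = openGatewaySocket()) {
                // Protocol-specific forwarding between tun.getFileDescriptor() and
                // 'gateway' runs here for the lifetime of the service.
            } catch (IOException e) {
                stopSelf();
            }
        }, "vpn-worker");
        worker.start();
        return START_STICKY;
    }

    private ParcelFileDescriptor buildInterface() {
        Builder b = new Builder()
                .setSession("Work VPN")
                .addAddress("10.8.0.2", 32)   // tunnel-side address of this device
                .addRoute("0.0.0.0", 0)       // all traffic of allowed apps enters the tunnel
                .addDnsServer("10.8.0.1");    // corporate resolver, reachable only via tunnel
        for (String pkg : ALLOWED) {
            try {
                b.addAllowedApplication(pkg); // API 21: only these packages use the VPN
            } catch (PackageManager.NameNotFoundException e) {
                // Not installed on this device; skip it rather than fail the whole VPN.
            }
        }
        return b.establish();
    }

    /** Off the main thread (DNS + connect). protect() keeps this socket outside the VPN. */
    private DatagramChannel openGatewaySocket() throws IOException {
        DatagramChannel ch = DatagramChannel.open();
        if (!protect(ch.socket())) throw new IOException("protect() failed");
        ch.connect(new InetSocketAddress(GATEWAY, GATEWAY_PORT));
        return ch;
    }

    @Override
    public void onDestroy() {
        if (worker != null) worker.interrupt();
        try { if (tun != null) tun.close(); } catch (IOException ignored) { }
    }
}
```

The inverse policy, everything through the VPN except a few packages, uses addDisallowedApplication instead; the two cannot be mixed on one Builder. Note that addAllowedApplication silently narrows scope if a listed package is absent, so a DPC that depends on a given app being tunnelled should verify the package is installed before treating the profile as compliant.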
Third-party applications
Google is committed to increasing the use of TLS/SSL in all applications and services. As applications become more complex and connect to more devices, it's easier for applications to introduce networking mistakes by not using TLS/SSL correctly.
The Android Security team has built a tool called nogotofail, which provides an easy way to confirm that devices or applications are safe against known TLS/SSL vulnerabilities and misconfigurations. The nogotofail tool works for Android and other operating systems. There's an easy-to-use client to configure the settings and get notifications on Android. The nogotofail tool is released as an open source project so application developers can test their applications, contribute new features to the project, and help improve the network security on Android.
Device and profile management
Android 5.0 introduces the concepts of a Device Owner and a Profile Owner to support the corporate-owned and bring-your-own-device (BYOD) enterprise use cases, respectively. The concept of a Managed Profile is based on the Android multiuser concept, first introduced in Android 4.2 (API 17).
Android users
An Android user is intended to be used by a different physical person and has their own application data, some unique settings, and a UI to explicitly switch between them. A user can run in the background when another user is active. A user's data is always isolated from other users.
Android supports Primary and Secondary users as defined below:
- A Primary user is the first user added to a device. It can't be removed, except by factory reset. This user also has special privileges and settings only set by that user. The Primary user is always running even when other users are in the foreground.
- A Secondary user is any user added to the device other than the Primary user. A secondary user can be removed by their own doing and by the primary user, but can't impact other users on a device. Secondary users can run in the background and continue to have network connectivity when they do. However, there are some restrictions; for example, not being able to display UI or have Bluetooth services active while in the background. Background secondary users are halted by the system process if the device requires additional memory for operations in the foreground user.
Managed Profile
A Device Policy Client (DPC) is an application used to manage the corporate space on the device. The DPC has access to the device management APIs available in the DevicePolicyManager class and receives callbacks from the system via the DeviceAdminReceiver class.
A Work Profile is a managed profile created when the DPC initiates a managed provisioning flow. In this instance, a Work Profile functions like a regular user, but is associated with the primary user in such a way that notifications and the recent task list are shared. Applications, notifications and widgets from the Managed Profile are always badged. Because the Work Profile is a separate Android user, there's a strong separation between the corporate and personal profile, and all data within the Work Profile is managed separately by the enterprise.
A Profile Owner is a special case of a device administrator, who can only manage the corporate space on a user's personal device to support the BYOD use case. Profile owners are scoped to the Work Profile and can only be defined as part of the managed provisioning process. The user experience is enhanced to allow the user to easily access both personal and Work Profiles at once. The Profile Owner can't be deactivated by the user; however, the user is always able to view and validate the settings being enforced within the Work Profile. The user can choose to remove the Work Profile and the Profile Owner altogether whenever they desire.
A Device Owner is like a Profile Owner, but scoped to the whole device. The Device Owner is the device administrator in the corporate-owned device use case.
Cross profile intents
In the BYOD case, data in the Work Profile is segregated from the user's personal data. However, there are instances where allowing intents from one profile to be resolved in the other can be useful and enhance the enterprise user's productivity. In the Work Profile, IT administrators control sharing between managed and personal profiles. Two new methods have been added in Android 5.0 to the DevicePolicyManager class for cross profile intents: addCrossProfileIntentFilter and clearCrossProfileIntentFilters.
By default, the following intents are automatically configured by the system during Work Profile creation to be forwarded to the Primary Profile:
- Telephony intents
- Mobile network settings
- Home intent: The launcher doesn't run in the Work Profile.
- Get content: The user has the option to resolve in either the Primary or Work Profile.
- Open document: The user has the option to resolve in either the Primary or Work Profile.
- Picture: The user has the option to resolve in either the Primary or Work Profile if an app that can handle the camera exists in the Work Profile.
- Set clock: The user has the option to resolve in either the Primary or Work Profile.
- Speech recognition: The user has the option to resolve in either the Primary or Work Profile.
Additionally, the SEND intent, used when sharing content, is configured to offer the user the option to forward the content into the Work Profile.
Note: The SEND intent is not automatically configured to offer the user the option to forward their content from the Work Profile into the primary profile, because some IT administrators consider this a security risk. Instead, the DPC application has the option of adding this functionality, if allowed by a company's IT policy.
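The following added example (not from the whitepaper) shows a Profile Owner opting in to exactly that work-to-personal sharing, narrowed to one MIME type so that documents cannot be shared out the same way, and how it revokes every cross-profile filter it has set. The admin ComponentName and the chosen MIME type are assumptions.

```java
// Added example: DPC-controlled work-to-personal sharing for plain text only.
// The admin ComponentName and "text/plain" scope are assumptions for this example.
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

public final class CrossProfileSharing {

    private static DevicePolicyManager dpm(Context ctx) {
        return (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
    }

    /** Let ACTION_SEND of text/plain started in the work profile resolve in the personal one. */
    public static void allowWorkToPersonalTextShare(Context ctx, ComponentName admin)
            throws IntentFilter.MalformedMimeTypeException {
        IntentFilter share = new IntentFilter(Intent.ACTION_SEND);
        share.addCategory(Intent.CATEGORY_DEFAULT); // implicit intents carry this category
        share.addDataType("text/plain");           // links and snippets, not files or images
        // FLAG_MANAGED_CAN_ACCESS_PARENT: intents fired in the managed (work) profile may be
        // resolved by activities in the parent (personal) profile. The system-provided
        // personal-to-work direction is the other flag, FLAG_PARENT_CAN_ACCESS_MANAGED.
        dpm(ctx).addCrossProfileIntentFilter(admin, share,
                DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT);
    }

    /** Remove all cross-profile filters this admin added (system defaults are untouched). */
    public static void revokeAll(Context ctx, ComponentName admin) {
        dpm(ctx).clearCrossProfileIntentFilters(admin);
    }
}
```

Because addCrossProfileIntentFilter matches on the full IntentFilter, scope is controlled by what the filter admits: action, category and data type together. A filter with addDataType("*/*") would re-open the general document-sharing path that the platform deliberately leaves closed.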
Device and profile policies
Android 5.0 adds a number of security policies and configurations for both device and profile management. IT administrators can set these policies (indirectly) via a mobile device management (MDM) solution to secure work data on their employees' devices. The following DevicePolicyManager methods implement these policies; each applies to the device (corporate-owned case), to the profile (BYOD case), or to both:
- addCrossProfileIntentFilter
- addCrossProfileWidgetProvider
- addPersistentPreferredActivity
- addUserRestriction
- clearDeviceOwnerApp
- clearPackagePersistentPreferredActivities
- clearUserRestriction
- createAndInitializeUser
- enableSystemApp
- installCaCert
- installKeyPair
- lockNow
- removeActiveAdmin
- clearCrossProfileIntentFilters
- removeCrossProfileWidgetProvider
- removeUser
- resetPassword
- setAccountManagementDisabled
- setApplicationHidden
- setApplicationRestrictions
- setAutoTimeRequired
- setCameraDisabled
- setCrossProfileCallerIdDisabled
- setGlobalSetting
- setKeyguardDisabledFeatures
- setLockTaskPackages
- setMasterVolumeMuted
- setMaximumFailedPasswordsForWipe
- setMaximumTimeToLock
- setPasswordExpirationTimeout
- setPasswordHistoryLength
- setPasswordMinimumLength
- setPasswordMinimumLetters
- setPasswordMinimumLowerCase
- setPasswordMinimumNonLetter
- setPasswordMinimumNumeric
- setPasswordMinimumSymbols
- setPasswordMinimumUpperCase
- setPasswordQuality
- setPermittedAccessibilityServices
- setPermittedInputMethods
- setProfileEnabled
- setProfileName
- setRecommendedGlobalProxy
- setRestrictionsProvider
- setScreenCaptureDisabled
- setSecureSetting
- setStorageEncryption
- setUninstallBlocked
- switchUser
- uninstallCaCert
- wipeData
- uninstallAllUserCaCerts
Application management
Android for Work creates a secure framework for companies to put any application in Google Play to work for them in a simple, standard way. Through Google Play for Work, an enterprise version of Google Play, IT administrators can easily find, deploy, and manage work applications while ensuring malware and other threats are neutralized.
Google Play for Work
Google Play for Work provides APIs for use by Enterprise Mobility Management (EMM) vendors to allow them to manage applications on devices in an Android for Work domain. The APIs provide functionality for use (indirectly) by administrators of the enterprises managed by the EMM, as follows:
- An IT administrator can remotely install or remove apps on managed Android for Work devices via the EMM's app. This action is limited to devices or profiles that are managed by the EMM's app, which ensures that the user has consented to the EMM's access.
- An IT administrator can define which users should be able to see which apps. A user running the Play Store app within the Work Profile only sees the apps visible to them.
- Enterprise administrators can see which users have apps installed or provisioned, and the number of licenses purchased and provisioned.
Installation of applications within the Work Profile is possible via Google Play for Work in the Work Profile, either by direct user request in the managed Play Store app (pull), or as a result of a call to the EMM API (push). When the user opens the Play Store app in the Work Profile, it only displays the apps which the IT administrator has specified the user can access. The user can install these applications, but not others.
Secure app serving
Transport of all Android application packages (APKs) and app metadata between Google Play and Android devices is encrypted using SSL/TLS. App access is authenticated and authorized using the Google Account created as part of user registration in the Android for Work domain.
Private apps
With Google Play for Work, apps can be published by an enterprise customer and targeted privately (i.e. they're only visible to and installable by users within that enterprise's Android for Work domain). Private apps are logically separated in Google's cloud infrastructure from Google Play for consumers. There are two modes of delivery for private apps:
- Google hosted: By default, Google hosts the APK in its secure data centers.
- Externally hosted: Enterprise customers host APKs on their own servers, accessible only on their intranet or via VPN. Details of the requesting user and their authorization are provided via a JSON Web Token (JWT) with an expiry time. The JWT is signed by Google using the key pair associated with the specific app in Play, and must be verified before trusting the authorization contained in the JWT.
In both cases, Google Play for Work stores the app metadata: title, description, graphics, and screenshots. Apps must comply with all Google Play policies in all cases.
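The verification step for the externally hosted case is the enterprise's responsibility: the APK server must check the token before serving a download. The following added example (not from the whitepaper) does that with the Java standard library alone: it pins the algorithm to RS256, verifies the signature over the header and payload with the app's public key, and rejects tokens whose expiry has passed. Where the public key comes from (here assumed to be obtained from the app's Play listing as a Base64 SubjectPublicKeyInfo) and any claim other than exp are assumptions; the example takes no position on the token's other contents.

```java
// Added example: server-side JWT check before serving an externally hosted APK.
// The public-key source and the presence of claims other than "exp" are assumptions.
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class ExternalHostJwtCheck {
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");
    private static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"([^\"]+)\"");

    /** Base64 (standard alphabet) DER SubjectPublicKeyInfo of the app's signing key. */
    public static PublicKey loadPublicKey(String base64Spki) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64Spki);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    /** True only if the RS256 signature verifies and the token has not expired. */
    public static boolean isValid(String jwt, PublicKey key, long nowEpochSeconds) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        try {
            Base64.Decoder b64 = Base64.getUrlDecoder(); // accepts unpadded input
            String header = new String(b64.decode(parts[0]), StandardCharsets.UTF_8);
            String payload = new String(b64.decode(parts[1]), StandardCharsets.UTF_8);

            // Pin the algorithm server-side; never let the token select "none" or an HMAC.
            Matcher alg = ALG.matcher(header);
            if (!alg.find() || !"RS256".equals(alg.group(1))) return false;

            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(key);
            sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            if (!sig.verify(b64.decode(parts[2]))) return false;

            // Only trust claims after the signature has been verified.
            Matcher exp = EXP.matcher(payload);
            if (!exp.find()) return false; // no expiry: refuse rather than serve forever
            return Long.parseLong(exp.group(1)) > nowEpochSeconds;
        } catch (Exception e) {
            return false; // malformed Base64, wrong key type, etc. all mean "do not serve"
        }
    }
}
```

The order matters: the payload is decoded for parsing but no claim is acted on until sig.verify has succeeded, and the algorithm check happens before the key is used at all. A server that reads exp or the user identity first and verifies later is exposed to forged tokens that are syntactically valid.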
Unknown sources
By default, the Unknown sources setting under Settings > Security > Unknown sources is off. The Device Owner or Profile Owner can disable user control of Unknown sources in the managed device or Work Profile by setting the DISALLOW_INSTALL_UNKNOWN_SOURCES user restriction to true using addUserRestriction. The default value of the DISALLOW_INSTALL_UNKNOWN_SOURCES user restriction for both Device Owner and Profile Owner is false. When DISALLOW_INSTALL_UNKNOWN_SOURCES is set to true by the Device Owner or Profile Owner, the user cannot modify the Unknown sources security setting on the device or Work Profile; however, in the case of a Work Profile, the user can still modify the Unknown sources setting in their personal space.
Additionally, the sideloading of applications using Android Debug Bridge (adb) can be disabled via the DISALLOW_DEBUGGING_FEATURES user restriction, in a managed device by the Device Owner or in a Work Profile by the Profile Owner. The default value of DISALLOW_DEBUGGING_FEATURES for both Device Owner and Profile Owner is false.
Setting the DISALLOW_INSTALL_UNKNOWN_SOURCES and DISALLOW_DEBUGGING_FEATURES user restrictions to true by EMMs provides an extra measure of assurance to IT administrators that only company-approved apps will be deployed using Google Play for Work to users in a corporate-managed device or profile.
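The following added example (not from the whitepaper) ties together the Managed Profile callbacks, the policy methods listed under Device and profile policies, and the two user restrictions above: a hypothetical Profile Owner's DeviceAdminReceiver applies its baseline the moment the Work Profile is provisioned, then exposes checks that an EMM agent can run before declaring the profile compliant. The profile name, password parameters and wipe threshold are assumptions chosen for illustration.

```java
// Added example: Profile Owner baseline applied in onProfileProvisioningComplete.
// The profile name, password policy values and wipe threshold are assumed choices.
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.os.UserManager;

public class WorkProfileAdminReceiver extends DeviceAdminReceiver {

    @Override
    public void onProfileProvisioningComplete(Context context, Intent intent) {
        DevicePolicyManager dpm = getManager(context);
        ComponentName admin = getWho(context);

        // Only company-approved apps: no sideloading, and no "adb install" either.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_DEBUGGING_FEATURES);

        // Lock-screen policy: a real passcode is what binds the encryption key to the user.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX);
        dpm.setPasswordMinimumLength(admin, 6);
        dpm.setMaximumTimeToLock(admin, 5 * 60 * 1000L);
        dpm.setMaximumFailedPasswordsForWipe(admin, 10); // for a Profile Owner: wipes the profile only

        // Data-leakage controls on the work side.
        dpm.setScreenCaptureDisabled(admin, true);
        dpm.setCrossProfileCallerIdDisabled(admin, true);

        // Make the profile visible to the user only once the policy is in place.
        dpm.setProfileName(admin, "Work");
        dpm.setProfileEnabled(admin);
    }

    /** Reads back the restrictions as the platform sees them for this user/profile. */
    public static boolean restrictionsApplied(Context context) {
        UserManager um = (UserManager) context.getSystemService(Context.USER_SERVICE);
        Bundle r = um.getUserRestrictions();
        return r.getBoolean(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, false)
            && r.getBoolean(UserManager.DISALLOW_DEBUGGING_FEATURES, false);
    }

    /** Storage encryption is active (not merely supported or in progress). */
    public static boolean storageEncrypted(Context context) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        return dpm.getStorageEncryptionStatus() == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE;
    }
}
```

The read-back helpers exist because a policy that was requested is not the same as one that is in force: getUserRestrictions and getStorageEncryptionStatus report the platform's state, which is what a compliance decision should be based on. The same receiver in a Device Owner would apply device-wide, and setMaximumFailedPasswordsForWipe would then wipe the whole device.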
Managed App configuration
Android for Work provides the ability to set policies on a per-application basis, where the app developer has made this available. For example, an app could allow an IT administrator to remotely control the availability of features, configure settings, or set in-app credentials. The setApplicationRestrictions method allows EMMs to configure these restrictions via the DevicePolicyManager class.
Google Chrome is an example of an enterprise-managed app that implements policies and configurations that can be fully managed according to enterprise policies and restrictions.
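Managed configuration has two halves, and the following added example (not from the whitepaper) shows both for a hypothetical managed mail app: the DPC side pushing a restriction Bundle with setApplicationRestrictions, and the app side reading it through RestrictionsManager with safe defaults when a key is absent. The package name, the restriction keys and their default values are assumptions; a real app declares its keys in a restrictions XML resource referenced from its manifest so the EMM console can discover them.

```java
// Added example: both sides of managed app configuration.
// TARGET_PKG, the keys and the defaults are assumptions for this example.
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.RestrictionsManager;
import android.os.Bundle;

public final class ManagedConfig {
    public static final String TARGET_PKG = "com.example.corpmail";
    public static final String KEY_SERVER = "server_url";
    public static final String KEY_ALLOW_ATTACHMENTS = "allow_attachments";

    /** DPC side: called by the EMM agent with the values the admin chose in the console. */
    public static void push(Context ctx, ComponentName admin, String serverUrl,
                            boolean allowAttachments) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        Bundle b = new Bundle();
        b.putString(KEY_SERVER, serverUrl);
        b.putBoolean(KEY_ALLOW_ATTACHMENTS, allowAttachments);
        dpm.setApplicationRestrictions(admin, TARGET_PKG, b); // replaces any earlier bundle
    }

    /** App side: the effective policy, with conservative defaults for unset keys. */
    public static final class Policy {
        public final String serverUrl;
        public final boolean allowAttachments;
        Policy(String serverUrl, boolean allowAttachments) {
            this.serverUrl = serverUrl;
            this.allowAttachments = allowAttachments;
        }
    }

    public static Policy read(Context appCtx) {
        RestrictionsManager rm =
                (RestrictionsManager) appCtx.getSystemService(Context.RESTRICTIONS_SERVICE);
        Bundle b = rm.getApplicationRestrictions();
        if (b == null) b = Bundle.EMPTY;                 // unmanaged install: defaults apply
        return new Policy(
                b.getString(KEY_SERVER, "https://mail.example.com"),
                b.getBoolean(KEY_ALLOW_ATTACHMENTS, false)); // deny unless the admin allows
    }
    // The app should also register a receiver for
    // Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED and call read() again, so a policy
    // change from the EMM takes effect without waiting for the next app start.
}
```

Defaults are a policy decision in their own right: when the restriction Bundle is empty, the app is running outside management and should behave as the most restrictive configuration, which is why the attachment flag defaults to false rather than true.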
Security best practices
Google designed Android and Google Play to provide everyone with a safer experience. With that goal in mind, the Android Security team works hard to minimize the security risks on Android devices. Google's multilayered approach starts with prevention and continues with malware detection and rapid response should any issues arise.
More specifically, Google:
- Strives to prevent security issues from occurring through design reviews, penetration testing and code audits
- Performs security reviews prior to releasing new versions of Android and Google Play
- Publishes the source code for Android, thus allowing the broader community to uncover flaws and contribute to making Android the most secure mobile platform
- Works hard to minimize the impact of security issues with features like the application sandbox
- Detects vulnerabilities and security issues by regularly scanning Google Play applications for malware, and removing them from devices if there's a potential for serious harm to the users' devices or data
- Has a rapid response program in place to handle vulnerabilities found in Android by working with hardware and carrier partners to quickly resolve security issues and push security patches
The Android team works very closely with the wider security research community to share ideas, apply best practices, and implement improvements. Android is part of the Google Patch Reward Program, which pays developers when they contribute security patches to popular open source projects, many of which form the foundation for AOSP. Google is also a member of the Forum of Incident Response and Security Teams (FIRST).
Conclusion
For a long time, being secure has been synonymous with being closed. But the mobile ecosystem is now transitioning from closed, isolated platforms towards open platforms that foster innovation and allow interoperability with confidence. Android gains security from being more open. Android's security is built to protect its users in a complex ecosystem that includes system-on-a-chip (SoC) vendors, OEMs, service providers, independent software vendors (ISVs), and enterprises, just to name a few.
Google's commitment to security for all Android users includes a combination of built-in security features in the platform (such as application sandboxing) and Google services-based protections (such as Google Play and Verify Apps). Behind Google Play's effort to protect against potentially harmful applications is a vast, systemic knowledge of Android applications accumulated over many years, beginning with the onset of Android. Google Play uses a combination of static, dynamic, and relationship analysis, combined with thousands of unique signals to analyze each application. Every application on Google Play is reviewed through a combination of technology, human review, and user community flags.
Finally, Android 5.0 enhances Android device management capabilities by introducing Work Profiles. In the context of Android for Work, enterprises rely on Google Play for Work for deploying applications. Unknown sources and third-party marketplaces can be disallowed by EMMs, thus protecting employees' devices from potentially malicious applications being installed in the Work Profile.