
Android security in the enterprise: Myths debunked

Evin Lee

Oct 25, 2021


Confused about choosing Android devices for your company? Hold on! You might be thinking about all the security issues of Android devices. A lot of people still think that Android security in the enterprise is at stake. iOS indeed has an edge over Android devices, but the fact is that Android devices are also among the most secure and inexpensive devices available for enterprise use. When it comes to the workplace, some enterprises neglect Android because of common misconceptions about Android security in the enterprise.

 

Android had security issues due to fragmentation. Even though Google releases timely OS updates to improve the security of devices, it takes a long time for them to reach end users because middle parties such as SoC vendors and OEMs are involved in delivering the updates. So, most OEMs restrict their devices to two major updates, which in turn has led to security gaps. Google has made strides to solve this problem; it released Project Treble with Android Oreo to reduce the dependence of OS updates on SoC vendors. Now, Android 12 has been released with Project Mainline, which focuses on becoming less dependent on OEMs for delivering security updates.

In this blog, I will talk about some of the common myths you may hear about Android security in the enterprise.

People still believe that Android is not an effective option for enterprise use

The fact is that Google has offered Android Enterprise / Android for Work from the ‘Lollipop’ version onwards, and it has already been very effective in the work environment. Google also released a powerful set of APIs to manage Android features, and support for them has been made mandatory for all GMS-certified devices above the OS version ‘Marshmallow’. Android Enterprise is a device management framework that focuses on guarding and managing devices in the workplace. Enterprises can exercise more control over devices enrolled in Android Enterprise programs.

Figure: Employees using an Android device in the factory
 

Android rugged devices are the most preferred devices for industries with harsh workplace conditions like factories, storehouses, etc. These devices are highly rigid and can withstand extreme physical conditions, which iOS devices may fail to do. Kiosk-enabled Android devices are used by frontline workers in almost all enterprises. OEMs build their own applications, called OEMConfig apps, which, when used along with the Android Enterprise program, provide the best management capabilities possible over company devices.


OEMConfig consists of a set of common APIs built by OEMs and published to Google Play. It supports managed configurations, which allow enterprises to manage OEM-specific settings easily without any additional development work at the EMM end. Organizations can distribute the OEMConfig app through the EMM and configure the required advanced settings. The introduction of OEMConfig has reduced the fragmentation existing across OEMs.

So, it is clear that Android also has great potential in the enterprise and it is even possible to get a list of Google-approved enterprise-grade devices from the Android Enterprise Recommended website so that organizations can choose the best devices for work purposes.

Inbuilt Android security:

Android is built with powerful security features to protect sensitive data, and proper measures are taken to safeguard enterprise devices and data from possible threats. Android includes a secure operating system known as ‘Trusty’, which provides a trusted execution environment for running security-sensitive operations such as PIN verification and verified boot. Trusty is completely isolated from the rest of the system, which helps prevent the installation of malicious apps in it. Android supports ‘verified boot’, which ensures that the executed code comes from the OEM and not from any suspicious origin. Each application in the Android OS runs in a separate environment called the app sandbox, which prevents one application from accessing resources or information from another app. Google releases monthly security updates to safeguard devices from attacks.

Still, if there are some flaws in the security of Android, security solutions like UEMs can make Android devices suitable for the work environment. Once an Android device is enrolled in the Hexnode portal, the admin can manage the device, enforce strong security policies and even manage files remotely, which together make Android even more secure in the workplace.

Android security is low because it has fewer management options for enterprise use

Android Enterprise provides four management modes:

  • Work profile for employee-owned devices (BYOD) – Personal devices can be used safely in the workplace by setting up separate work containers for storing work apps, sensitive data, and confidential files. Enterprise will not have any access to the primary profile or personal data of the user, so corporate data can be protected without compromising users’ privacy.
  • Full management for work-only company-owned devices – Corporate-owned devices can be fully managed with strict policies including device-level configurations. Enterprises have complete control over the device, and it cannot be used for personal use.
  • Full management for dedicated devices – Dedicated / corporate-owned single-use devices are locked into a single app or set of apps. This prevents users from accessing other apps or performing other actions. It provides granular control over the status bar, navigation bar, keyboard, and other features. Such devices can be used to show digital signage for addressing people at malls, airports, and public places.
  • Fully managed corporate device with work profile to enable personal use – Company-owned devices are provided with an Android work profile that is completely controlled by the organization. Despite this, a company can enforce device-wide policies and restrictions that are also applied to personal profiles. It also provides users with personal privacy and meets the IT policies of the company.

Malware is a major unsolved issue for Android

Malware is any kind of malicious software created to harm or exploit a device. It enters mobile devices through malicious apps, suspicious emails, text messages, and non-secure Wi-Fi networks. Sensitive information on an employee’s device could be stolen or damaged by malware. It is a real threat to all operating systems and not something specific to Android. However, proper security measures can prevent malware. Some best practices include:

  • Use a Virtual Private Network – Data can be accessed and shared securely over Wi-Fi networks using a VPN. It acts as a secure tunnel and encrypts the data sent through it, which prevents malicious apps from entering the device.
  • Use trusted Wi-Fi networks.
  • Download apps from trusted sources only.
  • Update software – Updating the OS regularly solves potential vulnerabilities.

Android devices are difficult to deploy

Another myth is that Android devices cannot be deployed securely and users could skip the enrolment process, thereby leading to mismanagement. However, that’s not the case. Android has multiple deployment methods which can be chosen according to your need. UEM along with Android Enterprise can cover all management scenarios. Hence deploying Android work devices won’t be a problem.

Android supports zero-touch enrollment where users only need to power on the end device and connect to the internet to get enrolled in the UEM. It is one of the most secure ways to enroll devices in an enterprise as users are not able to skip the enrollment process. Moreover, if users try to remove management by factory resetting, they won’t be able to do it because the device automatically gets re-enrolled. UEMs can block the removal of the UEM profile by enforcing a UEM restriction.

Android apps are less secure and do not perform well compared to iOS apps

Many devices with different chipset configurations use Android, so Android apps have to be compatible with all of these devices. This is the reason that Android apps are not as optimized as iOS apps, but they do provide almost the same functionality and performance.

The Compatibility Definition Document (CDD) from Google provides requirements, guidelines, and recommendations for OEMs to build their devices, which in turn ensures compatibility of the device with the latest version of Android. Devices also have to pass the Compatibility Test Suite (CTS), which reveals incompatibilities early and assures that the applications built are compatible with Android devices.

Android also has a built-in malware protection service called ‘Google Play Protect’ that consistently scans billions of apps in the Play Store, which prevents the entry of malicious apps. Even if such an app manages to enter the device, the service, with its always-on protection, detects potentially harmful apps on the device. Android also provides an enterprise app store called Managed Google Play, with which users are limited to installing only the approved apps.

SafetyNet is another built-in security feature of Android, which provides a set of services and APIs to protect apps against security attacks. The SafetyNet Attestation API helps app developers ensure that their servers are talking to the original app running on a genuine Android device. It examines the device’s software and hardware integrity, compares it with reference data for approved Android devices, and provides a cryptographically signed attestation.
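An added example, not from the original article or from Google or Hexnode: the server-side checks a backend would apply to the claims in a SafetyNet attestation once a JWS library has verified its signature and certificate chain. The claim names are those of the SafetyNet response; the package name, nonce, certificate digest, five-minute freshness window and sample payloads are constructed assumptions.

```python
import base64
import hashlib
import hmac
import time

MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window, not a Google-mandated value


def evaluate_attestation(payload, nonce, package, cert_digest, now_ms=None):
    """Return policy failures for a SafetyNet payload (dict) whose JWS
    signature and certificate chain were ALREADY verified by a JWS library."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    failures = []
    # Replay protection: the nonce must be the one this server issued.
    try:
        got = base64.b64decode(payload.get("nonce", ""), validate=True)
    except (ValueError, TypeError):
        got = b""
    if not hmac.compare_digest(got, nonce):
        failures.append("nonce mismatch")
    # Freshness: reject old or missing timestamps.
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or abs(now_ms - ts) > MAX_AGE_MS:
        failures.append("stale or missing timestamp")
    # App identity: package name and signing-certificate digest.
    if payload.get("apkPackageName") != package:
        failures.append("unexpected package")
    digests = payload.get("apkCertificateDigestSha256")
    if not isinstance(digests, list) or cert_digest not in digests:
        failures.append("unexpected signing certificate")
    # Device verdicts: anything other than an explicit True fails closed.
    for verdict in ("basicIntegrity", "ctsProfileMatch"):
        if payload.get(verdict) is not True:
            failures.append(verdict + " failed")
    return failures


# Constructed samples, not real output; BAD is a replay from a modified device.
NONCE = b"constructed-server-nonce-0001"
CERT = base64.b64encode(hashlib.sha256(b"constructed cert").digest()).decode()
NOW = 1_700_000_060_000
GOOD = {"nonce": base64.b64encode(NONCE).decode(), "timestampMs": NOW - 60_000,
        "apkPackageName": "com.example.workapp",
        "apkCertificateDigestSha256": [CERT],
        "basicIntegrity": True, "ctsProfileMatch": True}
BAD = dict(GOOD, nonce=base64.b64encode(b"old-nonce").decode(),
           ctsProfileMatch=False)

for sample in (GOOD, BAD):
    print(evaluate_attestation(sample, NONCE, "com.example.workapp", CERT, NOW))
```

Google has since deprecated the SafetyNet Attestation API in favor of the Play Integrity API, so new integrations should apply equivalent checks to that API's verdicts.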

UEMs with their app management capabilities can associate the devices with a policy configured for verification of apps before installing. It also provides a facility for adding apps from Managed Google Play to Hexnode app inventory. So, enterprise apps can be safely deployed to the employee devices within the company from the Hexnode console. There is also an option for downgrading apps if any new versions of them have any bugs or issues. OS updates can be scheduled according to the company requirements to ensure the compatibility of apps with the devices.

Android being open-source is more vulnerable to security issues

People believe that showing source code to the public will expose vulnerabilities in Android. But the fact is that it helps developers find and report security issues quickly with the help of support forums and issue queues. Also, attackers who break software do not need to look at the source code; they just need suitable hacking tools to detect vulnerabilities automatically. In the case of proprietary software, users must rely on software vendors to release an update or patch to solve security issues. The fact is that software quality is not measured by the flexibility of its license. Android has a large community of enthusiastic developers who are more interested in improving the quality of the product than in making money out of it. So, these passionate developers actively look out for bugs and issues, which makes Android less vulnerable to security issues.

So, in short, Android is a safe bet for enterprise use and its impact shouldn’t be overshadowed by the brand name of iOS. It is also noteworthy that rugged Android devices can be used in harsh work environments like chemical factories where iOS won’t stand a chance. The choice is yours, but make sure it’s wise.
