What is SafetyNet and how does it improve Android security?
SafetyNet from Google offers a complete suite of features to keep the Android ecosystem in check.
Oct 25, 2021
Confused about choosing Android devices for your company? Hold on! You might be thinking about all the security issues of Android devices. A lot of people still think that Android security in the enterprise is at stake. iOS indeed has an edge over Android devices, but the fact is that Android devices are also among the most secure and affordable devices available for enterprise use. When it comes to the workplace, some enterprises neglect Android because of the common misconceptions about Android security in the enterprise.
Android had security issues due to fragmentation. Even though Google releases timely OS updates to improve the security of devices, they take a long time to reach end users because middle parties like SoC vendors and OEMs are involved in delivering the updates. So, most OEMs restrict their devices to two major updates, which in turn has led to security gaps. Google has made strides to solve this problem; they released Project Treble with Android Oreo to reduce the dependence of OS updates on SoC vendors. Now, Android 12 has been released with Project Mainline, which focuses on becoming less dependent on OEMs for delivering security updates.
In this blog, I will talk about some of the common myths you may hear about Android security in the enterprise.
The fact is that Google has offered Android Enterprise / Android for Work from the ‘Lollipop’ version onwards, and it has already been very effective in the work environment. Google also released a powerful set of APIs to manage Android features, and support for them has been made mandatory for all GMS-certified devices above the OS version ‘Marshmallow’. Android Enterprise is a device management framework that focuses on guarding and managing devices in the workplace. Enterprises can have more control over devices enrolled in Android Enterprise programs.
Android rugged devices are the most preferred devices for industries with harsh workplace conditions like factories, storehouses, etc. These devices are highly rigid and can withstand extreme physical conditions, which iOS devices may fail to do. Kiosk-enabled Android devices are used by frontline workers in almost all enterprises. OEMs build their own applications, called OEMConfig apps, which, when used along with the Android Enterprise program, provide the best management capabilities possible over company devices.
So, it is clear that Android also has great potential in the enterprise and it is even possible to get a list of Google-approved enterprise-grade devices from the Android Enterprise Recommended website so that organizations can choose the best devices for work purposes.
Android is built with powerful security features to protect sensitive data, and proper measures are taken to safeguard enterprise devices or data from possible threats. Android includes a secure operating system known as ‘Trusty’, which provides a trusted execution environment for running security-sensitive operations such as PIN verification and verified boot. Trusty is completely isolated from the rest of the system, which helps prevent the installation of malicious apps in it. Android supports ‘verified boot’, which ensures that the executed code is sourced from the OEMs and not from any suspicious origins. Each application in the Android OS runs in a separate environment called the app sandbox, which prevents one application from accessing resources or information from another app. Google releases monthly security updates to safeguard devices from attacks.
Even if there are some flaws in the security of Android, security solutions like UEMs can make Android devices suitable for the work environment. Once an Android device is enrolled in the Hexnode portal, the admin can manage the device, enforce strong security policies and even manage files remotely, altogether making Android even more secure in the workplace.
Android Enterprise provides four management modes:
Malware is any kind of malicious software created to harm or exploit a device. It enters mobile devices through malicious apps, suspicious emails, text messages, and non-secure Wi-Fi networks. Sensitive information on an employee’s device could be stolen or damaged by malware. It is a real threat to all operating systems and not something specific to Android. However, proper security measures can prevent malware. Some best practices include:
Another myth is that Android devices cannot be deployed securely and users could skip the enrolment process, thereby leading to mismanagement. However, that’s not the case. Android has multiple deployment methods which can be chosen according to your need. UEM along with Android Enterprise can cover all management scenarios. Hence deploying Android work devices won’t be a problem.
Android supports zero-touch enrollment where users only need to power on the end device and connect to the internet to get enrolled in the UEM. It is one of the most secure ways to enroll devices in an enterprise as users are not able to skip the enrollment process. Moreover, if users try to remove management by factory resetting, they won’t be able to do it because the device automatically gets re-enrolled. UEMs can block the removal of the UEM profile by enforcing a UEM restriction.
Many devices with different chipset configurations use Android, so Android apps should be compatible with all of these devices. This is the reason that Android apps are not as optimized as iOS apps, but they do provide almost the same functionality and performance.
The Compatibility Definition Document (CDD) from Google provides requirements, guidelines, and recommendations for OEMs to build their devices, which in turn ensures compatibility of the device with the latest version of Android. Devices also have to pass the Compatibility Test Suite (CTS), which reveals incompatibilities early and assures that the applications built are compatible with Android devices.
Android also has a built-in malware protection service called ‘Google Play Protect’ that consistently scans billions of apps in the Play Store, which prevents the entry of malicious apps. Even if any such apps manage to enter the device, the service, with its always-on protection, detects potentially harmful apps on the device. Android also provides an enterprise app store called Managed Google Play, with which users are limited to installing only the approved apps.
SafetyNet is another built-in security feature of Android, which provides a set of services and APIs to protect apps against security attacks. The SafetyNet Attestation API helps app developers ensure that their servers are connecting to the original app running on a genuine Android device. It examines the device’s software and hardware integrity, compares it with reference data for approved Android devices, and provides a cryptographically signed attestation.
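The server-side half of that check, as an added example that is not code from this post, Hexnode or Google: it evaluates the fields of a SafetyNet attestation payload after the JWS signature and certificate chain have been verified (assumed done by a JOSE library). The package name, certificate digest and five-minute freshness window are assumed values.

```python
import base64
import hmac
import time

MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window, set per policy


def evaluate_attestation(payload, expected_nonce, expected_package,
                         expected_cert_digests, now_ms=None):
    """Return reasons to reject; an empty list means accept.

    `payload` is the JSON body of an attestation whose JWS signature and
    certificate chain were already verified (assumed done by a JOSE library).
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    failures = []
    # The nonce ties the verdict to one server-issued challenge (anti-replay).
    try:
        got = base64.b64decode(payload.get("nonce", ""), validate=True)
    except (ValueError, TypeError):
        got = b""
    if not hmac.compare_digest(got, expected_nonce):
        failures.append("nonce mismatch")
    # Stale or future-dated verdicts are rejected.
    ts = payload.get("timestampMs")
    if not isinstance(ts, int) or not 0 <= now_ms - ts <= MAX_AGE_MS:
        failures.append("timestamp outside freshness window")
    # The calling app must be ours, signed with our certificate.
    if payload.get("apkPackageName") != expected_package:
        failures.append("unexpected package name")
    digests = payload.get("apkCertificateDigestSha256")
    if not isinstance(digests, list) or not digests or any(
            d not in expected_cert_digests for d in digests):
        failures.append("unexpected signing certificate")
    # Missing verdict fields count as failures (fail closed).
    for field in ("basicIntegrity", "ctsProfileMatch"):
        if payload.get(field) is not True:
            failures.append(field + " not satisfied")
    return failures


def sample_payload(nonce, now_ms):
    """Constructed payload for illustration, not captured from a device."""
    return {
        "nonce": base64.b64encode(nonce).decode(),
        "timestampMs": now_ms - 1000,
        "apkPackageName": "com.example.app",
        "apkCertificateDigestSha256": ["Y29uc3RydWN0ZWQtZGlnZXN0"],
        "ctsProfileMatch": True,
        "basicIntegrity": True,
    }
```

The server should issue a fresh random nonce per request and run these checks only on a payload whose signature it has verified itself, never on a verdict computed by the app.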
UEMs with their app management capabilities can associate the devices with a policy configured for verification of apps before installing. It also provides a facility for adding apps from Managed Google Play to Hexnode app inventory. So, enterprise apps can be safely deployed to the employee devices within the company from the Hexnode console. There is also an option for downgrading apps if any new versions of them have any bugs or issues. OS updates can be scheduled according to the company requirements to ensure the compatibility of apps with the devices.
People believe that showing source code to the public will expose vulnerabilities in Android. But the fact is that it helps developers find and report security issues quickly with the help of support forums and issue queues. Also, attackers who break software do not need to look at the source code; they just need suitable hacking tools to detect vulnerabilities automatically. In the case of proprietary software, users must rely on software vendors to release an update or patch to solve security issues. The fact is that software quality is not measured by the flexibility of its license. Android has a large community of enthusiastic developers who are more interested in improving the quality of the product than in making money out of it. These passionate developers actively look out for bugs and issues, which makes Android less vulnerable to security issues.
So, in short, Android is a safe bet for enterprise use and its impact shouldn’t be overshadowed by the brand name of iOS. It is also noteworthy that rugged Android devices can be used in harsh work environments like chemical factories where iOS won’t stand a chance. The choice is yours, but make sure it’s wise.