What is SafetyNet and how does it improve Android security?
Learn the need for SafetyNet on Androids, and what the 4 SafetyNet APIs can do.
Get fresh insights, pro tips, and thought starters–only the best of posts for you.
Jun 16, 2021
15 min read
Android devices are built to be customized. A well-recognized fact that even Google acknowledges. It’s the very reason there exists a remarkable open-source community for Android (the AOSP), filled with modders, developers, testers, and users from all around the world. It comes as no surprise then, that the choices for custom Android OS that exist today are innumerable.
But is custom Android OS viable in the workplace? What benefits do they provide that sets them apart from their stock counterparts? And the big one. How do you manage them? These are some of the issues that we shall try to assess in this blog.
A custom Android OS (or, a custom ROM) is basically a personalized Android firmware, that’s designed based on the Android open-source code provided by Google. With this code, developers can design their own custom versions of Android, and flash them to the supported devices, to enable access to new features and functionalities that would otherwise be unavailable on the Android.
Well, safe is a matter of perspective. Before I get on to explain, I’ll just state that – officially, any modification to the device firmware is not recommended by Google. The reason being that, not all custom ROMs go through the same officially verified quality checks that the stock firmware goes through.
However, in my personal opinion, flashing a custom ROM on your Android is as safe as trusting your original stock firmware. That is, as long as you’re installing the right one. This statement strictly depends on the source from which you download the firmware.
If you’re downloading from a verified developer, you’ll be safe. Well, as safe as you can be. There is always a chance of vulnerabilities affecting your system, but this chance is more or less the same for both stock and custom firmware. Moreover, if the code for your custom ROM is open-sourced, vulnerabilities can be quickly identified and patched by developer communities.
As an IT admin, the most sensible option to ensure that your custom Android OS is safe is to have it configured by your registered OEM vendor itself.
However, Google also holds another way to identify if your Android OS is reliable. Enter the SafetyNet APIs (special mention to the SafetyNet Attestation API), and Google’s Compatibility Test Suite (CTS).
This is because, – among other reasons – custom ROM enabled Androids that don’t pass the CTS test, have a high chance of having the application sandboxing feature compromised. For banking apps, this means that all your transactions and banking details may be accessed by the rest of your device, or by third-party software. So yeah, SafetyNet is a critical check that will ensure the reliability of your custom Android OS.
This is by far one of the most attractive reasons to flash a custom OS on your Android. Most manufacturers take a long time to deploy the latest software and OS update to their Androids. Especially if it’s the older models. Moreover, OS releases may be delayed in some regions, or sometimes completely unavailable. Patiently waiting for an anticipated update only to be disappointingly let down is something we all may have faced at some point.
Well not anymore! As soon as a new OS update is released, developers modify it to create a new custom Android OS, enabling end-users to access the new features and functionalities, even before it officially hits the shelves on their stock ROMs.
With new and updated software and OS comes access to additional features and functionalities, and the ability to tweak the Androids to your liking even further. Don’t want users to access the headphone jack? Disable it. Don’t like the volume warning when your headphones are plugged in? Get rid of it. Wanna run your apps in tablet mode? Just do it. There are very few limits to options you can tweak on a custom Android OS.
Today, most Androids tend to come with a lot of pre-installed applications and software, most of which you may never use. These apps just end up being nothing but a source of revenue for manufacturers. Ergo – possibly why they’re there in the first place.
Flashing a custom ROM enables you to remove this bloatware from your users’ Android, and retain only the applications you may need. This in turn reinforces your ITs’ ability to easily provision company endpoints with just the approved software.
By removing all that bloatware, custom ROMs enable you to eliminate all the useless clutter that pollutes your RAM and provisions memory for your essential applications and software to use. Moreover, with custom ROMs, users can overclock or underclock their Android depending on their ever-changing demands and ensure optimal performance at all times.
When it comes to the UI, most manufacturers can’t help but go overboard, presumably to make their Android stand out among all the competition, and that’s understandable. But sometimes, the folks at UI just can’t control themselves and ends up lighting up your device like a Van Gogh painting with all their tweaks and adjustments.
I’ve been on the receiving end and trust me, it’s not fun. If that’s your case, you can install a custom ROM on your Android and unlock access to a whole suite of customizable options, enabling you to personalize Android devices to your company requirements.
This comes as maybe a subdivision of our earlier point. Less bloatware equals fewer battery-draining applications and hence, improved battery life. Underclocking your device also enables you to improve battery life in critical conditions.
Now it’s true that if you own a smartphone, asking for privacy can be akin to asking Santa Claus for a rainbow-colored unicorn. In fact, I think he’d sooner get you the unicorn. But with a custom Android OS, you can to a certain limit, have a greater say in what data is accessible to third-party software. And if you need to ensure maximum privacy on your company Androids, I’d also suggest making use of a UEM solution to gain access to deeper options for securing your Androids.
Manufacturers release devices such that their models usually stop receiving new updates after around 2 years of use. Also, unless you’re using a flagship device, the support period becomes considerably shorter. In such cases, installing a custom ROM on your non-traditional Androids enables you to receive updates that were not originally available for your device, along with proper support from the developers.
Flashing a custom Android OS on your devices require a complete factory reset. So, in case your users have got some important information stored on their Androids, you’ll need to advise them to back up all their data to a temporary location until the flashing process is complete.
When flashing a custom ROM by yourself, you run a high chance of bricking your device. Granted, if you choose the right ROM for the right model, follow the instructions to the letter, and stay away from the less popular ROMs, you’re bound to have a successful installation. However, there still rests the small chance that you may inadvertently brick the device.
Custom ROMs will make changes to the software on your phone. So, there lies a small chance that some of your device hardware may become slightly unstable with your installed ROM. You might notice this in the form of apps force-closing, random bugs, reduced camera quality, and maybe even occasional restarts. However, this too depends on the custom ROM you have flashed. As long as you’ve chosen a popular ROM for your device (or a ROM configured by your OEM vendor), you won’t run into these problems. And even if you do, you’ll receive regular updates and bug fixes for your firmware.
Flashing a custom ROM that’s not approved by your device manufacturer will void the warranty on your Androids. You should make sure that users are aware of this clause before deciding to install a custom ROM.
For security reasons, some applications will refuse to run on devices with a custom Android OS. This includes banking apps, apps with in-app purchases, apps that store personal information and more. In short, any app that examines the SafetyNet status of your device may not provide support on a custom ROM.
A custom Android OS equips enterprises with immense options to customize their work devices according to their corporate requirements. Remove certain device functionalities, personalize the UI, and more. All this becomes possible by flashing a custom ROM.
Stock Androids usually stop receiving software updates after a couple of years, and this may pose an issue if your enterprise requires their work devices to be updated to the latest security patches. This is where custom Android builds can help you. Custom ROM developers can provide software updates and patches along with support that would otherwise be unavailable on users’ devices.
You don’t want your enterprise endpoints to be filled with useless apps that take up both your space and your computing memory. Such applications may end up reducing your employee productivity. Devices with custom Android OS gets rid of all this bloatware and enables access to features and functionalities that would otherwise be unobtainable on stock Androids.
IT can enroll their custom Android OS devices in Hexnode as device admin, using a variety of methods, including enrolling using Active Directory credentials, self/Email/SMS enrollment and QR code enrollment. Rooted devices can be quickly identified and managed, enabling IT to easily monitor the status and health of custom Android OS devices.
ROM configured enrollment is one of the easiest and foolproof methods of UEM enrollment that exists for Androids. This method is usually used by enterprises collaborating with an OEM vendor. (Pssst, this method usually requires no work from the IT admin.)
So here are the steps involved for ROM configured enrollment.
Edit and set up the custom ROM image for the Android, and copy the Hexnode UEM apk to the,
Grant the following permissions to the Hexnode UEM app.
Optionally, you can also copy the Hexnode Remote view apk to the device, and make the app non-removable, by copying it to the ‘system/priv-app’ or ‘system/app folder’.
Now, as the IT admin, you need to generate a configuration file from the Hexnode portal. Once you generate a new configuration file, you’re gonna have to provide a password for this file. Why? Cuz this password is important for when your end-users turn on their Androids for the first time. We’ll get to that part soon. Okay so once it is created, you download the configuration file and send it to your OEM vendor. That’s it. As the IT admin, your part in this affair is done.
Next, your vendor will have to make sure that the configuration file they received is named exactly as ‘hex_rom_config.txt’. No mistakes. Then, they must copy it to ‘system’ folder on the ROM image. Once that’s done, they flash the ROM to the required devices and done! All that’s left is to ship the Androids to your end-users.
So, what exactly happens at the user-end for this process? Alright so once your users receive their ROM configured Androids, naturally, they’ll turn it on.
When a ROM configured Android is turned on for the first time, it boots up into lost mode, with options to connect to the internet. Now, this is where the password you’ve set for the configuration file becomes relevant. Without access to the configuration file password, end-users cannot go out of lost mode.
Now, once the device connects to a network, the enrollment process begins, and as soon as the device is successfully enrolled to your Hexnode portal, it automatically leaves lost mode. All the policies and settings you’ve configured for your endpoints from the Hexnode portal, are applied over-the-air.
With Hexnode’s ROM configured enrollment, enterprises are equipped with plenty of options to manage their corporate Androids, that would otherwise be impossible without using Android Enterprise enrollment.
Custom Android OSes are living testimony to the Android style of being open, free-for-all, and constantly evolving. They succeed in taking control from the manufacturers and returning it to the people, to decide how they would like software to be designed.
Enrolling Androids by configuring ROM offers enterprises with immense device management possibilities on par with most management solutions, just the way Google does with their Android Enterprise program.