
Android for Work

Security whitepaper
Last updated: May 2015

Contents

About this document
Introduction
Android OS
Android Secure OS services
Cryptography and data protection
Device encryption
KeyChain and KeyStore
Application security
Application sandbox and permissions
Security Enhanced Linux
Application signing
Google Play app review
Verify apps
Network security
Wi-Fi
VPN
Third-party applications
Device and profile management
Android users
Managed Profile
Cross profile intents
Device and profile policies
Application management
Google Play for Work
Secure app serving
Private apps
Unknown sources
Managed App configuration
Security best practices
Conclusion

Android for Work Security whitepaper 2

About this document
This whitepaper provides an overview of the security features that are in place at the OS level and at the Google services layer. It also introduces the device management capabilities developed for work, which give enterprises the ability to manage a workspace on their users' devices, prevent work data leakage, secure the communication back to the enterprise, and manage the applications installed in their workspace, preventing unapproved apps from being installed for work.

Introduction
The Android operating system leverages traditional OS security controls to protect user data and system resources, protects device integrity against malware, and provides application isolation. Additionally, Google provides a number of services layered on top of the OS that, when combined with Android OS security, help to continuously protect the Android user.

Android OS
Android is an open source OS that is built on the Linux kernel and provides an environment for multiple applications to run simultaneously. These applications are signed and isolated into application sandboxes associated with their application signature. The application sandbox defines the privileges available to the application. Applications are generally built using the Android Runtime and interact with the OS through a framework that describes system services, platform Application Programming Interfaces (APIs), and message formats. Other high-level languages (for example, JavaScript) and lower-level languages (for example, ARM assembly) are allowed and operate within the same application sandbox. System services are implemented as applications and are constrained by an application sandbox. Above the kernel, there is no concept of a superuser or root that has unconstrained access to the system.

Figure 1 summarizes the security components and considerations of the various levels of the Android OS.


Android Secure OS services
Android is a multipurpose operating system. Many Android devices provide a secondary, isolated environment to run privileged or security-sensitive operations that don't need the functionality of a multipurpose OS. This environment is sometimes referred to as a Secure OS. These capabilities can be implemented on a separate processor (such as a standalone Secure Element or Trusted Platform Module [TPM]), or can be isolated beneath the kernel on a shared processor (such as ARM TrustZone technology).

The Secure OS can be used by the original equipment manufacturer (OEM) to provide device-specific services and applications. Most Android devices implement Widevine DRM-protected video playback services within the Secure OS. Starting with Android 4.3, cryptographic services based in the Secure OS have also been exposed to Android applications via the KeyChain API. This API provides the ability for applications to create keys that cannot be exported, even in the event of an Android compromise. Note that non-exportable means the key material cannot be extracted; a compromised Android can still ask the Secure OS to perform operations with the key while it remains on the device, so key use should be treated as attacker-reachable in that scenario.


Cryptography and data protection
Cryptography is used throughout Android to provide confidentiality and integrity. Google supports most of the industry-standard algorithms. The following lists major uses of cryptography on Android:
Device encryption
Application signing
Network connectivity and encryption, including SSL, Wi-Fi, and VPN

Device encryption
Encryption is the process of encoding user data on an Android device using a symmetric key. Once a device is encrypted, all user-created data is automatically encrypted before being committed to disk, and all reads automatically decrypt data before returning it to the calling process.

Android disk encryption is based on dm-crypt, a kernel feature that works at the block device layer. The encryption algorithm is 128-bit Advanced Encryption Standard (AES) in cipher-block chaining (CBC) mode with ESSIV:SHA256. The master key is encrypted with 128-bit AES via calls to the Android OpenSSL library. OEMs can use 128-bit or higher to encrypt the master key.

Android 5.0 introduces the following new encryption features:
Fast encryption, which only encrypts used blocks on the data partition to avoid first boot taking a long time.
Added the forceencrypt flag to encrypt on first boot.
Added support for patterns and encryption without a password.
Added hardware-backed storage of the encryption key.

In the Android 5.0 release, there are four kinds of encryption states:
Default
PIN
Password
Pattern

If default encryption is enabled on a device, then upon first boot, the device generates a 128-bit key, which is then encrypted with a default password, and the encrypted key is stored in the crypto metadata. Hardware backing is implemented by using the Trusted Execution Environment's (TEE's) signing capability. The generated 128-bit key is valid until the next factory reset (i.e. until the /data partition is erased). Upon factory reset, a new 128-bit key is generated. With only the default password in place, protection of the key against an attacker who can read the storage rests entirely on that hardware binding; a lock-screen credential is required before the key is also protected by a secret the user holds.

When the user sets the PIN or password on the device, only the 128-bit key is re-encrypted and stored (i.e. user PIN/password/pattern changes don't cause re-encryption of user data). The Android 5.0 Compatibility Definition Document (CDD) requires that if a device implementation has a lock screen, the device must support full-disk encryption of the application private data; that is, the /data partition and the SD card partition, if it's a permanent, non-removable part of the device.


Notes:
1. The encryption key must not be written to storage at any time without being encrypted. Other than when in active use, the encryption key must be AES-encrypted with the lock screen passcode, stretched using a slow stretching algorithm. If the user hasn't specified a lock screen passcode or has disabled passcode use for encryption, the system uses a default passcode to wrap the encryption key. If the device provides a hardware-backed keystore, the password stretching algorithm must be cryptographically bound to that keystore.
2. Devices encrypted at first boot cannot be returned to an unencrypted state after factory reset.

KeyChain and KeyStore
Android provides a set of cryptographic APIs for use by applications. These APIs include implementations of standard and commonly used cryptographic primitives, such as AES, Rivest-Shamir-Adleman (RSA), Digital Signature Algorithm (DSA), and Secure Hash Algorithm (SHA). Additionally, APIs are provided for higher-level protocols, such as Secure Sockets Layer (SSL) and HTTPS.

Android 4.0 introduced the KeyChain class to allow applications to use the system credential storage for private keys and certificate chains. The KeyChain API is used for Wi-Fi and Virtual Private Network (VPN) certificates.

The Android KeyStore class lets you store private keys in a container to make them more difficult to extract from the device. It was introduced in Android 4.3 and focuses on applications storing credentials used for authentication, encryption, or signing purposes.

Applications can call isBoundKeyAlgorithm in KeyChain before importing or generating private keys of a given algorithm, to determine whether a hardware-backed keystore is supported to bind keys to the device in a way that makes them non-exportable.
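The flow just described, as an added Java example that is not code from the whitepaper or from Google: check isBoundKeyAlgorithm first, generate an RSA key pair inside the Android KeyStore using the Android 4.3 to 5.x KeyPairGeneratorSpec API, and then sign with the key by alias so the private key never leaves the keystore. The alias, the five-year validity and the use of RSA are assumptions chosen for the example.

```java
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyPairGeneratorSpec;
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Calendar;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not from the whitepaper): a device-bound signing identity for a work app.
 * Targets the Android 4.3-5.x KeyStore API (KeyPairGeneratorSpec); later releases replaced
 * it with KeyGenParameterSpec. Alias and validity period are assumptions.
 */
public final class DeviceBoundSigner {
    private static final String PROVIDER = "AndroidKeyStore";
    private static final String ALIAS = "work-device-identity"; // assumed alias

    /**
     * Creates the key pair inside the keystore. Returns true only when the platform reports
     * that RSA keys are hardware-bound, i.e. non-exportable even if Android is compromised.
     * Callers that require that property should refuse to proceed on false rather than
     * silently continuing with a software-only key.
     */
    public static boolean generate(Context ctx) throws Exception {
        boolean hardwareBound = KeyChain.isBoundKeyAlgorithm("RSA"); // check before generating
        Calendar start = Calendar.getInstance();
        Calendar end = Calendar.getInstance();
        end.add(Calendar.YEAR, 5);
        KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx)
                .setAlias(ALIAS)
                .setSubject(new X500Principal("CN=" + ALIAS))
                .setSerialNumber(BigInteger.ONE)
                .setStartDate(start.getTime())
                .setEndDate(end.getTime())
                .build();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", PROVIDER);
        kpg.initialize(spec);
        kpg.generateKeyPair(); // private key is created and kept inside the keystore
        return hardwareBound;
    }

    /** Signs data by alias; the PrivateKey handle refers to keystore-resident material. */
    public static byte[] sign(byte[] data) throws Exception {
        KeyStore ks = KeyStore.getInstance(PROVIDER);
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);
        if (key == null) throw new IllegalStateException("key not provisioned: " + ALIAS);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }
}
```

Calling generate once at enrollment and sign on every request gives the enterprise an identity that survives app reinstallation only as long as the keystore entry does; a factory reset, or the user removing the Work Profile, destroys the key, which is the intended behaviour.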

Application security
Applications are an integral part of any mobile platform and users increasingly download applications to their devices. Android provides multiple layers of application protection, enabling users to download their favorite applications to their devices with the peace of mind that they're getting a high level of protection from malware, security exploits, and attacks. The following subsections define the main Android application security features.

Application sandbox and permissions
Android applications run in what is referred to as an application sandbox. Just like the walls of a sandbox keep the sand from getting out, each application is housed within a virtual sandbox to keep it from accessing anything outside itself. Some applications need to use functionality on the device that isn't in the sandbox; for example, accessing contact information. Before an application is installed, the user is shown the permissions it requests for such capabilities (for example, Make phone calls) and decides whether to grant them. A phone dialer application should naturally be able to make phone calls. On the flip side, if the application is supposed to be a puzzle game, that same request might look a bit more suspicious. By providing these details up front, users can make an educated decision about trusting an app or not.

The Android platform takes advantage of the Linux user-based protection as a means of identifying and isolating application resources. The Android system assigns a unique user ID (UID) to each Android application and runs it as that user in a separate process. This approach is different from other operating systems (including the traditional Linux configuration), where multiple applications run with the same user permissions.

This sets up a kernel-level application sandbox. The kernel enforces security between applications and the system at the process level through standard Linux facilities, such as user and group IDs that are assigned to applications. By default, applications can't interact with each other and applications have limited access to the OS. For example, if application A tries to do something malicious like read application B's data or dial the phone (which is a separate application) without permission, then the OS protects against this because application A doesn't have the appropriate user privileges. The sandbox is simple, auditable, and based on decades-old, UNIX-style user separation of processes and file permissions.

Because the application sandbox is in the kernel, this security model extends to native code and to OS applications. All of the software above the kernel in Figure 1 (including OS libraries, application framework, application runtime, and all applications) runs within the application sandbox. On some platforms, developers are constrained to a specific development framework, set of APIs, or language to enforce security. On Android, there are no restrictions on how an application can be written that are required to enforce security; native code is just as secure as interpreted code.

In some operating systems, memory corruption errors generally lead to completely compromising the security of the device. This is not the case in Android due to all applications and their resources being sandboxed at the OS level. A memory corruption error only allows arbitrary code execution in the context of that particular application, with the permissions established by the OS; escaping that context requires a separate vulnerability in the kernel or in a more privileged process.
Security Enhanced Linux
As part of the Android security model, the Android sandbox also uses Security Enhanced Linux (SELinux) to enforce Mandatory Access Control (MAC) over all processes, even processes running with root and superuser privileges. SELinux provides a centralized, analyzable policy and strongly separates processes from one another.

Android includes SELinux in enforcing mode (that is, security policy is enforced and logged) and a corresponding security policy that works by default across the Android Open Source Project (AOSP). In enforcing mode, illegitimate actions that violate policy are prevented and all violations (denials) are logged by the kernel to dmesg and logcat.

The Android 5.0 CDD mandates that devices must implement a SELinux policy that allows the SELinux mode to be set on a per-domain basis, with all domains configured in enforcing mode. No permissive mode domains are allowed. The Compatibility Test Suite (CTS) for SELinux ensures security policy compatibility and enforces security best practices.


Application signing
Android requires that all apps be digitally signed with a certificate before they can be installed. The certificate doesn't need to be signed by a certificate authority. Android uses this certificate to identify the author of the application. Android applications often use self-signed certificates and the application developer holds the certificate's private key. When the system installs an update to an application, it compares the certificate in the new version with those in the existing version, and allows the update only if the certificate matches. Because the certificate is the application's identity, the security of the scheme rests on the signing private key: a leaked key lets an attacker publish an update the platform accepts as legitimate, and a lost key means the app can never again be updated in place.

Android allows applications signed by the same certificate to run in the same process, if the applications so request, so that the system treats them as a single application. Android provides signature-based permissions enforcement, so that an application can expose functionality to another app that's signed with a specified certificate. By signing multiple apps with the same certificate, and using signature-based permissions, an app can share code and data in a secure manner.

The key must have a validity period that exceeds the expected lifespan of the app. (A validity period of 25 years or more is recommended.) When a key's validity period expires, users can no longer seamlessly upgrade to new versions of the application.

Note: Applications published on Google Play must be signed with keys that have a validity period ending after October 22, 2033. Google Play enforces this requirement to ensure that users can seamlessly upgrade apps when new versions are available.
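The declarative form of signature-based enforcement is a permission declared with protectionLevel "signature" in the manifest. The added Java example below, which is not code from the whitepaper or from Google, shows the programmatic complement a service can apply to a Binder caller: resolve the calling UID to its packages and accept the call only if every package is signed by the expected certificate. The expected digest is a constructed placeholder; in practice it is the SHA-256 of the partner's DER-encoded signing certificate, obtained out of band.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (not from the whitepaper): gate an exported component on the caller's
 * signing certificate rather than on its package name, which anyone can claim.
 */
public final class SignerCheck {
    // Constructed placeholder: replace with the SHA-256 (hex) of the trusted DER certificate.
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    /**
     * True only if `pkg` is installed and every one of its signers is the expected
     * certificate. An additional unknown signer is a red flag, not extra assurance.
     */
    public static boolean isSignedByExpectedKey(PackageManager pm, String pkg) {
        try {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            if (sigs == null || sigs.length == 0) return false;
            for (Signature sig : sigs) {
                if (!EXPECTED_CERT_SHA256.equalsIgnoreCase(sha256Hex(sig.toByteArray()))) {
                    return false;
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    /**
     * For a Binder call: a UID can be shared by several packages (sharedUserId), so all of
     * them must pass. Call with Binder.getCallingUid() from the service's entry point.
     */
    public static boolean callerIsTrusted(PackageManager pm, int callingUid) {
        String[] pkgs = pm.getPackagesForUid(callingUid);
        if (pkgs == null || pkgs.length == 0) return false;
        for (String p : pkgs) {
            if (!isSignedByExpectedKey(pm, p)) return false;
        }
        return true;
    }

    private static String sha256Hex(byte[] der) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Comparing a digest of the whole certificate, rather than the subject name or the package name, is what ties the check to possession of the private key described above.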

Google Play app review
Google Play is Android's app distribution platform and protects users from potentially harmful apps. Google Play has policies in place to protect users from attackers trying to distribute potentially harmful apps. Within Google Play, developers are validated in two stages. Developers are first reviewed when they create their Google Play developer account, based on their profile and credit cards. Developers are then reviewed further with additional signals upon app submission. Google regularly scans Play applications for malware and other vulnerabilities. Google also suspends developer accounts that violate developer program policies.

Google Play also has ratings and reviews that provide information about an application before installing it. If an app tries to mislead users, it's likely to have a low star rating and poor comments.

An example of Google's developer security advocacy was for apps running vulnerable versions of the Apache Cordova platform. Google notified:
Developers via the Google Play Developer Console and email
Developers of apps containing private keys or keystore files


Verify apps
Android devices that have Google Play installed have the option of using Google's Verify Apps feature, which scans apps when you install them and periodically scans for potentially harmful apps. App verification is turned on by default, but no data is sent to Google unless the user agrees to allow this when prompted in the dialog box prior to installing the first app from a source other than Google Play.

Verify Apps is available on Android 2.3+ with Google Play. On devices running Android 4.2 or higher, users can enable or disable Verify Apps from Google Settings > Security > Verify Apps. Verify Apps now continually checks devices to ensure that all apps behave in a safer manner, even after installation. This enhancement takes the protection even further, using Android's powerful app scanning system developed by the Android Security and Safe Browsing teams.

Network security
In addition to data-at-rest security protecting information stored on the device, Android provides network security for data in transit to protect data sent to and from Android devices. Android provides secure communications over the Internet for web browsing, email, instant messaging, and other Internet applications, by supporting Transport Layer Security (TLS), including TLS v1.0, TLS v1.1, TLS v1.2, and SSL v3. SSL v3 is retained for compatibility only and should not be relied on; applications should negotiate TLS v1.2 wherever the server supports it.

Wi-Fi
Android supports the WPA2-Enterprise (802.11i) protocol, which is specifically designed for enterprise networks and can be integrated with a broad range of Remote Authentication Dial-In User Service (RADIUS) authentication servers. The WPA2-Enterprise protocol support uses AES-128 encryption in Android 5.0, thus providing corporations and their employees a high level of protection when sending and receiving data over Wi-Fi.

Android supports 802.1X Extensible Authentication Protocol (EAP) methods, including EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and EAP-SIM, introduced in Android 5.0.

VPN
Android supports network security using VPN:
Always-on VPN: The VPN can be configured so that applications don't have access to the network until a VPN connection is established, which prevents applications from sending data across other networks.
Per User VPN: On multiuser devices, VPNs are applied per Android user, so all network traffic is routed through a VPN without affecting other users on the device.
Per Profile VPN: VPNs are applied per Work Profile, which allows an IT administrator to ensure that only their enterprise network traffic goes through the enterprise Work Profile VPN, not the user's personal network traffic.
Per Application VPN: Android 5.0 provides support to facilitate VPN connections for allowed applications or to prevent VPN connections for disallowed applications.


Third-party applications
Google is committed to increasing the use of TLS/SSL in all applications and services. As applications become more complex and connect to more devices, it's easier for applications to introduce networking mistakes by not using TLS/SSL correctly.

The Android Security team has built a tool called nogotofail, which provides an easy way to confirm that devices or applications are safe against known TLS/SSL vulnerabilities and misconfigurations.

The nogotofail tool works for Android and other operating systems. There's an easy-to-use client to configure the settings and get notifications on Android. The nogotofail tool is released as an open source project so application developers can test their applications, contribute new features to the project, and help improve the network security on Android.

Device and profile management
Android 5.0 introduces the concepts of a Device Owner and a Profile Owner to support the corporate-owned and bring your own device (BYOD) enterprise use cases, respectively. The concept of a Managed Profile is based on the Android multiuser concept, first introduced in Android 4.2 (API 17).

Android users
An Android user is intended to be used by a different physical person and has their own application data, some unique settings, and UI to explicitly switch between them. A user can run in the background when another user is active. A user's data is always isolated from other users. Android supports Primary and Secondary users as defined below:

A Primary user is the first user added to a device. It can't be removed, except by factory reset. This user also has special privileges and settings only set by that user. The Primary user is always running even when other users are in the foreground.

A Secondary user is any user added to the device other than the Primary user. A secondary user can be removed by their own doing and by the primary user, but can't impact other users on a device. Secondary users can run in the background and continue to have network connectivity when they do. However, there are some restrictions; for example, not being able to display UI or have Bluetooth services active while in the background. Background secondary users are halted by the system process if the device requires additional memory for operations in the foreground user.


Managed Profile
A Device Policy Client (DPC) is an application used to manage the corporate space on the device. The DPC has access to the device management APIs available in the DevicePolicyManager class and receives callbacks from the system via the DeviceAdminReceiver class.

A Work Profile is a managed profile created when the DPC initiates a managed provisioning flow. In this instance, a Work Profile functions like a regular user, but is associated with the primary user in such a way that notifications and the recent task list are shared. Applications, notifications and widgets from the Managed Profile are always badged. Because the Work Profile is a separate Android user, there's a strong separation between the corporate and personal profile, and all data within the Work Profile is managed separately by the enterprise.

A Profile Owner is a special case of a device administrator, which can only manage the corporate space on a user's personal device to support the BYOD use case. Profile Owners are scoped to the Work Profile and can only be defined as part of the managed provisioning process. The user experience is enhanced to allow the user to easily access both personal and Work Profiles at once. The Profile Owner can't be deactivated by the user; however, the user is always able to view and validate the settings being enforced within the Work Profile. The user can choose to remove the Work Profile and the Profile Owner altogether whenever they desire.

A Device Owner is like a Profile Owner, but scoped to the whole device. The Device Owner is the device administrator in the corporate-owned device use case.

Cross profile intents
In the BYOD case, data in the Work Profile is segregated from the user's personal data. However, there are instances where allowing intents from one profile to be resolved in the other can be useful and enhance the enterprise user's productivity. In the Work Profile, IT administrators control sharing between managed and personal profiles. Two new methods have been added in Android 5.0 to the DevicePolicyManager class for cross profile intents: addCrossProfileIntentFilter and clearCrossProfileIntentFilters.

By default, the following intents are automatically configured by the system during Work Profile creation to be forwarded to the Primary Profile:
Telephony intents
Mobile network settings
Home intent: The launcher doesn't run in the Work Profile.
Get content: The user has the option to resolve in either the Primary or Work Profile.
Open document: The user has the option to resolve in either the Primary or Work Profile.
Picture: The user has the option to resolve in either the Primary or Work Profile if an app that can handle the camera exists in the Work Profile.
Set clock: The user has the option to resolve in either the Primary or Work Profile.
Speech recognition: The user has the option to resolve in either the Primary or Work Profile.

Additionally, the SEND intent, used when sharing content, is configured to offer the user the option to forward the content into the Work Profile.


Note: The SEND intent is not automatically configured to offer the user the option to forward their content from the Work Profile into the primary profile, because some IT administrators consider this a security risk. Instead, the DPC application has the option of adding this functionality, if allowed by a company's IT policy.
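How a DPC would add that optional work-to-personal SEND path, as an added Java example that is not code from the whitepaper or from Google. It assumes the DPC is already the Profile Owner and that `admin` is the DPC's DeviceAdminReceiver component; restricting the filter to text/plain is a deliberate choice for the example, not something the platform requires.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

/**
 * Added example (not from the whitepaper). Runs inside the DPC acting as Profile Owner;
 * `admin` is the DPC's DeviceAdminReceiver component.
 */
public final class CrossProfileSharing {
    /**
     * Opt in to work-to-personal sharing for plain text only. This direction is off by
     * default because it is a data-exfiltration path; call it only when IT policy permits.
     */
    public static void allowWorkToPersonalTextShare(Context ctx, ComponentName admin)
            throws IntentFilter.MalformedMimeTypeException {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        IntentFilter filter = new IntentFilter(Intent.ACTION_SEND);
        filter.addCategory(Intent.CATEGORY_DEFAULT);
        filter.addDataType("text/plain"); // deliberately narrow; "*/*" would open every file type
        // FLAG_MANAGED_CAN_ACCESS_PARENT: an intent fired in the Work Profile may resolve to
        // personal-side apps. Personal-to-work SEND is already configured by the system.
        dpm.addCrossProfileIntentFilter(admin, filter,
                DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT);
    }

    /** Revert to the system defaults; only filters this Profile Owner added are removed. */
    public static void revokeAll(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        dpm.clearCrossProfileIntentFilters(admin);
    }
}
```

Because the filter is matched against the intent's action, category and MIME type, widening it later (for example to image/* or */*) is a policy decision that should go through the same review as enabling the path in the first place.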

Device and profile policies
Android 5.0 adds a number of security policies and configurations for both device and profile management. IT administrators can set these policies (indirectly) via a mobile device management (MDM) solution to secure work data on their employees' devices. The following table lists these policies, indicating whether they apply to the device, for corporate-owned device cases, or to the profile, for BYOD cases.

Policy (DevicePolicyManager method) | Device | Profile
addCrossProfileIntentFilter
addCrossProfileWidgetProvider
addPersistentPreferredActivity
addUserRestriction
clearCrossProfileIntentFilters
clearDeviceOwnerApp
clearPackagePersistentPreferredActivities
clearUserRestriction
createAndInitializeUser
enableSystemApp
installCaCert
installKeyPair
lockNow
removeActiveAdmin
removeCrossProfileWidgetProvider
removeUser
resetPassword
setAccountManagementDisabled
setApplicationHidden
setApplicationRestrictions
setAutoTimeRequired
setCameraDisabled
setCrossProfileCallerIdDisabled
setGlobalSetting
setKeyguardDisabledFeatures
setLockTaskPackages
setMasterVolumeMuted
setMaximumFailedPasswordsForWipe
setMaximumTimeToLock
setPasswordExpirationTimeout
setPasswordHistoryLength
setPasswordMinimumLength
setPasswordMinimumLetters
setPasswordMinimumLowerCase
setPasswordMinimumNonLetter
setPasswordMinimumNumeric
setPasswordMinimumSymbols
setPasswordMinimumUpperCase
setPasswordQuality
setPermittedAccessibilityServices
setPermittedInputMethods
setProfileEnabled
setProfileName
setRecommendedGlobalProxy
setRestrictionsProvider
setScreenCaptureDisabled
setSecureSetting
setStorageEncryption
setUninstallBlocked
switchUser
uninstallCaCert
uninstallAllUserCaCerts
wipeData


Application management
Android for Work creates a secure framework for companies to put any application in Google Play to work for them in a simple, standard way. Through Google Play for Work, an enterprise version of Google Play, IT administrators can easily find, deploy, and manage work applications while ensuring malware and other threats are neutralized.

Google Play for Work
Google Play for Work provides APIs for use by Enterprise Mobility Management (EMM) vendors to allow them to manage applications on devices in an Android for Work domain. The APIs provide functionality for use (indirectly) by administrators of the enterprises managed by the EMM as follows:

An IT administrator can remotely install or remove apps on managed Android for Work devices via the EMM's app. This action is limited to devices or profiles that are managed by the EMM's app, which ensures that the user has consented to the EMM's access.

An IT administrator can define which users should be able to see which apps. A user running the Play Store app within the Work Profile only sees the apps visible to them.

Enterprise administrators can see which users have apps installed or provisioned, and the number of licenses purchased and provisioned.

Installation of applications within the Work Profile is possible via Google Play for Work in the Work Profile, either by direct user request in the managed Play Store app (pull), or as a result of a call to the EMM API (push). When the user opens the Play Store app in the Work Profile, it only displays the apps which the IT administrator has specified the user can access. The user can install these applications, but not others.
Secure app serving
Transport of all Android application packages (APKs) and app metadata between Google Play and Android devices is encrypted using SSL/TLS. App access is authenticated and authorized using the Google Account created as part of user registration in the Android for Work domain.
Private apps
With Google Play for Work, apps can be published by an enterprise customer and targeted privately (i.e. they're only visible to and installable by users within that enterprise's Android for Work domain). Private apps are logically separated in Google's cloud infrastructure from Google Play for consumers. There are two modes of delivery for private apps:

Google hosted: By default, Google hosts the APK in its secure data centers.

Externally hosted: Enterprise customers host APKs on their own servers, accessible only on their intranet or via VPN. Details of the requesting user and their authorization are provided via a JSON Web Token (JWT) with an expiry time. The JWT is signed by Google using the key pair associated with the specific app in Play. The hosting server must verify that signature against the app's key and check the expiry before trusting the authorization contained in the JWT; a token that fails either check should be rejected, since otherwise anyone who can reach the intranet host could present a token of their own making.

In both cases, Google Play for Work stores the app metadata: title, description, graphics, and screenshots. Apps must comply with all Google Play policies in all cases.
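The verification an externally-hosted APK server should perform, as an added example in plain Java SE that is not Google's code and not part of the whitepaper. It assumes the token is RS256-signed, carries a numeric "exp" claim in epoch seconds, and that the app's Play-side public key has been obtained out of band and pinned; the token format beyond those two points, the subject claim and the mint helper (which only exists so the example can run offline with a locally generated key) are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example for an externally hosted APK server; not Google's code. Assumptions:
 * RS256 signature, numeric "exp" claim in epoch seconds, pinned public key for the app.
 */
public final class PlayJwtCheck {
    private static final Base64.Decoder B64 = Base64.getUrlDecoder();
    private static final Base64.Encoder B64E = Base64.getUrlEncoder().withoutPadding();
    private static final Pattern EXP_CLAIM = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    /** True only if the signature verifies under the pinned key and the token is unexpired. */
    public static boolean verify(String jwt, PublicKey pinnedKey, long nowEpochSeconds) {
        try {
            String[] p = jwt.split("\\.", -1);
            if (p.length != 3) return false;
            // Pin the algorithm to the key type: never let the token choose "none" or an HMAC.
            String header = new String(B64.decode(p[0]), StandardCharsets.UTF_8).replace(" ", "");
            if (!header.contains("\"alg\":\"RS256\"")) return false;
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(pinnedKey);
            sig.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
            if (!sig.verify(B64.decode(p[2]))) return false;
            // Claims are only meaningful after the signature has been checked.
            String payload = new String(B64.decode(p[1]), StandardCharsets.UTF_8);
            Matcher m = EXP_CLAIM.matcher(payload);
            if (!m.find()) return false;          // no expiry claim: refuse
            return Long.parseLong(m.group(1)) > nowEpochSeconds;
        } catch (Exception e) {                   // malformed base64, wrong key size, etc.
            return false;
        }
    }

    /** Constructed test token. In production Play mints the token; the host never signs. */
    static String mint(KeyPair kp, String subject, long exp) throws Exception {
        String h = B64E.encodeToString(
                "{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String c = B64E.encodeToString(
                ("{\"sub\":\"" + subject + "\",\"exp\":" + exp + "}").getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update((h + "." + c).getBytes(StandardCharsets.US_ASCII));
        return h + "." + c + "." + B64E.encodeToString(s.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();   // stands in for the app's Play key pair
        long now = System.currentTimeMillis() / 1000L;
        String fresh = mint(kp, "user@example.com", now + 300);
        String expired = mint(kp, "user@example.com", now - 1);
        String forged = fresh.substring(0, fresh.lastIndexOf('.') + 1)
                + B64E.encodeToString(new byte[256]);
        System.out.println("fresh token accepted:   " + verify(fresh, kp.getPublic(), now));
        System.out.println("expired token accepted: " + verify(expired, kp.getPublic(), now));
        System.out.println("forged token accepted:  " + verify(forged, kp.getPublic(), now));
    }
}
```

The order matters: the signature is checked before any claim is parsed, the algorithm is fixed by the server rather than read from the token, and a missing expiry is treated as a failure rather than as "never expires".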

Unknown sources
By default, the Unknown sources setting under Settings > Security > Unknown sources is off. The Device Owner or Profile Owner can disable user control of Unknown sources in the Managed Device or Work Profile by setting the DISALLOW_INSTALL_UNKNOWN_SOURCES user restriction to true using addUserRestriction. The default value for the DISALLOW_INSTALL_UNKNOWN_SOURCES user restriction in both Device Owner and Profile Owner is false. When DISALLOW_INSTALL_UNKNOWN_SOURCES is set to true by the Device Owner or Profile Owner, the user cannot modify the Unknown sources security setting on the device or Work Profile; however, in the case of a Work Profile, the user can still modify the Unknown sources setting in their personal space.

Additionally, the sideloading of applications using Android Debug Bridge (adb) can be disabled via the DISALLOW_DEBUGGING_FEATURES user restriction in a Managed Device by the Device Owner, or in a Work Profile by the Profile Owner. The default value of DISALLOW_DEBUGGING_FEATURES for both Device Owner and Profile Owner is false.

Setting the DISALLOW_INSTALL_UNKNOWN_SOURCES and DISALLOW_DEBUGGING_FEATURES user restrictions to true from the EMM provides an extra measure of assurance to IT administrators that only company-approved apps will be deployed, using Google Play for Work, to users in a corporate-managed device or profile.
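The two user restrictions above, together with a selection of the lock-screen, wipe and data-leakage policies from the "Device and profile policies" table, applied by a DPC as an added Java example that is not code from the whitepaper or from Google. It assumes the DPC is already Device Owner or Profile Owner and that `admin` is its DeviceAdminReceiver component; the password length, lock timeout and failed-attempt threshold are assumptions an organisation would tune. The second method verifies that the controls actually took effect instead of assuming they did.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;

/**
 * Added example (not from the whitepaper). `admin` is the DPC's DeviceAdminReceiver
 * component; the DPC must already be Device Owner or Profile Owner. Thresholds are assumptions.
 */
public final class WorkBaselinePolicy {
    public static void apply(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);

        // Both restrictions default to false, so set them explicitly: the managed space then
        // receives apps only through Google Play for Work (no "Unknown sources", no adb install).
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_DEBUGGING_FEATURES);

        // Lock-screen credential strength and brute-force response.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, 8);
        dpm.setMaximumTimeToLock(admin, 5 * 60 * 1000L);   // milliseconds
        // For a Profile Owner the wipe is scoped to the Work Profile; for a Device Owner, the device.
        dpm.setMaximumFailedPasswordsForWipe(admin, 10);

        // Data-leakage controls for the managed space.
        dpm.setScreenCaptureDisabled(admin, true);
        dpm.setCameraDisabled(admin, true);

        // Request storage encryption; the returned status reports whether it is active,
        // pending a reboot, or unsupported, so the result is checked in isInForce().
        dpm.setStorageEncryption(admin, true);
    }

    /** Verify rather than assume: true only when every control is actually in force. */
    public static boolean isInForce(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        UserManager um = (UserManager) ctx.getSystemService(Context.USER_SERVICE);
        boolean noSideload = um.hasUserRestriction(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES)
                && um.hasUserRestriction(UserManager.DISALLOW_DEBUGGING_FEATURES);
        boolean encrypted = dpm.getStorageEncryptionStatus()
                == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE;
        return noSideload && encrypted && dpm.isActivePasswordSufficient();
    }
}
```

Running isInForce after provisioning, and again on each DeviceAdminReceiver callback, is what turns a list of setter calls into a compliance signal the EMM can act on (for example by withholding work apps until it returns true).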

Managed App configuration
Android for Work provides the ability to set policies on a per-application basis, where the app developer has made this available. For example, an app could allow an IT administrator to remotely control the availability of features, configure settings, or set in-app credentials. The setApplicationRestrictions method of the DevicePolicyManager class allows EMMs to configure these restrictions.

Google Chrome is an example of an enterprise-managed app that implements policies and configurations that can be fully managed according to enterprise policies and restrictions.
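Both halves of that mechanism, as an added Java example that is not code from the whitepaper or from Google: the DPC pushing a configuration with setApplicationRestrictions, and the managed app reading it back through RestrictionsManager with restrictive defaults for anything the administrator did not set. The package name, the restriction keys and the intranet URL are hypothetical; a real app declares its keys in an app_restrictions XML resource referenced from its manifest.

```java
import android.app.admin.DevicePolicyManager;
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.RestrictionsManager;
import android.os.Bundle;

/** Added example (not from the whitepaper). Package name and keys are hypothetical. */
public final class ManagedConfigExample {
    static final String WORK_APP = "com.example.workapp";     // hypothetical managed app
    static final String KEY_SERVER_URL = "server_url";        // hypothetical restriction keys
    static final String KEY_ALLOW_CLIPBOARD = "allow_clipboard";

    /** EMM/DPC side: push configuration into the app. `admin` is the DPC's DeviceAdminReceiver. */
    public static void pushFromDpc(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        Bundle cfg = new Bundle();
        cfg.putString(KEY_SERVER_URL, "https://intranet.example.com/api"); // hypothetical
        cfg.putBoolean(KEY_ALLOW_CLIPBOARD, false);
        dpm.setApplicationRestrictions(admin, WORK_APP, cfg);
    }

    /** App side: the effective configuration. Absent keys fall back to the locked-down value. */
    public static final class Config {
        public final String serverUrl;        // null means "not configured": refuse to connect
        public final boolean allowClipboard;  // default false: copy-out disabled unless enabled
        Config(Bundle b) {
            serverUrl = b.getString(KEY_SERVER_URL, null);
            allowClipboard = b.getBoolean(KEY_ALLOW_CLIPBOARD, false);
        }
    }

    public static Config readInApp(Context ctx) {
        RestrictionsManager rm =
                (RestrictionsManager) ctx.getSystemService(Context.RESTRICTIONS_SERVICE);
        Bundle b = rm.getApplicationRestrictions();
        return new Config(b == null ? new Bundle() : b);
    }

    /** Re-read when the EMM changes the policy. Register with registerReceiver while the app runs. */
    public static final class ChangedReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            if (Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED.equals(intent.getAction())) {
                Config c = readInApp(ctx);
                // Apply c here: re-point the network client, enable or disable clipboard, ...
            }
        }
    }
}
```

The design choice worth copying is the default direction: when a key is missing, the app behaves as if the most restrictive value had been set, so a partially configured or misconfigured EMM policy never silently widens what the app allows.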


Security best practices
Google designed Android and Google Play to provide everyone with a safer experience. With that goal in mind, the Android Security team works hard to minimize the security risks on Android devices. Google's multilayered approach starts with prevention and continues with malware detection and rapid response should any issues arise.

More specifically, Google:
Strives to prevent security issues from occurring through design reviews, penetration testing and code audits
Performs security reviews prior to releasing new versions of Android and Google Play
Publishes the source code for Android, thus allowing the broader community to uncover flaws and contribute to making Android the most secure mobile platform
Works hard to minimize the impact of security issues with features like the application sandbox
Detects vulnerabilities and security issues by regularly scanning Google Play applications for malware, and removing them from devices if there's a potential for serious harm to the user's devices or data
Has a rapid response program in place to handle vulnerabilities found in Android by working with hardware and carrier partners to quickly resolve security issues and push security patches

The Android team works very closely with the wider security research community to share ideas, apply best practices, and implement improvements. Android is part of the Google Patch Reward Program, which pays developers when they contribute security patches to popular open source projects, many of which form the foundation for AOSP. Google is also a member of the Forum of Incident Response and Security Teams (FIRST).

Conclusion
For a long time, being secure has been synonymous with being closed. But the mobile ecosystem is now transitioning from closed, isolated platforms towards open platforms that foster innovation and allow interoperability with confidence. Android gains security from being more open. Android's security is built to protect its users in a complex ecosystem that includes system-on-a-chip (SoC) vendors, OEMs, service providers, independent software vendors (ISVs), and enterprises, just to name a few.

Google's commitment to security for all Android users includes a combination of built-in security features in the platform (such as application sandboxing) and Google services-based protections (such as Google Play and Verify apps). Behind Google Play's effort to protect against potentially harmful applications is a vast, systemic knowledge of Android applications accumulated over many years, beginning with the onset of Android. Google Play uses a combination of static, dynamic, and relationship analysis, combined with thousands of unique signals, to analyze each application. Every application on Google Play is reviewed through a combination of technology, human review, and user community flags.


Finally, Android 5.0 enhances Android device management capabilities by introducing Work Profiles. In the context of Android for Work, enterprises rely on Google Play for Work for deploying applications. Unknown sources and third-party marketplaces can be disallowed by EMMs, thus protecting employees' devices from potentially malicious applications being installed in the Work Profile.

