Android provides powerful, multi-layered security to protect enterprise customers

Android invests in technologies and services that strengthen the security of devices, apps, and the global ecosystem.

Challenge

Android is the most popular mobile enterprise platform, powering four out of every five devices shipped for business use. The challenge for businesses is that they need to trust their mobile devices to complete critical workflows and handle sensitive corporate data in their day-to-day use. Organizations need to find a way to protect their data against a range of risks and threats on these devices.

The Android difference

Google provides powerful, multi-layered security built into every device to protect data. Combining hardware security with Android OS hardening ensures device integrity. Industry-leading exploit mitigation, sandboxing, and remote attestation services help detect and prevent exploitation and data loss. Google Play Protect, the world's largest threat detection system, runs on all devices, protecting against potentially harmful apps. Finally, we deliver a robust set of enterprise APIs that provide controls to secure data, preserve privacy, and help ensure device integrity.

Hardware backed security

Hardware-based protection is the foundation that helps secure the rest of the platform. Android devices utilize a trusted execution environment (TEE) to run privileged and security-sensitive operations such as PIN verification. As of Android 8.0, compatible devices can optionally use tamper-resistant hardware to verify the lock screen passcode. If verification succeeds, the tamper-resistant hardware returns a high-entropy secret that can be used to derive the disk encryption key. Verified Boot confirms the device's integrity during boot-up with a cryptographic chain of trust. Each stage is verified and combined with rollback protection, which prevents persistent exploits. Hardware components also protect private keys and prevent brute-force attacks on screen lock PINs and passwords. To further enhance protection, the SafetyNet remote attestation service can use hardware to detect compromised devices.

Google Play Protect

Google Play Protect continuously works to keep your device free from PHAs (Potentially Harmful Apps) and is active on over 2.5 billion devices. It automatically scans devices every day, including system apps, apps from Google Play, and sideloaded apps from unknown sources. Carrier OTA (Over The Air) updates that include new or updated apps are also scanned at the time of installation. Google Play Protect even scans devices when they are offline and not connected. Google Play Protect helped keep installs of PHAs in 2019 to under 0.033%.

Safe Browsing - Safe Browsing in the Chrome browser protects users against phishing attacks and sites that push malware. Users are warned when visiting a potentially dangerous site before it loads. Safe Browsing protection is also extended into WebView, the component in most Android apps that renders web content, further extending the protection inside applications.

SafetyNet Attestation - SafetyNet attestation is a free service from Google which tests a device's integrity. Developers and EMMs can add SafetyNet attestation into their apps and solutions to provide strong assurance that a device's integrity has not been compromised. Verify Apps APIs, part of SafetyNet, can be used to query the status of Play Protect for mitigation and remediation by applying automatic compliance rules controlled by their EMM solution.

Operating system

Android OS utilizes industry-leading techniques to harden the platform by providing strong app isolation and sandboxing of processes, exploit mitigation, and separation of work and personal data.

Application sandboxing - Every Android app is contained in an application sandbox, which is enforced by SELinux. This ensures apps can only access data within their own sandbox unless explicitly authorized. In Android 10, we've introduced "constrained sandboxes," which further isolate components by granting them even fewer privileges. Media codecs now run in these constrained sandboxes, significantly reducing the severity and impact of any attempted exploitation.

Encryption - Encryption is mandatory and always on out of the box. Android 7.0 introduced support for AES 256-bit file-based encryption, which is now mandatory with Android 10. A user's encryption key is derived using their lock-screen PIN or passcode and is backed by secure hardware. In Android 9.0 and higher, Smart Lock, biometric unlocking, and notifications on the lock screen can be temporarily disabled by holding the power button and selecting Lockdown mode. End users can easily evict the work profile encryption key by turning off the work profile, or this can be performed remotely by an EMM admin.

Userspace hardening - Every Android device utilizes various technologies to protect user applications and data. ASLR (address space layout randomization) and DEP (data execution prevention) protect the OS and applications from exploits and many code-reuse attacks. Android also implements KASLR (kernel address space layout randomization) to harden the kernel against attacks. In Android 9, control flow integrity (CFI) for userspace and the kernel was introduced. In Android 10, additional hardening techniques such as execute-only memory (XOM) were added.

Regular, consistent updates - Google releases monthly security patches to help ecosystem partners keep their devices updated. Project Treble, released in 2018, provided OEMs a method to deliver updates much faster. In Android 10, we introduced Google Play System Updates, which enables Google to update OS security components through Google Play without requiring a full operating system update. Android 10 also introduced the ability to perform offline device updates directly from an EMM provider.

Management

Android offers robust management and policy controls to secure devices across many deployment models. There are controls admins can enable to meet specific security requirements at every layer of the Android security model: hardware, OS, apps, and services.

Network security - Android apps on Android 9 and higher devices default to using TLS for network connections. Android apps on Android 10 default to TLS 1.3, which encrypts more of the handshake and can be up to 40% faster than previous versions. DNS over TLS in Android 10 prevents DNS query leaks, and the ability for users to change DNS settings can be blocked. VPN controls in Android 10 can now force apps to use only the VPN, with an optional control that allows connections if the VPN is down. Finally, in Android 10, IT admins can also disable the ability for users to turn off always-on VPN connections.

App management - Managed Google Play provides powerful and secure app management features. Admins can securely distribute and remotely configure internal private applications as well as public applications. A rich set of policy controls allows admins to secure apps and associated data and to scan applications for vulnerabilities. Finally, managed Google Play is ISO 27001 certified and has SOC 2 and SOC 3 reports to ensure customer data is safe.
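The compliance rules an EMM applies to a SafetyNet attestation result are illustrated below as an added example (not Google's or any EMM's code). It assumes the attestation response is the JWS compact form whose payload carries the documented nonce, timestampMs, apkPackageName, apkCertificateDigestSha256, ctsProfileMatch and basicIntegrity fields; the sample response, package name and certificate digest are constructed placeholders, and verification of the RS256 signature against the x5c certificate chain is assumed to happen in a separate step before the payload is trusted.

```python
import base64
import json
import time

def _b64url_decode(seg: str) -> bytes:
    seg += "=" * (-len(seg) % 4)          # restore stripped padding
    return base64.urlsafe_b64decode(seg)

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def evaluate_attestation(jws, expected_nonce, expected_package,
                         expected_cert_digests, now_ms=None, max_age_ms=120_000):
    """Apply EMM-style compliance rules to a SafetyNet attestation payload.
    Returns (compliant, reasons). The JWS signature and x5c chain are assumed
    to have been verified upstream; this function only evaluates the claims."""
    reasons = []
    try:
        header_b64, payload_b64, _signature = jws.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:                      # covers base64 and JSON errors
        return False, ["malformed JWS"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, ["malformed JWS"]
    if header.get("alg") != "RS256" or not header.get("x5c"):
        reasons.append("unexpected JWS header (need RS256 with x5c chain)")
    if payload.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (possible replay)")
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    ts = payload.get("timestampMs", 0)
    if not (now_ms - max_age_ms <= ts <= now_ms + 5_000):   # freshness window
        reasons.append("attestation too old or from the future")
    if payload.get("apkPackageName") != expected_package:
        reasons.append("package name mismatch")
    if not set(payload.get("apkCertificateDigestSha256", [])) & set(expected_cert_digests):
        reasons.append("APK signing certificate digest mismatch")
    if not payload.get("basicIntegrity"):
        reasons.append("basicIntegrity false: device tampered or rooted")
    if not payload.get("ctsProfileMatch"):
        reasons.append("ctsProfileMatch false: not a certified Android build")
    return not reasons, reasons

def build_sample_jws(**overrides):
    """Construct a sample attestation response (placeholder signature/certs)."""
    payload = {"nonce": "c2FtcGxlLW5vbmNl",            # base64 of "sample-nonce"
               "timestampMs": 1_700_000_000_000,
               "apkPackageName": "com.example.emmagent",   # hypothetical package
               "apkCertificateDigestSha256": ["PLACEHOLDER_CERT_DIGEST"],
               "ctsProfileMatch": True, "basicIntegrity": True,
               "evaluationType": "BASIC,HARDWARE_BACKED"}
    payload.update(overrides)
    header = {"alg": "RS256", "x5c": ["PLACEHOLDER_LEAF", "PLACEHOLDER_ROOT"]}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"placeholder-signature")])
```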
Conclusion
Android has been recognized as the leader in mobile device security by many security
ecosystem partners and independent analyst firms. The platform offers multiple layers of
security to help enterprise customers protect their data. From hardware-backed security for
sensitive operations to a robust OS that isolates and effectively mitigates threats to maintain
device integrity, Android provides a firm foundation so you can be confident your devices and
data are secure. Android also delivers services such as always-on app analysis and scanning
through Google Play Protect, remote attestation services with SafetyNet, and a host of
enterprise grade management APIs for every deployment scenario and every enrollment type.
Powered by Google intelligence, Android security gets smarter each day and provides peace
of mind to enterprise customers and users.
Get started today. For more information, visit Android.com/enterprise