This post features some security hardening guides or baselines for operating system Google Android.
The parent post of this article is Android Security.
List of Android Hardening Guides
This is a non-exhaustive list of Android Hardening Guides
- AOSP Security Documentation
- Android Enterprise Security Documentation
- Android Developers Security Guides
- CIS Google Android Benchmarks
- DISA Android STIGs
- NIST NCP
- CNN STICs
- OWASP MASVS
- Intune Security Baselines
This hardening guides could also called benchmark, guideline, guide, baseline or STIG.
In this post, we understand hardening guide as a document that provide advice or instructions about how to securely configure or deploy a system, in this case Android OS.
You can read this external post from Google about features that hardened Android 11 on this link.
AOSP Security Documentation
Android Open Source Project (AOSP) offers the information and source code needed to create custom variants of the Android OS, port devices and accessories to the Android platform.
You can find documentation from AOSP about securing Android on this external link. This is a good starting point to find resources about Android Security.
Android Enterprise Security Documentation
There is one section about Android Enterprise Security on this external link.
On the bottom of this page, there are some interesting documents about Android:
- Android security white paper
- Android security datasheet
- “Android Enterprise: security overview” video
There is also one section about general Android Safety that can be found on this external link.
Android Developers Security Guides
These are guidelines for developers about how to consider security when coding for Android.
There is a set of guides about Android development security on this link.
CIS Google Android Benchmarks
Center of Internet Security (CIS) is a non-profit private organization for internet security.
CIS published a guide for securing Google Android OS, that can be found on this external link.
DISA Android STIGs
The Defense Information Systems Agency (DISA), that belongs to the Department of Defense (DoD) of the USA, develops Security Technical Implementation Guides (STIGs) for different operating system.
DISA develop and upload STIGs that are uploaded to the public STIG Document Library of the portal DoD Cyber Exchange, and can be access from this external link.
There is one Android STIG by DISA. You can filter them by choosing the filter group “Mobility” > “Smartphone”.
USA National Institute of Standards and Technology (NIST) does not develop its own guidelines or baselines, but has a catalog called NCP (National Checklist Program) that collects both CIS benchmarks and DISA guidelines.
You can find the NCP on this external link.
You can filter by Target “Google Android” plus the version number to find the linked. You can also search the keyword “Android”.
Centro Criptologico Nacional (CCN) of the Government of Spain issues STICs (from the Spanish Seguridad de las Tecnologías de Información y Comunicaciones), that are security guides on different topics.
Some of these STICs guides are specific to Android:
- CCN-STIC 453G: Guía práctica de seguridad en dispositivos móviles Android 9
- CCN-STIC 1611: Procedimiento de empleo seguro de dispositivos Samsung Galaxy (Android 11)
There is also an article from CCN that can be read on this external link.
OWASP MASVS and MASTG
OWASP Mobile Application Security Verification Standard (MASVS) defines baseline security requirements for mobile apps.
You can find more info on OWASP MASVS’s GitHub site on this external link.
OWASP Mobile Application Security Testing Guide (MASTG) describes technical processes for verifying the controls listed in MASVS.
You can find more info on OWASP MASTG’s GitHub site on this external link.
Intune Security Baselines
Intune is a Microsoft Mobile Device Management (MDM) tool that is compatible with Android devices.
Intune has a security baseline for Android.
Check this external link to read more about Intune’s Android Enterprise security configuration framework.