Security Aspects of Mobile Device Configuration

This post reviews some security aspects to be taken into account when configuring devices with Google Android OS.

This article can be used as a checklist to ensure an Android device is properly configured before releasing it.

A standard operating environments (SOE) is a set operating system, application, and hardware configuration. Please remind that each SOE should be considered independently.

List of Security Aspects to be considered when Configuring Android Devices

Security aspects to be considered when setting up Android devices:

  1. Disk encryption
  2. Antimalware
  3. Updates
  4. Support
  5. Password and Digital Certification Storage
  6. VPN
  7. App Code Hardening
  8. Backup
  9. Remote Deletion
  10. Mobile Device Management (MDM)
  11. Data Leakage
  12. Admin Privilege
  13. Restrictions to App Installations
  14. Organization’s Policies, Procedures, Standards and Guidelines on IT Security
  15. Hardening Guides
  16. Security Feeds for Admins and IT-Sec

Access

A proper control access should be activated in the device.

Disk Encryption

Most personal devices are not yet encrypted by default.

From an IT security point of view, it is recommended that you encrypt the disk. Otherwise, if you lose your Android device anyone could access the data inside it.

Antimalware

An antimalware application (or whatever alternative name it receives, like antivirus, thread protection, EDR or XDR) should be installed on the mobile device.

Update

Ensure that all the components of the device are updated to the last version before handling in. That includes:

  • UEFI/BIOS
  • Firmware
  • OS
  • Applications

Ensure that device has automatic updates enabled.

If the device is managed by an organization, ensure that user cannot deactivate automatic updates.

Support

Ensure that the different components of the device are receiving support from manufacturers and/or developers. That includes: hardware, OS, applications.

Authentication

Check that passwords follow best practices.

Things to check about passwords:

  • Authentication method (password, pattern, face recognition, etc.)
  • Password Complexity (lowercase, uppercase, number, symbols, etc.)
  • Password Length
  • Password Expiration
  • Password history
  • Password lock
  • Change default password
  • Safe reset password method
  • Masked passwords

You can check password best practices on this post.

Lock Screen

A best practice is to lock screen automatically after inactivity. It is safer and also increases battery time.

Password and Digital Certificate Storage

Password and Digital Certificates may be stored within a device. It must be ensured that they are stored safely.

Ensure that TPM or similar is updated.

Virtual Private Network (VPN)

Consider using a Virtual Private Network (VPN) to protect the user and the device when browsing the internet.

A VPN client should be installed in order to access a VPN.

Firewall

There may be a software firewall installed on the device.

App Code Hardening

If one or many of the apps installed within the device are self-developed, code hardening practices should be applied.

There is an official Android Developers section for app best security practices. You can have a look at it on this external link.

Backup

One check if to see if backups are automatically done.

Remote Deletion

In case the device is robbed, it is recommended that there is a mechanisms.

If there is only a single user, you may configure an app that allows to do this.

If the device is centrally managed by an organization, an MDM could be configured to allow remote deletion.

Web proxy

A web proxy service could be installed to control the traffic, specially if the device belongs to an organization.

Mobile Device Management (MDM)

If the device is managed by an organization, you must consider install an Mobile Device Management (MDM) agent on them.

An action is defined when device is not connected to

Data Leakage

If the computer belongs to an organization, data leakage is an aspect to be taking into account.

A Mobile Application Management (MAM) is a solution that secures and enables IT control over enterprise applications on end users’ corporate and personal data.

Admin Privilege

If the device is delivered by an organization, it is highly recommendable that the user is not admin of their own device.

In this case, admin privilege for user must be reviewed and restricted.

User should not be able to modify the device settings.

An admin user should be kept in the device, so administrators could operate on the mobile phone.

Restrictions to App Installations

If the device is managed by an organization, a whitelist or blacklist for apps could be used.

Set the configuration to avoid user installing third-party applications directly, without the control of a trustworthy app marketplace.

Organization’s Policy, Procedures, Standards and Guidelines on IT Security

Security-aware organizations may have in place IT Security policies, procedures, standards and guidelines.

Policies and procedures may enumerate controls that should be into place, for example: password length should be minimum 6 characters.

Standards may restrict the applications that are installed in the system for a particular purpose. Example: the standard application to read PDFs in Android is Adobe Acrobat.

Guidelines are only recommendation, but they could be useful.

Ensure that the configuration in the device follows the policies, procedures, standards and guidelines.

Hardening Guides

There are different free hardening guides available for Android OS.

From a IT security point of view, it is recommended that you followed this hardening guides.

To find a list of security hardening guides for Android, please check this post.

IT Security Feeds for Admins and IT-Sec

People in charge of device management, device administration or device information security should be updated with the latest news regarding the device, so they can be aware of new applicable configuration.

Consider subscribing yourself or yourself to both hardware and software feeds related to the device(s).

You might also be interested in…

Leave a Reply

Your email address will not be published. Required fields are marked *