This post reviews some security aspects to be taken into account when configuring devices with Google Android OS.
This article can be used as a checklist to ensure an Android device is properly configured before releasing it.
A standard operating environments (SOE) is a set operating system, application, and hardware configuration. Please remind that each SOE should be considered independently.
List of Security Aspects to be considered when Configuring Android Devices
Security aspects to be considered when setting up Android devices:
- Disk encryption
- Password and Digital Certification Storage
- App Code Hardening
- Remote Deletion
- Mobile Device Management (MDM) & Mobile Thread Protection (MTP)
- Data Leakage
- Admin Privilege
- Restrictions to App Installations
- Organization’s Policies, Procedures, Standards and Guidelines on IT Security
- Hardening Guides
- Security Feeds for Admins and IT-Sec
A proper control access should be activated in the device.
Depending on whether Android is install on a portable device or PC, it could have a bootloader or BIOS/UEFI.
Device admins should block access to bootloader to standard users.
This can be achieved, for example, by setting a password in the bootloader.
Most personal devices are not yet encrypted by default.
From an IT security point of view, it is recommended that you encrypt the disk. Otherwise, if you lose your Android device anyone could access the data inside it.
An antimalware application (or whatever alternative name it receives, like antivirus, thread protection, EDR or XDR) should be installed on the mobile device.
Ensure that all the components of the device are updated to the last version before handling in. That includes:
Ensure that device has automatic updates enabled.
If the device is managed by an organization, ensure that user cannot deactivate automatic updates.
Ensure that the different components of the device are receiving support from manufacturers and/or developers. That includes: hardware, OS, applications.
Check that passwords follow best practices.
Things to check about passwords:
- Authentication method (password, pattern, face recognition, etc.)
- Password Complexity (lowercase, uppercase, number, symbols, etc.)
- Password Length
- Password Expiration
- Password history
- Password lock
- Change default password
- Safe reset password method
- Masked passwords
You can check password best practices on this post.
A best practice is to lock screen automatically after inactivity. It is safer and also increases battery time.
Password and Digital Certificate Storage
Password and Digital Certificates may be stored within a device. It must be ensured that they are stored safely.
Ensure that TPM or similar is updated.
Virtual Private Network (VPN)
Consider using a Virtual Private Network (VPN) to protect the user and the device when browsing the internet.
A VPN client should be installed in order to access a VPN.
There may be a software firewall installed on the device.
App Code Hardening
If one or many of the apps installed within the device are self-developed, code hardening practices should be applied.
There is an official Android Developers section for app best security practices. You can have a look at it on this external link.
One check if to see if backups are automatically done.
In case the device is robbed, it is recommended that there is a mechanisms.
If there is only a single user, you may configure an app that allows to do this.
If the device is centrally managed by an organization, an MDM could be configured to allow remote deletion.
A web proxy service could be installed to control the traffic, specially if the device belongs to an organization.
Mobile Device Management (MDM) & Mobile Thread Protection (MTP)
If the device is managed by an organization, you must consider install an Mobile Device Management (MDM) agent on them.
An action is defined when device is not connected.
Mobile Thread Protection (MTP) can also be called Mobile Thread Defense (MTD).
If the computer belongs to an organization, data leakage is an aspect to be taking into account.
A Mobile Application Management (MAM) is a solution that secures and enables IT control over enterprise applications on end users’ corporate and personal data.
If the device is delivered by an organization, it is highly recommendable that the user is not admin of their own device.
In this case, admin privilege for user must be reviewed and restricted.
User should not be able to modify the device settings.
An admin user should be kept in the device, so administrators could operate on the mobile phone.
Restrictions to App Installations
If the device is managed by an organization, a whitelist or blacklist for apps could be used.
Set the configuration to avoid user installing third-party applications directly, without the control of a trustworthy app marketplace.
Even when Play Store is blocked in the device, check that users cannot install apps by setting up a Google account (like Gmail), then logging in from a different device to that account, access the Play Store web and send installations to a different device.
Organization’s Policy, Procedures, Standards and Guidelines on IT Security
Security-aware organizations may have in place IT Security policies, procedures, standards and guidelines.
Policies and procedures may enumerate controls that should be into place, for example: password length should be minimum 6 characters.
Standards may restrict the applications that are installed in the system for a particular purpose. Example: the standard application to read PDFs in Android is Adobe Acrobat.
Guidelines are only recommendation, but they could be useful.
Ensure that the configuration in the device follows the policies, procedures, standards and guidelines.
There are different free hardening guides available for Android OS.
From a IT security point of view, it is recommended that you followed this hardening guides.
To find a list of security hardening guides for Android, please check this post.
IT Security Feeds for Admins and IT-Sec
People in charge of device management, device administration or device information security should be updated with the latest news regarding the device, so they can be aware of new applicable configuration.
Consider subscribing yourself or yourself to both hardware and software feeds related to the device(s).