Beginning with Android L, Google is going to encrypt data by default. What effect will this have on the security posture of Android devices? Is this a good thing for enterprise BYOD policies?
Privacy has become a big concern for enterprises and individuals following revelations of NSA spying by former contractor Edward Snowden. However, people tend to be quite lethargic when it comes to actually changing a device's default settings. They may replace the basic avatar image with their own picture and change the default ringtone, but many never stray into further settings than that. Those who are more security-minded may try to enable data encryption, but it's often tricky to find how to do this as techspeak can make the instructions confusing and difficult to follow. To overcome this problem, many technology companies are introducing security features in their latest operating systems that are easier to use and more resistant to government snooping.
Android has offered optional encryption on some devices since 2011; but in Android 5 Lollipop, encryption happens automatically, removing the need for users or administrators to enable this important security control. The encryption key is the device's PIN code, which, according to Google, is secured on the device and can't be accessed by Google itself or the security services. This does mean, however, that forgetting the PIN code renders any data on the device inaccessible, though enterprise versions will be able to manage PIN codes centrally. (Note: Because of potential device performance issues, Google is now saying that although hardware must support encryption, OEMs aren't required to turn it on by default right now.)
To make locking and unlocking a device less irritating, Lollipop introduced "Trusted Places" and "Trusted Devices." If the device's GPS establishes that it is within a trusted physical location like the office or home, the device remains unlocked, but the lock screen returns once it moves away from a safe location. Trusted Devices works in a similar way when a near field communication- or Bluetooth-paired device -- for example a laptop, smartwatch or car radio -- is within range; moving out of range automatically locks the device. This is a great feature, as not having to constantly unlock a device means security is not getting in the way of usability. The "Trusted Face" feature is a convenient way for all-purpose unlocking; it works after the user registers their face with the device (though Google warns someone who looks like the user may also be able to unlock the device).
While these features will certainly benefit all users, businesses will probably be more interested in the enterprise-oriented controls Google has introduced in Lollipop to improve the security of personal devices being used in a BYOD context. A subset of Samsung's Knox containerization technology allows administrators to apply separate security policies to personal and work data and apps. The data for each profile is isolated and secure from other profiles. Notifications for personal and work profiles are visible in a unified view with a "work badge" to indicate that an app and its data are administered inside of the work profile by an IT administrator. Administrators can also control which Google Play apps specific individuals or groups will be able to install through the work profile.
Android 5.0 is aimed at attracting a bigger adoption rate by enterprises, but administrators will need to be aware that manufacturers and cellular carriers whose devices use the Android operating system have different development cycles and push new versions to their customers at different times; it could be years before Android's encryption by default is on most devices. Check which employees' devices are actually running Lollipop -- Motorola helpfully provides an upgrade schedule for its devices -- and, where possible, try to avoid having to manage multiple versions of Android with different security capabilities.
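The inventory check suggested above, as an added example that is not part of the original Q&A: a small POSIX shell script that classifies each device by whether it is on Lollipop or later and whether its storage is actually encrypted (since, as noted, OEMs are not obliged to switch encryption on). It assumes an administrator has already collected the system properties `ro.build.version.sdk` (21 is Android 5.0) and `ro.crypto.state` (`encrypted` or `unencrypted`) from each device with `adb shell getprop`; the device serials and values below are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original article. Classifies Android
# devices by platform version and encryption state using values captured
# earlier with "adb shell getprop". Assumes SDK 21 == Android 5.0 Lollipop
# and that ro.crypto.state reports "encrypted" or "unencrypted".

# Constructed sample inventory: one line per device, "serial sdk crypto_state".
SAMPLE_INVENTORY='ZX1A0001 21 encrypted
ZX1A0002 19 unencrypted
ZX1A0003 21 unencrypted
ZX1A0004 22 encrypted'

# classify SDK CRYPTO_STATE -> prints one of:
#   ok            Lollipop or later and storage is encrypted
#   no-encryption Lollipop or later but the OEM shipped with encryption off
#   pre-lollipop  older release; the new controls are not available at all
classify() {
  sdk=$1
  crypto=$2
  if [ "$sdk" -lt 21 ]; then
    echo "pre-lollipop"
  elif [ "$crypto" = "encrypted" ]; then
    echo "ok"
  else
    echo "no-encryption"
  fi
}

# report: reads inventory lines from stdin, prints "serial status" per device
report() {
  while read -r serial sdk crypto; do
    [ -n "$serial" ] || continue
    printf '%s %s\n' "$serial" "$(classify "$sdk" "$crypto")"
  done
}

# count_status STATUS: number of devices in SAMPLE_INVENTORY with that status
count_status() {
  printf '%s\n' "$SAMPLE_INVENTORY" | report | grep -c " $1\$"
}

# Print the per-device report for the sample inventory.
printf '%s\n' "$SAMPLE_INVENTORY" | report
```

Devices reported as `no-encryption` are the ones worth following up first: they have the Lollipop enterprise controls available but are not yet benefiting from encryption at rest, so the "encrypted by default" expectation does not hold for them.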
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your question now via email. (All questions are anonymous.)