
How will Android encryption by default affect enterprise BYOD?

Google is beginning to encrypt data by default on its Android devices. Expert Michael Cobb explains how this change will affect enterprise BYOD security.

Beginning with Android L, Google is going to encrypt data by default. What effect will this have on the security posture of Android devices? Is this a good thing for enterprise BYOD policies?

Privacy has become a big concern for enterprises and individuals following the revelations of NSA surveillance by former contractor Edward Snowden. However, people tend to be quite lethargic when it comes to actually changing a device's default settings. They may replace the default avatar with their own picture and change the default ringtone, but many never stray further into the settings than that. Those who are more security-minded may try to enable data encryption, but it is often hard to find where to do this, and the technical language in the instructions can make them confusing to follow. To overcome this problem, many technology companies are building security features into their latest operating systems that are on by default, easier to use and more resistant to government snooping.

Android has offered optional full-disk encryption on some devices since 2011 (Android 3.0 Honeycomb), but in Android 5 Lollipop encryption is meant to happen automatically on first boot, removing the need for users or administrators to enable this important security control. The PIN code is not itself the encryption key: storage is encrypted with a randomly generated master key, and that master key is stored wrapped under a key derived from the user's PIN or password (and, on Lollipop hardware with a trusted execution environment, bound to a key that never leaves the device). According to Google, this key material is secured on the device and cannot be accessed by Google itself or by the security services. Two consequences follow. Forgetting the PIN renders any data on the device inaccessible, though enterprise deployments will be able to manage PIN requirements centrally. And the protection is only as strong as the PIN: a device with no lock-screen credential is encrypted under a built-in default password and gains no confidentiality at all, while a four-digit PIN leaves an attacker who can copy the wrapped key off the device only 10,000 guesses to try unless the hardware binding forces those guesses to run on the device itself. (Note: Because of potential device performance issues, Google is now saying that although hardware must support encryption, OEMs are not required to turn it on by default right now, so administrators should check rather than assume.)
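The relationship between the PIN and the actual disk key, as an added illustration written for this article (this is a simplified model, not Android's own cryptfs code): a random master key encrypts the storage, and only the wrapped copy of that master key depends on the PIN. Android derives the wrapping key with scrypt and, on Lollipop devices with a trusted execution environment, adds a hardware-bound signing step; this model substitutes PBKDF2 for scrypt and omits the hardware step, which is exactly what makes the offline search at the end feasible. The sample PIN, salt and iteration count are constructed for the demo.

```java
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Model of full-disk-encryption key wrapping (added example, not Android source).
 * The PIN never touches the data; it only unlocks the wrapped master key.
 */
public class FdeKeyWrapModel {
    // Deliberately low so the brute-force demo finishes in seconds; real scrypt
    // parameters make each guess slower but do not change the 10,000-guess bound.
    static final int ITERATIONS = 1000;
    static final SecureRandom RNG = new SecureRandom();

    /** Key-encryption key derived from the PIN and a per-device salt (PBKDF2 stands in for scrypt). */
    static SecretKey deriveKek(String pin, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(pin.toCharArray(), salt, ITERATIONS, 256);
        byte[] kek = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        return new SecretKeySpec(kek, "AES");
    }

    /** Returns iv || ciphertext || tag: the master key wrapped under the PIN-derived KEK. */
    static byte[] wrapMasterKey(byte[] masterKey, String pin, byte[] salt) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKek(pin, salt), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(masterKey);
        byte[] blob = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        return blob;
    }

    /** Returns the master key, or null when the PIN is wrong (the GCM tag check fails). */
    static byte[] unwrapMasterKey(byte[] blob, String pin, byte[] salt) throws Exception {
        byte[] iv = Arrays.copyOfRange(blob, 0, 12);
        byte[] ct = Arrays.copyOfRange(blob, 12, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKek(pin, salt), new GCMParameterSpec(128, iv));
        try {
            return c.doFinal(ct);
        } catch (AEADBadTagException wrongPin) {
            return null;
        }
    }

    /** Offline search of every four-digit PIN against a copied wrapped-key blob. */
    static String bruteForcePin(byte[] blob, byte[] salt) throws Exception {
        for (int i = 0; i < 10_000; i++) {
            String guess = String.format("%04d", i);
            if (unwrapMasterKey(blob, guess, salt) != null) {
                return guess;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        byte[] masterKey = new byte[32];   // the key that really encrypts the partition
        RNG.nextBytes(masterKey);
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        String userPin = "4271";           // constructed sample PIN

        byte[] blob = wrapMasterKey(masterKey, userPin, salt);

        long start = System.nanoTime();
        String found = bruteForcePin(blob, salt);
        long ms = (System.nanoTime() - start) / 1_000_000;
        System.out.println("recovered PIN " + found + " in " + ms + " ms");
        System.out.println("master key recovered: "
                + Arrays.equals(unwrapMasterKey(blob, found, salt), masterKey));
    }
}
```

The point to take from the search loop is that key-derivation cost only multiplies the attacker's time by a constant; the number of candidates is set by the PIN policy. That is why a longer or alphanumeric lock-screen credential, and hardware that refuses to do the unwrap anywhere but on the device, matter as much as the encryption itself.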

To make locking and unlocking a device less irritating, Lollipop introduced Smart Lock, which includes "Trusted Places" and "Trusted Devices." If location services establish that the device is within a trusted physical location such as the office or home, the device remains unlocked, but the lock screen returns once it moves away from that location. Trusted Devices works in a similar way when a paired Bluetooth or near field communication device, for example a laptop, smartwatch or car stereo, is within range; moving out of range automatically locks the device. This is a useful feature, as not having to constantly unlock a device means security is not getting in the way of usability. It does, however, mean that a phone left on a desk in the office, or stolen together with the smartwatch it is paired with, stays unlocked, so administrators who consider that unacceptable for devices carrying work data can disable trust agents through device policy. The "Trusted Face" feature offers convenient all-purpose unlocking once the user registers their face with the device, but Google itself warns that someone who looks like the user may also be able to unlock it, so it should not be treated as strong authentication.

While these features will certainly benefit all users, businesses will probably be more interested in the enterprise-oriented controls Google has introduced in Lollipop to improve the security of personal devices used in a BYOD context. A subset of Samsung's Knox containerization technology underpins the new work profile, which allows administrators to apply separate security policies to personal and work data and apps. The work profile runs as a separate Android user managed by a profile-owner app (typically the enterprise's mobile device management agent), so its apps and data are isolated at the operating-system level from the personal profile, and vice versa. Notifications for personal and work profiles are visible in a unified view, with a "work badge" indicating that an app and its data are administered inside the work profile by an IT administrator. Administrators can also control which Google Play apps specific individuals or groups are able to install through the work profile.

Android 5.0 is aimed at attracting wider enterprise adoption, but administrators will need to be aware that the manufacturers and cellular carriers whose devices use Android have different development cycles and push new versions to their customers at different times; it could be years before encryption by default reaches most devices in the field. Check which employees' devices are actually running Lollipop (Motorola helpfully publishes an upgrade schedule for its devices) and, where possible, try to avoid having to manage multiple versions of Android with different security capabilities.
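Turning the Smart Lock, work-profile and version caveats from the preceding paragraphs into a device policy, as an added example (a hypothetical enrolment-time helper written for this article, not Google's or Samsung's code). It assumes the calling app is an active device admin that has declared the password, encrypted-storage, wipe and keyguard policies in its device_admin metadata, that it is also the profile owner of the work profile, and that the ComponentName passed in is its own DeviceAdminReceiver; package names handed to the last method are placeholders.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.UserManager;

/**
 * Hypothetical BYOD baseline policy for Lollipop (added example, not platform code).
 * Assumes the app is an active device admin and profile owner; admin is its receiver.
 */
public final class LollipopBaselinePolicy {
    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public LollipopBaselinePolicy(Context ctx, ComponentName admin) {
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = admin;
    }

    /** Work profiles, Smart Lock and encryption by default all arrived with API 21. */
    public static boolean runsLollipop() {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP;
    }

    /** OEMs may ship Lollipop with encryption off, so report the real state instead of assuming. */
    public String encryptionStatus() {
        switch (dpm.getStorageEncryptionStatus()) {
            case DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED: return "unsupported by hardware";
            case DevicePolicyManager.ENCRYPTION_STATUS_INACTIVE:    return "supported but off";
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVATING:  return "encrypting now";
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE:      return "active";
            default:                                                return "unknown";
        }
    }

    /** Request encryption where the hardware allows it; returns false when it cannot be enforced. */
    public boolean requireEncryption() {
        if (dpm.getStorageEncryptionStatus() == DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED) {
            return false;
        }
        dpm.setStorageEncryption(admin, true);
        return true;
    }

    /** The wrapped disk key is only as strong as the PIN: no 4-digit or sequential codes, wipe after 10 failures. */
    public void requireStrongPin() {
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX);
        dpm.setPasswordMinimumLength(admin, 6);
        dpm.setMaximumFailedPasswordsForWipe(admin, 10);
    }

    /** Trusted Places, Trusted Devices and Trusted Face are trust agents; this keeps them off the keyguard. */
    public void disableSmartLock() {
        dpm.setKeyguardDisabledFeatures(admin, DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS);
    }

    /** Only the profile owner may shape the work profile: block sideloading and hide unwanted packages. */
    public boolean lockDownWorkProfile(String... hiddenPackages) {
        if (!dpm.isProfileOwnerApp(admin.getPackageName())) {
            return false;
        }
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        for (String pkg : hiddenPackages) {
            dpm.setApplicationHidden(admin, pkg, true);
        }
        return true;
    }
}
```

On Lollipop a profile owner's keyguard and password settings apply to the device-wide lock screen, since the work profile has no separate challenge of its own; a separate work challenge only came later. Call runsLollipop() before the profile-owner methods, and treat anything other than "active" from encryptionStatus() as a device that still needs attention.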


This was last published in April 2015
