IBM Security MaaS360


Mobile Security - Best Practices for Android Devices

By Anish Kothari posted Sun May 21, 2023 12:18 AM

  

With the explosive growth of Android devices around the world in the last decade, it was inevitable that Android would become a major platform of choice for both corporate owned devices and BYOD cases. One of the major factors in Android's rise has been the availability of numerous OEMs (manufacturers) that sell Android devices. While this has led to some highly valued innovations, it has also been a challenge, as not all OEMs are security focused or follow a consistent set of guidelines.

As IT administrators have to cater to an ever-increasing variety of Android devices, it has become essential to ensure that these devices are protected and the corporate data on them is safe. 
This comprehensive guide is written for this exact purpose: to provide a set of best practices for Android security and to help IT admins make the right decisions.

As an EMM solution, IBM Security MaaS360 with Watson is designed in a way that significantly reduces the security risks while accessing corporate data, without hampering employee productivity. A set of corporate security policies can be applied on both corporate owned as well as employee owned (BYOD) devices. These policies can be customized to a high degree to match each customer's requirements.

Pre-deployment checks

Compliance & certification requirements and/or regional regulations

Before embarking on creating effective security policies, each IT administrator must ensure that they adhere to the standards set for their respective industry or domain and for the regions in which they operate.

For example:

  • A healthcare organization must ensure that they comply with requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
  • An organization operating in Europe must ensure that they comply with the EU's GDPR act.

Once these requirements are clear, the IT admins can proceed to design and customize IBM MaaS360 so that it suits their operations.

Device Support

For corporate owned devices, IBM MaaS360 strongly recommends using "Android Enterprise" certified devices for deployment. Android Enterprise is an offering of the Android platform by Google which was designed keeping in mind day-to-day corporate use cases and security.
Receiving the Android Enterprise certification by Google is a good indicator that these devices can match up to the standards required for protecting the corporate usage.

For BYOD usage, a call can be taken on supporting the device after assessing the public trustworthiness of the OEM (manufacturer). Allowing OEM devices that are prone to security breaches or have other incidents of malicious usage is highly risky. It is better to not allow corporate data to exist on such devices in the first place rather than try to contain the damage later.

Best Practices
1) Password Enforcement

Although it sounds very basic, enforcing passwords with the right complexity is the first line of defense and can be done with minimal effort.

The payoff benefits of this simple activity are huge. While acting as an obvious deterrent to malicious actors, it adds an extra layer of safety as most Android devices use the password for internal data encryption too. As such, even if a device is lost or stolen, the underlying data can't be decrypted.

A variety of complexity levels are available through IBM MaaS360 to suit the standards of every industry. A non-exhaustive list of examples is provided below:

| Complexity Type | Complexity Description |
|---|---|
| Pattern | Android Pattern Lock - Available by default on all Android devices. It involves the user connecting a series of "dots" to form a pattern to unlock the device |
| Simple | Any combination of alphabet/characters is allowed |
| Numeric | Needs at least one number |
| Alphanumeric | Needs at least one letter and one number |
| Alphanumeric, with special constraints | Needs at least one letter, one number, and a special character. May also need at least one uppercase and one lowercase letter |

Apart from complexity levels, there are other options to enhance the strength of the enforced passwords:

  • Minimum Length - Passwords can range from four to sixteen characters long. Longer passwords are more secure, but hamper device usability. A good balance must be achieved so that it doesn't cut down on productive usage.
  • Password Expiry - This is another standard process adopted by highly regulated industries (like Banking) to force the user to change the password after a certain period of time.
  • Password Reuse - This can be used to prevent users from cycling through the same passwords repeatedly.
  • Biometrics - The device can be customized to lock/unlock using the user's biometrics such as Fingerprints/Iris Scans/Face Recognition.
  • Timeout for Auto lock - If devices are left unlocked and unattended for a long period of time, it increases the risk factor. This option allows the device to lock itself after a specified period of time.

General recommendation

  1. Passwords should be enforced.
  2. It is desirable to find a balance so that the passwords comply with industry standards/requirements as well as keep the devices usable.
  3. Additional factors of password expiry and reuse must be incorporated to enhance the security.

2) Device Encryption

This is a no-brainer in the context of corporate security. Only devices that support encryption must be utilized for accessing sensitive data. This might mean dropping support for devices on lower versions of Android, from when the OS and the encryption support it provided were still in their nascent stages.

| Android Version | Encryption Status |
|---|---|
| L (5.0/Lollipop) | Before enrolling into Android Enterprise solutions, the device automatically prompts for encryption to be completed before it is on-boarded to IBM MaaS360 servers |
| M (6.0/Marshmallow) and above | From Android M onward, Android devices are encrypted by default out of the box. This encryption can be further enhanced by setting a strong password for access. |
| N (7.0/Nougat) and above | Android N introduced file-based encryption in addition to device encryption. This provides the highest level of security when combined with enforcement of a strong password. This is a good example of synergy between the first two best practices outlined in the document |

General recommendation

  1. Choose devices that support encryption. This has become a must-have with the increase in cyberthreats.
  2. At the time of writing this document (2023), Android S is the latest version of Android available in the market. It is recommended to use devices that are, at the very least, running on Android O MR1 (8.1/Oreo MR1) and above.

3) Restrict Device Features

Android devices have evolved over the years with a plethora of new capabilities that are added regularly. While these capabilities provide a good deal of benefit to the end users, they might be challenging in a corporate environment.

For example, in highly regulated data sensitive domains, leaking of proprietary data or customer data can be a hugely damaging affair.
Such data leaks can happen both intentionally (for example - using the device camera to take pictures of sensitive assets/information, and sharing/transferring data over the network using BT/WiFi or local peer-to-peer sharing) or unintentionally (for example - accidentally triggering smart assistants).

These situations can be averted by appropriately blocking device features. IBM MaaS360 provides an extensive list of controls for such "risky" capabilities, like Camera/Bluetooth/WiFi etc. This list is periodically refreshed to keep up with the features available on newer devices.

General recommendation

Most organizations with a focus on security run a threat modelling activity regularly to ascertain the areas of possible security risks or breaches.
Match these areas with the capabilities of mobile devices and appropriately enforce restrictions.

4) Control of Apps on the device

The earlier guideline was focused on the hardware parts of a device that can carry a risk. But a more significant threat comes from the installation of unregulated/unauthorized apps on the device that may steal data silently or compromise the device as a whole.

IBM MaaS360 provides a good deal of flexibility to control apps on the device depending on the control level needed by the organization.
The table below lists some of these options in order, from providing the highest safety level to providing the least safety level.

  1. Functionality: Allow only IT Administrator authorized apps to be installed via IBM MaaS360's App Catalog/Google's Managed Play Store
     Comments:
       • Most stringent form of control
       • Apps can only be installed via IBM MaaS360 or via the customer's managed Play Store (The word "managed" indicates that this is a private Play Store accessible to just the customer's devices, not the public Play Store available to the general audience)
       • Direct download of APK files from the internet/side-loading using a computer is blocked.
       • Addition of personal Google accounts to access the public Play Store is restricted

  2. Functionality: Allow installation from the public Google Play Store but only a few approved apps
     Comments:
       • A fixed set of apps is allowed to be on the device. Everything else is automatically blocked.
       • Apps installed from the public Google Play Store are not guaranteed to be safe unless thoroughly vetted for use.

  3. Functionality: Allow installation from anywhere but allow only a few approved apps
     Comments:
       • A fixed set of apps is allowed to be on the device. Everything else is automatically blocked.
       • APK files downloaded outside of the Play Store pose a risk of malicious apps that mimic the package ID of an authentic app and get installed on the device

  4. Functionality: Allow installation from anywhere but block only a few apps
     Comments:
       • Very risky because the set of apps to be blocked would increase every day as new vulnerabilities are discovered.
       • Impossible to build an up-to-date list of all malware apps

  5. Functionality: No restriction
     Comments:
       • NOT recommended for corporate usage

General recommendation

It is recommended to exercise a form of control over the apps allowed to install on a managed device.
The strictness of the control levels is up to the security and compliance requirements of the organization.

5) Establish Secure Network Communication

Insecure networks are an easy target for allowing malicious actors to snoop in and access proprietary data from mobile devices.
A couple of things to help mitigate this:

  • Provide an enterprise WiFi connection to access the company's servers from office locations/other company premises.
  • Provide a VPN connection to access a company's internal servers from anywhere outside.

IBM MaaS360 provides an easy way to configure WiFi networks and VPN connections over-the-air and ensure proper authentication is done and network security is established before accessing an organization's internal servers.

General recommendation

  1. Establish a certificate based WiFi configuration to allow access to the internet on company premises.
  2. For employees that need to access the company's internal servers, provide a certificate based VPN connection.
  3. Rotate these certificates for WiFi/VPN periodically on the user devices.
  4. Certificate based connections are preferable over password based connections for enhanced security.
  5. IBM MaaS360's Trusteer integration can also be leveraged to detect insecure WiFi connections on managed devices.

6) Device Integrity Checks

There are various ways in which the integrity of the device can be broken, such as Device Rooting, Bootloader unlocking, Kernel tampering, Custom ROM installations etc. Almost always, there is a nefarious intent behind any of these activities on corporate devices. Allowing access to corporate data on such devices is extremely risky and can undermine the security of the organization.

As such, all managed devices must be checked regularly to ensure that they aren't compromised. An easy way to do this is to enable a process called SafetyNet Attestation. Google's SafetyNet Attestation process runs on all Android devices. Samsung has a version specific to its devices called Samsung Knox Attestation.
(In simple terms, the attestation process ascertains that the current state of the device matches the expected state of the Android OS. It uses several internal parameters to detect intrusions and other factors that can affect security.)

IBM MaaS360 provides an easy way to run this attestation check periodically every 24 hours. Running it regularly helps in detecting devices that have been compromised.
It is always better to stop enrollment and not provide access to corporate data than try to block compromised devices.
In this regard, IBM MaaS360 also provides the ability to check the attestation status as a precursor to enrollment. If the device fails the integrity test, it will not get enrolled at all and there is no risk of corporate data theft.

An additional layer of protection can be added by leveraging IBM MaaS360's Trusteer integration. Along with providing real-time root detection checks, it also scans for malware and other factors that can affect the device. This information can further be used to decide the compliance status of a device and take pertinent actions.

General recommendation

  1. Establish the integrity of the device before enrollment.
  2. Run periodic checks on managed devices after enrollment.
  3. Security focused organizations should deploy additional measures to detect attempts to compromise the device in real time for enhanced protection.

7) Secure Corporate Container

Use of a secure "container" for accessing and using corporate data provides a lot of security benefits, such as:

  • Encrypted Emails & Attachments
  • Prevent Unauthorized Backups, Copying & Pasting of Email Content
  • Blocking attachments originating from Android Devices
  • Provides users with a consistent experience on all versions of the Android OS

Native Email apps or the default GMail app on Android do not come loaded with these features. Another enticing bonus feature is that it is easier to quickly wipe the container and remove all corporate settings and data when an employee using a BYOD device leaves the company.

IBM MaaS360's Secure Productivity Suite provides a FIPS compliant secure container to manage the user's emails, contacts, calendars, documents, Intranet access and file management suites (like SharePoint, Fileshare, Box, Google Drive and OneDrive). Granular policies can be applied on the container for operations like sharing data, forwarding attachments, copying & pasting content & taking screenshots. Devices that are lost/stolen can be selectively wiped to remove corporate data from the container.

General recommendation

  1. Use a separate corporate container that boasts enhanced security features
  2. Apply granular policies to control access of corporate data
  3. Wipe the container to delete data if the user leaves the company or if the device is compromised

8) Compliance Rules and Automated Remedies

All the best practices shared earlier can be neatly tied together by setting up compliance rules. These rules help in detecting violations of the deployed policies and configurations. The device can be marked as "Out of Compliance" and appropriate action(s) can be taken.
For example, the device can be non-compliant if:

  • The current device has no password or the password doesn't match the desired complexity
  • Google Attestation fails and detects an integrity compromise
  • Unapproved accounts are added to the device
  • IBM MaaS360's Trusteer integration flags malware installed on the device or if the device is connected to an insecure WiFi network

and many more such conditions. The IT Administrator is now empowered to take appropriate countermeasures.

IBM MaaS360 provides a variety of such countermeasures, ranging from a simple warning shown to the user to barring of access to corporate data. In extreme conditions, even a full wipe of the device can be performed.
Furthermore, these responses can also be automated to execute on the device so that the IT admin's work is easier while handling devices on a large scale.

General recommendation

  1. Compliance Rules can be set up to detect violations of compliance in real-time so that appropriate actions can be taken.
  2. Automated handling of violations can be set depending on severity and preferences of the customer.
  3. It is a good idea to first warn the users of an impending violation and give them an opportunity to fix the problem if it is something that can be resolved (e.g., password complexity). Repeated violations or failures of an extreme nature (like loss of device integrity) should lead to more drastic countermeasures.
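
The escalation logic described in this section can be sketched in a few lines. This is an added example, not IBM MaaS360 code or its API: the record fields, rule names, action names and the repeat threshold are all hypothetical, and the mapping from violation to countermeasure is one assumed policy that follows the recommendations above (warn on fixable issues, escalate on repeats, act immediately on loss of integrity).

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    """Constructed device posture record; field names are hypothetical."""
    name: str
    has_password: bool = True
    password_meets_complexity: bool = True
    attestation_passed: bool = True
    unapproved_accounts: list = field(default_factory=list)
    malware_flagged: bool = False
    insecure_wifi: bool = False
    prior_violations: int = 0  # earlier out-of-compliance events on record

# (rule name, violation predicate, can the user fix it themselves?)
RULES = [
    ("password", lambda d: not (d.has_password and d.password_meets_complexity), True),
    ("unapproved_account", lambda d: bool(d.unapproved_accounts), True),
    ("insecure_wifi", lambda d: d.insecure_wifi, True),
    ("malware", lambda d: d.malware_flagged, False),
    ("integrity", lambda d: not d.attestation_passed, False),
]

def evaluate(device, repeat_threshold=2):
    """Return (violated rule names, countermeasure) for one device."""
    hits = [(name, fixable) for name, violated, fixable in RULES if violated(device)]
    names = [name for name, _ in hits]
    if not hits:
        return names, "compliant"
    if "integrity" in names:
        # Extreme failure: remove corporate data instead of warning.
        return names, "selective_wipe"
    if any(not fixable for _, fixable in hits):
        return names, "block_corporate_access"
    if device.prior_violations >= repeat_threshold:
        # Repeated fixable violations escalate past a warning.
        return names, "block_corporate_access"
    return names, "warn_user"

def triage(fleet):
    """Map each device name to its countermeasure."""
    return {d.name: evaluate(d)[1] for d in fleet}

# Constructed sample fleet (not real devices or accounts)
FLEET = [
    Device("pixel-01"),
    Device("galaxy-02", password_meets_complexity=False),
    Device("galaxy-03", has_password=False, prior_violations=3),
    Device("moto-04", malware_flagged=True, insecure_wifi=True),
    Device("byod-05", attestation_passed=False,
           unapproved_accounts=["personal@example.com"]),
]

if __name__ == "__main__":
    for name, action in triage(FLEET).items():
        print(f"{name}: {action}")
```

Keeping the "fixable by the user" flag on each rule is what lets the same rule set produce a warning for a first weak-password finding and a harder response for malware or a failed attestation.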

9) Test Deployments

Before undertaking large scale deployments, apply the configurations and policies on a test device/small set of test devices. Use these devices to test the three major lifecycle components.

  • Enrollment (On-boarding) & Monitoring - Ability to see the device on the EMM portal and interact with it
  • Access & Usage of Corporate Data - Ability to grant/revoke access as needed and apply other security measures
  • Removing enrollment & Clean up - All data is wiped (IBM MaaS360 ensures this by default on Android Enterprise deployments)

Once the deployment is satisfactory, it can then be rolled out in succession to larger sets of users. This will help lower the risk of unintentional changes to the configurations pervading across the organization.

General recommendation

  1. Apply new configurations on a set of test devices and slowly scale them across the organization.
  2. Thoroughly test enrollment (on-boarding), data usage and access, and removing enrollment (clearing data).

10) Constant Monitoring and Periodic Review

Constant monitoring of devices will help in determining compromised devices. It will also help in finding out "rogue" devices - devices that have been enrolled but haven't communicated to the portal for a long period of time.

It is necessary to keep an eye out for new features provided by the EMM and tweak the policies and configurations as desired. As newer OS versions are rolled out, IBM MaaS360 consistently improves its offering to provide zero day support and help the customers stay on top of new tech developments.

IBM MaaS360 can help in determining the security of the whole environment with features such as

  • Regular insights showing the number of devices at risk
  • A Risk Dashboard that showcases the trend of organization, user and device risk over a period of time.
    The data is refreshed every 24 hours to provide a comprehensive picture of the organization's risks as a whole.
  • Device Compliance reports
  • Audit reports for the devices and the various actions performed on them.
  • Customized alerts

General recommendation

  1. Constantly monitor the overall "health" of managed devices
  2. Periodically review assigned security policies to cover new tech developments and changes in requirements/usage of devices.


