Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Android Security, an Enteprise Perspective

Pietro F. Maggi
September 04, 2017
Technology
0
440

Android Security, an Enteprise Perspective

DEBUNKING ANDROID SECURITY MYTHS WITH DATA

In this talk I’m presenting some hot topics for European Corporation in the process to adopt Android as COSU devices.
How features introduced in Android 6.0, Google Mobile Services and third party extensions collaborate to provide to the market state of art solutions.
This talk will answer to questions like:
1. Android threats, real or FUD?
2. Security updates, why are they critical for the Enterprise market
3. Security and Long Life Cycle of Android devices, what are the market best practices

This session is powered by Zebra

Pietro F. Maggi

September 04, 2017
Tweet

More Decks by Pietro F. Maggi

See All by Pietro F. Maggi
Building Android UIs for any screen size
nibble
0
220
ANDROID AT LARGE: HOW TO BRING OPTIMISED EXPERIENCES TO THE BIG SCREEN
nibble
0
23
Kotlin in 2019
nibble
1
160
Embracing WorkManager - DevFest19 edition
nibble
0
62
Embrace WorkManager
nibble
3
580
Enterprise Android - Mind the gap
nibble
0
60
Life of Android Enterprise Developers in the age of Android for Work
nibble
0
2k
Android: it's time to go to Work!
nibble
1
1.1k
Android KitKat & Lollipop New Features for Enterprise Developers
nibble
0
2.7k

Other Decks in Technology

See All in Technology
開発者がインフラ設計や運用に参加したら信頼性が上がった話~CloudWatch Evidently~ / SRE NEXT 2023
bengo4com
0
200
如何在 Elasticsearch 實現敏捷的資料建模與管理 @ DevOpsDays Taipei 2023
unclejoe
0
210
ChatGPTを前に頭が真っ白を乗り越え人が答えることが困難な認知負荷MAXなタフクエスチョンをどんどん回答させてプロダクト価値を爆速探求するぞ/cognitive_load_question_and_chatgpt
moriyuya
2
390
"SMB vs. EP" プロダクト特性の違いから考える「何をつくる?つくらない?」
miyashino
0
490
20230929_SRE_NEXT_エラーバジェット運用までの取り組み-信頼性の低下に対するアクションを定義しよう / Let's define actions against unreliability
gonkun
1
1.4k
SRE を実践するためのプラットフォームの作り方と技術マネジメント / Building a Platform for SRE
irotoris
0
3.4k
視え方と文字の大きさ
lemon
1
200
Runbookに何を書き、どのようにアラートを振り分けるか?
egmc
0
730
プロダクトオーナーとしてSLOに向き合う 〜Mackerelチームの事例〜 / SRE NEXT 2023
tatsuru
PRO
0
300
勘に頼らず原因を⾒つけるためのオブザーバビリティ
sansantech
PRO
4
3.3k
Swift Package Mangerのバグを直した話
k_koheyi
2
160
AWS CDKでインフラ、アプリを分離した際に困ったこと
smt7174
1
130

Featured

See All Featured
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
14k
Visualization
eitanlees
131
13k
It's Worth the Effort
3n
179
27k
Designing for Performance
lara
601
66k
Ruby is Unlike a Banana
tanoku
93
9.9k
Code Reviewing Like a Champion
maltzj
510
38k
How STYLIGHT went responsive
nonsquared
89
4.4k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.6k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
271
12k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
11
890
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.2k

Transcript

  1. ANDROID SECURITY
    an Enterprise Perspective
    Pietro Maggi
    EMEA SW Consultant Sales Engineer

    View Slide

  2. Pietro
    I like to take things apart to
    understand how they works

    View Slide

  3. Zebra Spotlight
    R&D spend
    10%+
    of Sales
    ~$3.65B
    Global Sales
    ~7,000
    Employees
    Worldwide
    4,500+
    US & Int’l
    Patents Issued
    and Pending

    View Slide

  4. Is Android secure?

    View Slide

  5. http://www.techrepublic.com/blog/it-security/androids-very-real-master-key-vulnerability/

    View Slide

  6. http://www.bbc.com/news/technology-28544443

    View Slide

  7. https://www.forbes.com/sites/thomasbrewster/2015/07/27/android-text-attacks/

    View Slide

  8. Using Data to Monitor Risk: Exploits
    Vulnerability Initial Claim Headline Unique APKs
    Peak exploitation after
    public release (per
    install)
    Exploitation before
    public release
    (absolute)
    Master Key
    99% of devices
    vulnerable
    1231 < 8 in a million 0
    FakeID
    82% of Android users at
    risk
    258 <1 in a million 0
    Stagefright
    95% of devices
    vulnerable
    N/A None confirmed N/A
    Source: Google Safety Net Data; Masterkey data collected from 11/15/2012 to 8/15/2013 and previously published at VirusBulletin 2013. Fake ID data collected data collected
    from 11/15/2012 to 12/11/2014 and previously published at the RSA Conference 2015. Stagefright data current through May 2016.

    View Slide

  9. https://arstechnica.com/security/2016/10/android-phones-rooted-by-most-serious-linux-escalation-bug-ever/
    https://source.android.com/security/bulletin/2016-11-01.html

    View Slide

  10. Overall…
    For a device to be affected, a user must download and install a PHA that takes
    advantage of one of the vulnerabilities.
    Using a Device Policy Controller or other lock-down systems is a very good idea
    for COSU devices.

    View Slide

  11. Google’s role in Android
    ecosystem security

    View Slide

  12. Marshmallow
    Device Owner APIs for COSU
    Polish for BYOD
    Nougat
    Addressed Customer feedback
    Boosted security and control for IT admin
    Polish and control for the user
    Lollipop
    Separate managed work profile
    and private user profile for BYOD
    Device Owner for corp-liable
    devices

    View Slide

  13. Google Security Services
    Google Play
    Android SDK
    Google services / APIs
    Security best practices
    Security improvement program
    Applications
    Applications updates
    AOSP
    CTS/CDD
    Security updates
    Security best practices
    Device with Android OS
    Security OTAs
    Google
    Application
    Developers
    Device Makers
    Users
    https://source.android.com/security/

    View Slide

  14. Robust
    Platform
    Comprehensive
    Services
    Ecosystem
    Updates
    1 2 3

    View Slide

  15. Android OS Offers Complete Platform Security
    1
    Application Isolation
    Sandboxes & Permissions
    SELinux
    TrustZone Services
    Seccomp
    Isolated Process
    1
    Device Integrity
    Hardware Root
    Verified Boot
    Data Encryption
    Security Services
    Smart Lock
    1
    Exploit Mitigation
    NX
    ASLR
    Fortify Source
    Updateable WebView
    Integer Overflows
    Hardened Media Server
    1
    Management
    Profiles
    Administrative APIs
    Security Integration
    (VPN, etc.)
    New or substantially changed since Android 5.0

    View Slide

  16. Constant, Independent Verification
    1
    1
    g.co/AndroidSecurityRewards
    Hundreds of active
    researchers
    Over $1 million paid in
    last 12 months

    View Slide

  17. Robust
    Platform
    Comprehensive
    Services
    Ecosystem
    Updates
    1 2 3

    View Slide

  18. Verify Apps
    SafetyNet: Complete Security Services for Android
    Sensor Network
    Android
    Device
    Manager
    APIS

    View Slide

  19. Architecture: Google’s Safety Net for Android
    Knowledge
    PHA or Not
    Data
    App installs
    Install Source
    Application Analysis
    Static
    Dynamic
    Reputation
    Etc.
    Other Google
    Services
    Search
    Drive
    Ads
    Etc.
    SafetyNet
    Analysis
    Exploit Detection
    ACE
    SIC
    Etc.
    Android
    App Sandbox
    Verified Boot
    Encryption
    Etc.
    Chrome
    Smart Lock
    Device Manager
    Safe Browsing
    SafetyNet
    Verify Apps
    Install Apps
    Apps
    Knowledge
    PHA or not
    Best practices
    Knowledge
    PHA or not
    Apps
    Knowledge
    Risk Signal
    Data
    Rare Apps
    App Install Checks
    Attest API
    Protections
    Warnings
    Configuration changes
    Etc
    Device Data
    Events
    Measurements
    Configurations
    Etc.
    Google Play
    App X App Y
    App Z

    View Slide

  20. 2 billion
    devices protected
    1+ billion
    device scans per day
    50+ billion
    apps checked per day

    View Slide

  21. Potentially Harmful Application Rates Since 2014
    1

    View Slide

  22. Potentially Harmful Application Rates Since 2014
    1

    View Slide

  23. Robust
    Platform
    Comprehensive
    Services
    Ecosystem
    Updates
    1 2 3

    View Slide

  24. Ecosystem Wide Updates
    Google
    Application
    Developers
    Device Makers

    View Slide

  25. Application Security Improvements
    1
    1

    View Slide

  26. Zebra’s role in Android
    devices security

    View Slide

  27. Zebra Security – 3 Key Paradigms
    Build on a
    solid
    foundation
    Android
    Enterprise
    Focus on
    the task
    EMM, Kiosk
    Security Life
    Cycle
    Management

    View Slide

  28. LIFEGUARD
    FOR
    ANDROID

    View Slide

  29. Zebra Extended Life Cycle Security Support
    HOW TO SECURE
    ENTERPRISE PLATFORMS?
    Enterprise Demand
    New OS Platforms
    1
    Consumer Market
    Adoption is required
    2
    Successful Consumer OS
    Will Be Aggressively Attacked
    3
    30 Day / Quarterly Security Patch Updates

    View Slide

  30. Zebra Extended Life Cycle Security Support
    HOW DO I STAY SECURE MEETING MY
    TOTAL COST OF OWNERSHIP GOALS?
    Consumer Operating Systems
    Have limited security support life
    1
    Security Patches 2+ Years Beyond End-of-Sale
    Enterprise Customers keep
    devices in services for 5yrs or more.
    2

    View Slide

  31. Zebra Extended Life Cycle Security Support
    HOW DO I STAY SECURE
    DURING OS UPDATES?
    Security OS Transition Period (OTP)
    Consumer Operating Systems
    Have limited security support life
    1
    Enterprise Customers keep
    devices in services for 5yrs or more.
    2

    View Slide

  32. Zebra Extended Life Cycle Security Support
    Zebra vs Consumer
    Typical Consumer Zebra
    Device Life Cycle
    Device Avail for Sale No commit, <2yrs 3, 4 or 5yrs
    Post End of Ship Service None
    Additional
    3, 4 or 5yrs
    Typical Customer Device Refresh 24-29 months* 3-7yrs +
    Security Life
    Cycle
    30 Days Security Updates Some Vendors Yes1
    Security Patch Level Indication Yes (M+) Yes (M+)
    Update Duration from First Ship 36 months / 40 months *60 months / 84months
    OS Transition Period None 12 months
    Extended OS Transition Period None Available ($)
    1 Security Updates released every quarter during the extended life cycle

    View Slide

  33. Source: USA Department of Homeland Security: Study on Mobile Device Security: link
    The most important defense against mobile device security threats is to
    ensure devices are patched against publicly known security
    vulnerabilities and are running the most recent operating system version.
    Installation of patches ensures that devices cannot be trivially targeted
    with well- known public exploits, but rather an attacker must invest time,
    resources, and risk of detection into developing more sophisticated
    attack methods. Running the most recent operating system ensures
    devices are benefiting from general security architecture improvements
    that provide resilience against vulnerabilities that may not yet be publicly
    known.

    View Slide

  34. References
    • Android security bulletins:
    https://source.android.com/security/bulletin/index.html
    • Android Security 2016 Year in Review:
    https://security.googleblog.com/2017/03/diverse-protections-for-diverse.html
    • LifeGuard for Android:
    https://www.zebra.com/us/en/products/software/mobile-computers/lifeguard.html
    • USA Department of Homeland Security: Study on Mobile Device Security:
    https://www.dhs.gov/sites/default/files/publications/DHS%20Study%20on%20Mobile
    %20Device%20Security%20-%20April%202017-FINAL.pdf
    • Google’s Best Practices for Security and Privacy
    https://developer.android.com/training/best-security.html

    View Slide

  35. THANK YOU

    View Slide