DOC RABE Media - Fotolia
6 steps to increase Android security in the enterprise
Android is just as secure as its competitors' OSes, but IT should still remain vigilant. Here are six steps to secure Android devices for the enterprise.
Android phones might be a good choice for many consumers, but IT teams must test their endpoints against enterprise standards. How can IT make sure these devices measure up when it comes to corporate security?
Android security architecture has evolved significantly over the years. As an open source platform, the OS has faced scrutiny regarding its security capabilities, especially compared to more closed systems such as iOS. However, modern Android versions incorporate comprehensive security features, including the following:
- App sandboxing, which isolates applications from each other.
- Verified boot, which ensures only trusted software runs on the device.
- Google Play Protect, which continuously scans apps for malicious behavior.
While no OS is immune to security vulnerabilities, current Android versions offer enterprise-grade security when properly configured and maintained. But when using Android systems in an enterprise context, organizations can't merely rely on the default settings. These aren't enough to stop modern cyberthreats.
Instead, IT must enable key security settings, stay on top of maintenance tasks and deploy supplementary tools.
1. Maintain current Android versions
Keeping devices up to date with recent Android versions is fundamental to security. First, IT should determine the number of older Android devices in use within the organization. To do this, conduct a thorough inventory of all Android devices in the IT environment and identify any device that is more than two generations behind the current release.
Upgrading older devices is necessary to make sure that end users can take advantage of the latest Android security features. Older Android versions lack the essential security enhancements of newer releases. These include improved permission models, stronger encryption and stronger biometric authentication mechanisms.
Devices running Android Enterprise or vendor-specific security tools like Samsung Knox provide extra security layers. They include features such as secure folders, defense-grade encryption and advanced device management. In BYOD environments, IT should restrict employees from using older, outdated devices to connect to corporate systems. Admins can enforce this through compliance policies in the organization's management platform. The compliance policies verify OS versions before granting access to corporate data or apps.
2. Implement regular security updates
Beyond major OS versions, Google releases monthly security patches to address newly discovered vulnerabilities. IT pros should load all devices with periodic updates from Android, many of which address security issues. Check devices at least every 30 days for available updates and download new updates as soon as possible. This guarantees that the latest and most secure OS version is on each device. If IT admins can't upgrade current devices, they should replace them.
IT can automate the Android update process through a unified endpoint management (UEM) platform. The platform should provide compliance reporting and be able to force updates when necessary. Critical security patches should go out within days of release, not weeks or months.
Organizations should also establish a clear replacement policy for devices that no longer receive security updates from their manufacturers. This typically occurs about three to four years after the initial device release, although the time frame varies by manufacturer and device type. It's helpful to have a defined lifecycle management strategy to prevent any security gaps related to outdated devices.
3. Deploy comprehensive management tools
IT should deploy some form of management software, whether through a third-party service such as a mobile carrier or a UEM product that IT manages. This lets IT put work profiles and required app permissions in place, preventing data leakage and unauthorized access.
UEM technology provides the control and visibility necessary to secure Android devices across the entire IT environment. Using these tools, IT can enforce important security settings such as strong passwords, device storage encryption and restrictions on USB debugging.
UEM platforms also provide valuable inventory management capabilities, which let IT track device models, OS versions, security patch levels and installed applications. This visibility enables proactive security management and identifies potential vulnerabilities before hackers can exploit them.
4. Implement app security controls
Malicious apps are a key threat to Android security. IT should enforce strict app management policies to mitigate this risk effectively.
Organizations should configure Android devices so users can only install apps from trusted sources, such as the Google Play Store. For environments with higher security requirements, admins can set up application allowlisting through a UEM tool. This ensures users can only install IT-approved apps, while blocking unauthorized or risky apps.
IT should also carefully manage app permissions to limit access to sensitive device features and data. App permissions can be a threat vector in some cases. If an app requests access to seemingly unnecessary data or functions, for instance, it might contain spyware. Modern Android versions provide granular permission controls, which IT can manage from a central dashboard with UEM policies. Regular audits of app permissions across the device fleet can help identify overprivileged apps and other potential security risks.
5. Secure web browsing and network communications
Mobile devices often connect to untrusted networks, such as those in public places. As a result, secure communications are crucial when accessing corporate resources. IT should implement comprehensive web and network security measures to prevent external parties from intercepting communications.
To protect against phishing and malware, it can be helpful for IT to configure Chrome's Enhanced Safe Browsing feature across all devices. This feature can block access to fraudulent banking sites or malicious download links, for example. It can warn users when they install a malicious extension, even for those not previously known to Google. Organizations should also consider using a secure DNS service, such as Cloudflare or Google DNS, to filter out malicious domain requests at the network level.
Organizations handling sensitive customer data should deploy a mobile threat defense tool. These can detect and block network-based attacks, such as man-in-the-middle attempts on public Wi-Fi.
To secure data in transit, consider deploying an enterprise VPN tool. VPNs are extremely useful for protecting in-transit communications, particularly when users connect to public Wi-Fi networks. Modern UEMs can configure per-app VPN settings. This ensures that only corporate apps, like email or CRM tools, route traffic through a secure connection. For highly sensitive apps, implement always-on VPN to prevent corporate data transmission outside the secure tunnel.
6. Enable advanced authentication
Strengthen device security with layered authentication methods that go beyond simple passwords. One option is biometric authentication. IT can configure biometric authentication requirements to unlock devices or access sensitive apps like corporate email. Of course, this method is limited to devices that support it. Modern iPhones and Android devices do offer secure fingerprint sensors and facial recognition.
To access highly sensitive corporate apps, consider implementing multifactor authentication (MFA). This should combine biometrics with a PIN or token-based tool, such as Google Authenticator or hardware tokens. MFA ensures an additional layer of security, even if one factor is compromised.
In shared or high-security environments, enforce advanced authentication policies. For example, require reauthentication after 10 minutes of inactivity or when accessing sensitive apps like HR systems. UEMs can enforce these policies consistently across all managed devices. This ensures compliance and reduces the risk of unauthorized access.
Nihad A. Hassan is an independent cybersecurity consultant, digital forensics and cyber OSINT expert, online blogger and author with more than 15 years of experience in information security research. He has authored six books and numerous articles on information security. Nihad is highly involved in security training, education and motivation.
