What is Android device management? 

More than 80% of all mobile devices worldwide run Android, a mobile operating system created by Google. This higher percentage means company employees are more likely to use Android for both work and personal use than other device types.

Android devices, if accessing critical business data, can threaten security if hacked, stolen or lost. But with a single ADM platform, IT and security departments can manage all of a company's mobile devices, keeping them secure and the workforce flexible and productive.

Android device management allows IT administrators to manage and secure Android devices. It provides system visibility, remote app management capabilities, automatic security updates and installs, kiosk mode, security alerts, geolocation or geofencing that can auto-lock lost or stolen devices.

Android OS is the most widely used mobile operating system in the world, according to Statista.¹ And logically, Android users encounter more security compromises compared to Apple iOS users and others. Two major Android security threats are malware and data leaks.

There are millions of Android apps available in the Google Play store. And while some are safe and treat personal data with the utmost care, many are unsafe. Apps can be compromised.

Compromised apps can lead to data leaks. Personal or corporate data can funnel to unscrupulous third-parties from unsafe apps. One way data can leak is through excessive app permissions. App permissions determine what functions an app has access to on a user's device. Some app permissions are riskier than others, so users need to pay attention to the permissions they grant.

According to Wandera’s study, “Understanding the mobile threat landscape,” 45% of the most requested permissions on Android are considered high-risk. But which permissions are high-risk and how so? Here’s a list of regularly accepted permissions on Android that Wandera considers as carrying higher risk:

– Find accounts: Allows the app to access the list of accounts known by that phone

– Read contacts: Allows the app to read data about contacts stored on that device

– Read phone status: Allows the app to access the device’s internal features, such as phone numbers and device IDs

– Read SD card: Allows the app to read the contents of an SD card

– Write to SD card: Allows the app to modify or delete an SD card’s contents

– Precise location: Allows the app to get a precise location, using GPS or network location sources

– Record audio: Allows the app to record audio with the microphone at any time

– Take pictures and video: Allows the app to use the camera at any time

Per Wandera's study, "65% of organizations have at least one device with an out-of-date operating system," and the data shows "57% of Android devices are running an OS at least two full versions behind the current one." Updated operating systems not only improve device performance but also include critical security patches. So without OS updates, Android devices remain vulnerable to cyberattacks.

Sideloading Android devices describes an app installation process outside of using the default Google Play store. While an Android OS default configuration doesn't allow sideloaded apps to be downloaded and installed from unofficial sources, it's possible to configure Android OS settings to allow apps from third-parties. So users can download application packages from websites or install apps from third-party app stores.

Wandera's research shows around 20% of Android devices have this setting enabled, which opens up the device to threats. Users that sideload apps face increased security risks because it bypasses Apple and Google's application vetting process on their official app stores. Thus, the device has less protection against inadvertently installed malware. "35% of organizations have at least one device with one or more sideloaded apps installed," according to Wandera's study.

Rooting is the process of allowing Android users to gain control over internal OS systems. And as the name implies, the technique provides root access to the device. Users of rooted Android devices can make drastic changes, up to and including changing the device's operating system. Rooting an Android OS is similar to jailbreaking an Apple's iOS. Both are privilege escalation methods, but rooting provides more control to Android users than Apple users gain through jailbreaking.

Per the Wandera study, "6% of organizations have at least one jailbroken or rooted device." Although popular with users trying to free a device from carrier lock, these risky configurations allow them to install unauthorized software functions and applications. Some users might jailbreak or root their mobile devices to install security enhancements. But most look for a more straightforward method to customize the OS or install applications that aren't available on the official app stores. Whatever the case, rooting opens up the device to cyberthreats.

A successful ADM program works best with Android Enterprise. Android Enterprise is a Google-led initiative, enabling the use of Android devices and apps in the workplace. It provides a fast, streamlined method for deploying corporate-owned Android devices, and it's the default management solution for Android devices running 5.0+.

The program offers APIs and other developers' tools to integrate support for Android into their enterprise mobility management (EMM) solutions. For example, IBM Security ® MaaS360, an Android Enterprise Recommended unified endpoint management (UEM) platform, integrates with Android Enterprise to support the Android EMM solution APIs. It brings a unified experience of management to the Android operating system.

An Android Enterprise integration allows an organization to:

– Gain insight into each device, including its OS system and version number, manufacturer details and root detection.

– Perform actions to locate devices and lock or wipe (full and selective) lost devices. And control apps with blocklist, allowlist and auto-install or removal. Plus, enforce geofencing on hardware features such as the camera, to protect sensitive data.

– Set policies to enable access to corporate resources from email to Wi-Fi and VPN. Manage passcode updates and length to meet evolving corporate standards, and enforce encryptions and kiosk mode.

– Disable hardware functions such as the camera, USB storage and microphone. Protect data-level leaks with feature restrictions for the clipboard, cut-and-paste and screen-capture functions.

• Enforce OS updates to reduce vulnerabilities or pause updates until your corporate applications are vetted and ready for deployment.
• Zero-day support for new Android OS versions and devices using OEMConfig.
• Zero-touch enrollment with out-of-the-box configuration and one-time setup for large-scale deployments.

Privacy and peace of mind are supported by BYOD — by shielding personal app information, device location, physical address, SSID and browsing history. With an Android work profile, personal data can stay private while work data remains secure. The user can switch between work and personal profiles without sharing data between the two.