Android data security for enterprises: Navigate the risk environment

Recent versions of Android have become increasingly more secure, but hackers are resourceful. Malware and Android data security vulnerabilities still find their way onto Android devices through the ingenious efforts of cybercriminals. 

These Android data security breaches come about through:

It's impossible to create perfect software. As computer scientist A. K. Dewdney once said, "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards—and even then I have my doubts." And Android data security breaches still occur. 

Fortunately, there's a way to improve Android data security, both in an enterprise and personal context. Let's dive into Android data security and what you must do to ensure your devices are protected in the best possible way. 

Data security in Android for business

The problem of data security in Android is terrible enough from a consumers' perspective, but the issues become particularly severe in a business context.

Companies, who create Android-based products, often have to go through the effort of customizing the AOSP (Android Open Source Project) to build modified versions of Android running on their hardware architecture because there is no official Google version of Android that fits all hardware boards. 

The complexity and cost of obtaining a license from Google and then using its proprietary solutions like the Google Play Store are even higher. 

Homegrown Android versions

Developing your own Android ROM is challenging. Homegrown and purchased solutions by hardware vendors typically lack the robust security for embedded systems that businesses require when building products. Over-the-Air software updates are just one of the vital Android data security features that these versions don't support. The ability to remotely update IoT devices requires an appropriate infrastructure that can support it. 

Compromised devices sold to customers have broader consequences than if a personal device is infiltrated. An embedded system for IoT might be connected to crucial infrastructure, or it could provide a hacker access to private consumer data, leading to hefty fines for the company due to privacy law violations. 

Outdated Android versions

Companies also commonly run older versions of Android since those versions typically come with the hardware they buy. This isn't necessarily a problem if updates and security patches are delivered regularly, which is usually not the case. 

Newer versions of Android are more resource-intensive, leading to incompatibility with weaker-performing hardware configurations. So, older versions are still a good solution for some use cases.

The other reason for working with older versions is that it takes time for custom Android ROMs to catch up to official Google Android OS releases. 

The above combination of factors makes the perfect hotbed for breaches of data security in Android in a product context. 

How secure is data on Android?

Although Android has become increasingly more secure, hackers can circumvent data security in Android through malicious apps distributed through the Google Play Store or by infiltrating production lines to insert malicious code into the core Android code. 

Notable events in data security for Android

Several notable events in the last few years highlight how important it is for businesses to take Android data security seriously. Just because a device is created by Google or one of the big players, such as Samsung, doesn't mean the device is secure. 

Let's examine a few noteworthy examples of violations of data security in Android. 

Bloatware as a privacy nightmare

Samsung came under the spotlight when Ars Technica exposed how much larger Samsung's version of Android is compared to Google's version. Samsung's version of Android takes up a mind-boggling 60 GB of space because of uninstallable bloatware that comes built into its version of Android. 

In addition to the massive footprint, the report says that Samsung makes this space available for hire to companies that want to install apps with more intrusive permissions than if they were installed from the Google Play Store. Apps built into the OS can do anything that the OS programmers decide they want them to do. 

Companies put themselves at risk by using these consumer devices in their business.  

Infiltrated supply chains

Security company Trend Micro recently discovered Android malware that had been pre-installed on new factory devices, without the OEM knowing about it. The hackers did it by criminally intercepting the supply chain and inserting malicious code during the device's production. This resulted in 50 brands shipping Android devices with preinstalled malware. 

The malware also shipped in Android TVs, Smart TVs, various display devices, and children's Android-based watches.

Such an Android data security breach is far worse than bloatware or malicious apps because it's built directly into the operating system and forms part of a much larger criminal business model. 

Google Play Store infiltration

Despite Google's promise to protect devices through Google Play Protect, malicious apps often make it through Google's automated app vetting procedures, resulting in Android data security violations for users. 

One successful violation happened because of a popular Android software module called SpinOK. This module specializes in circumventing Android data security measures, collecting info on device files, and transferring them externally. The module also has permission to read the Android clipboard. It then sends the contents to a remote server. 

The SpinOK module sold itself as a tool to keep users engaged in apps by providing mini-games and giveaways. The app made its way to over 101 apps in the Google Play Store. These apps were installed over 400 million times. 

The Google Play Store is only available on Google Mobile Services (GMS) certified devices—those devices are officially licensed by Google to use Google's proprietary version of Android. Obtaining GMS certification is a major and costly hassle for businesses that need custom fleets, prompting many to skip certification and use custom Android images without proprietary Google services. 

This inability to install GMS apps, such as the Google Play Store, on non-GMS devices might be a blessing in disguise in light of the above. 

More Android data security breaches through Google Play

Another Remote Access Trojan (RAT) recently made its way into the Google Play store in the form of a screen recorder. Phenomenally, the app is based on open-source RAT code freely available on Github, yet it made it into the Google Play Store undetected. After installing the app, it opens a backdoor in the user's device and uploads phone contacts to a remote server. 

Google's response to the rash of malicious apps recently discovered in the Google Play Store has been little more than the usual canned response, stating that it takes security very seriously, and so on. 

Consumers and businesses fortunately do have a choice when choosing an app store to use, to improve data security for Android. The Google Play Store is not the only option. Several Google Play Store alternatives exist, such as F-Droid.

Certificate leaks

When someone installs an app on Android, the OS checks that the original developer signed the application. The security certificates used to sign applications need to be kept absolutely private. If a hacker gains access to certificates from known companies, it can release malicious apps that purportedly come from those companies. 

That's exactly what happened in December, when several major companies suffered a certificate leak, including Samsung, LG, and MediaTek. Using these certificates, malicious actors can create fraudulent apps that appear to come from these reputable companies and so trick users into installing them. 

Does Android have any built-in security?

Android resolved several bugs in earlier versions that gave root access, preventing malicious apps from exploiting root. It takes considerable skill to infiltrate Android devices through malicious software. Unfortunately, top-level hackers appear to have those skills. 

Google and privacy

All malware aside, another real concern is that of Google's own Android data security violations. In December 2022, France's data authority fined Google €50 million for violating Europe's General Data Protection Regulation (GDPR). The court found that Google had processed user data for ad personalization without first obtaining user consent. 

That fine is a mere drop in the ocean compared to the near-$400-million penalty Google agreed to pay in the USA just the month before that. The penalty came in response to allegations that Google continued to track user locations even after users turned off location tracking on their devices. 

Meanwhile, Google announced a new Privacy Sandbox feature that will supposedly prevent users from being personally tracked by ads. This feature sounds good on the outside, but it has its doubters regarding data security for Android. In light of the company's past misbehavior regarding user privacy, it's not difficult to understand why. 

How do I protect my data on Android?

When companies are building their own devices, the best way for them to improve data security for Android is to create a thoroughly tested, well-supported, custom version of Android that receives regular security updates. Companies can also run their own app store that only allows whitelisted applications. 

Steps to harden data protection for Android

As a business, hardening data protection for Android devices build in your company is imperative.

To do this, you must make sure to:

Android data security with a trusted OS

The first thing to know about data protection for Android is that professional-grade and customized Android OSes do exist that take data security for Android seriously. Community-driven software is great, but it has its limitations in a business context. 

We celebrate the vibrant and enthusiastic Android community that contributes such valuable code to this incredible operating system. The challenge with using community-driven open-source code is the lack of accountability.  

One of the beautiful things about open-source code is that it can remain open while an economic ecosystem grows around it, adding a degree of accountability for companies seeking professional-grade services. For example, WordPress and Drupal's creators both founded companies offering pro-level services around their open-source code. 

When choosing to use a custom Android OS, look for professional-level Android versions and services that offer a degree of dedicated support and accountability, thereby greatly improving data security for Android. 

Remote device access and control

The company should be able to connect to and handle all devices remotely through a secure connection, to update out-of-date apps and the operating system itself. 

This feature can be a two-edged sword if implemented poorly, so the remote-access tool minimally should implement:

App updates

No software is perfect. That's why updates are crucial at the OS level and for apps themselves. 

One of the Android data security problems with apps on custom Android ROMs is the missing infrastructure to update those apps remotely. The same is true of updating the operating system itself. 

Any enterprise-grade solution should include the ability to carry out regular remote updates to ensure data security for Android. 

Device monitoring

Devices need to be monitored to ensure they're operating well. In case of anomalies, fleet managers can take action immediately. 

Some of the monitoring aspects related to Android data security include:

Custom app store

Relying on a third-party app store, including Google Play, should be considered the same way as handing someone the keys to your company safe. Do you trust the third party? If you do, are you 100% certain they haven't been infiltrated? 

You should (and can) maintain your own app store, implementing a marketplace-like app distribution that feels familiar to your customers but includes only company-approved or -developed apps. 

Android data security with emteria and custom Android

Emteria provides an automation solution that helps you build your own customized and secure Android version for enterprise use, or modify your company's Android version to ensure it meets the most essential Android data security needs, and so meeting all your requirements. 

Alternatively, you can always install our pre-designed emteria.OS Android version, which works on a wide variety of hardware configurations out-of-the-box and is great to build initial prototypes. 

Through emteria's Device Hub, which adheres to some of the most rigorous privacy regulations in the world—those of Germany—fleet managers can monitor device health and perform remote updates when necessary. 

Although Android's security is better today than it ever was, that security can be penetrated. At an enterprise level, the consequences can be dire. 

Android is superb for business IoT devices because of its wide support and familiar user interface. If the proper business support exists for it, there should be no reason not to adopt it entirely in your companies products. 

And if you need specific Android OS customizations to improve the version you're working on, emteria can help you with those.