Security
56 TopicsIs there any way to disable Google Play Protect (GPP) from an EMM or to otherwise whitelist apps from scanning?
I am very concerned about the Enhanced GPP features coming soon that are currently being piloted in other regions. https://security.googleblog.com/2023/10/enhanced-google-play-protect-real-time.html This is not a welcome feature whatsoever for the fully managed space where we have business apps written internally that are being installed on business devices, owned by that business. In no way do we want Google sitting in between deciding whether a very legitimate app written internally for an organization should be installed on devices that are purchased and owned by the same organization on fully managed devices. I would like a way to disable GPP completely, or at a minimum whitelist applications from scanning as we don't want Google interfering in the business operations. GPP is a helpful consumer protection features but fully managed devices should have the ability to be opted in or out of the program. Otherwise GPP can incorrectly flag a mission critical app and disable or remove it from a device, thereby bringing down a line-of-business application and an end customers operations. While the intentions of GPP are good, by blocking business apps Google themselves is becoming the malicious actor that GPP is ironically trying. to prevent.Solved40KViews13likes57CommentsIntroducing The Secure Element podcast - Episode #1 is LIVE!
Hey friends, I'm pleased to announce the launch of our brand new security podcast: "The Secure Element"! This podcast is dedicated to all things security, covering topics relevant to our community and beyond. Plus, I am joined by some incredible people across the ecosystem along the way. We're kicking things off with our first episode, featuring special guest Bhavesh Kumar, Senior Director of Product Management at Omnissa. In Episode 1, we dive into: UEM controls to manage security Ecosystem of malware protection New capabilities for Device Trust principles You can listen to the first episode below: We'd love to carry on the conversation after you have listened/watched the video, so please do share your thoughts on any of the topics discussed in the comments below and/or any suggestions you might have for future topics. Stay secure, Burr621Views12likes1CommentMaster ownership of Android devices
Factory Reset Protection / persistence is a powerful tool but it does not yet feel complete, and it is quite frustrating and potentially dangerous in its current state. It is not always apparent whether any given device is persistently linked using ZeroTouch, Intune or even Google Account FRP. While these tools are available to some, they are not a financially viable option for everyone, especially for consumers. There may be documentation describing the intimate intricacies of how all of these tools work and when/where they leave signs of their presence, but I cannot find it. I have not found a PSA from google for consumers saying "if you buy a second hand phone, check x, y and z to make sure it is not locked, otherwise someone can potentially remotely brick it." As a small company we have various scenarios where we provide phones to employees and also distribute loan/event devices for other small-medium companies, and don't necessarily have the ability to invest in enterprise-grade tools like ZT, InTune or Android Enterprise. If you think, on Windows all you need is to set the BIOS password and the Admin password and User Account Control takes care of the rest. Now take the android example, you add a google account and think it's safe with the user not knowing the password, but there is nothing to stop the user from adding their own personal google account, removing yours (no password required), setting their own PIN, and turning a $1000 phone into a paperweight. If they can unlock the phone, they are the master owner. There did used to be a feature for Multi-User on android but I haven't seen it in a long time, and I think there were performance issues with it as they all had to be loaded at once. While I may be lacking understanding knowledge and making some assumptions, should a consumer really need to know exactly how Android Enterprise works in depth just to buy a second hand/"refurbished" phone? And I dare anyone to get into a device after it's been factory reset while attached to a personal google account with a PIN set without hacking tools. I know there have been exploits with Talkback in the past but it's been patched now, and again these are not lengths to which consumers should need to go. If I knew someone's pattern (most common security type and very hard to hide effectively), and had their phone for 2 minutes, I could turn it into a paperweight simply by adding a disposable google account, removing theirs, and setting a PIN. How are we supposed to protect against that as a small business?14KViews7likes17Comments[PRODUCT UPDATE] Zero-touch enhancement: Audit logs
Hey everyone, We're pleased to announce a significant enhancement to the zero-touch customer portal, designed to provide greater transparency over your data. Comprehensive audit logs, offering a detailed and accessible record of all actions affecting your customer data will soon be available in the customer portal. Key Improvements: Comprehensive Logging: Captures actions taken from all possible sources eg: zero-touch customer and reseller portal, customer and reseller API. Tracks all data related to a zero-touch customer, including: Users Devices Resellers Configurations Terms of Service CSV Files Zero-touch customer accounts Easy Access and Analysis: Access audit logs through a user-friendly interface within the portal. Download logs in CSV format for further analysis and reporting. Benefits: Accessibility and Analysis: Ensures easy access and analysis of logs. Enhanced Security: Provides a detailed record of all activities impacting customer data, enabling better monitoring. Streamlined Troubleshooting: Quickly identify and resolve data-related issues with detailed activity logs. Increased Transparency: Offers greater visibility into how your customer data is being accessed and managed. Important Note: The audit logs are only available via the zero-touch customer portal. There is no change to the zero-touch reseller portal, Reseller API, and Customer API. Migration Timeline: This feature will be enabled during the next few weeks. Only logs after March 2025 are available in the zero-touch customer portal. If you require older audit logs, please contact your reseller who can raise a support ticket. We hope you find this enhancement useful. To learn more, please refer to this Help Center guide. It would be fantastic to hear your feedback or any questions below. Thanks so much.766Views7likes28CommentsDo you really need a long pass code on Android?
Do you really need a long complicated pass code on Android? Traditionally, IT admins applied similar pass code requirements to Android devices as with server and desktop operating systems. However, this approach can be excessive and unnecessarily restrictive. Unlike laptops or desktops, where unlocking grants access to all user apps and services, Android operates differently. As “Android is now the most common interface for global users to interact with digital services”*(1) with many organizations, from small businesses to large multinational corporations and government agencies, relying on Android devices to access sensitive company data, it’s important to understand the distinction. The key difference lies in how these operating systems handle app permissions. While server/desktop OS's typically consider all apps running within the context of the logged-in user account as fully authorized, Android operates with a more granular approach. Android apps are not inherently granted full authorization for all user actions.*(1) This inherent security measure within Android mitigates the risk of malicious code exploiting the vulnerabilities of server/desktop OS's. On server/desktop systems, attackers often only need to execute malicious code with the currently logged in user's privileges to gain significant control. Android's more restrictive environment makes this type of attack more challenging. Windows, macOS, and Chrome will typically use a username and password coupled with Single Sign-On (SSO) or Multi-Factor Authentication (MFA) that is tied to a corporate account to log into the OS. Android simply uses a PIN, pass code, or pattern that is not tied to a user’s LDAP or domain account to unlock the device. This separates the device unlock on Android by not having that tied to a corporate identity. This difference keeps an Android pass code to unlock a device separate from the user's account to access corporate services and applications. In this way, the Android security model grants less power to users versus traditional OS's that do not require multi-consent models. The immediate benefit to users is that one app cannot act with full user privileges. The user cannot be tricked into letting it access data controlled by other apps due to the robust app sandboxing on Android. So, do you really need a long pass code on Android if the unlock pass code is not tied to your corporate account? Let's consider some more interesting facts to determine if a long pass code is needed to protect an Android device. NIST passcode guidelines: A shift in perspective What does the National Institute of Standards and Technology (NIST) have to say? The general password guidance from the latest version of SP 800-63b *(2) are listed below: Pass code Length: Minimum 8 digits Complexity (Special characters, uppercase, lowercase, number): No longer required Pass code hints: Do not allow Simple or known pass codes: Do not allow Periodic pass code changes (every 90 days, etc.): Not required. Only force changes when a known compromise is detected. SMS for MFA Codes: Do not use Pass code guess prevention (Throttling): Implement NIST’s updated requirements are a result of technology advances that prevent guessing a pass code. As an example, 8 digits without special characters, upper and lower case, and pass code changing requirements are no longer recommended. An 8-digit pass code of non-repeating numbers is now sufficient to provide very strong protection. On Android we actually changed our PASSWORD_COMPLEXITY_HIGH to 6 digits back in Android 12. Let's explore this a little more. Rate limiting and password guessing Android implements a very strong default rate-limiting capability, which imposes increasing delays after the 5th failed login attempt, culminating in a 24-hour lockout after 100 attempts. The benefit to a managed device is that Android Enterprise can limit the attempts to a specific number before a device wipe is triggered automatically. This helps prevent access to personal and company data. Assuming that an Android device is properly managed with a limited number of failed pass code attempts, let's say 10 tries, enforcing a device wipe by policy renders an attack mostly infeasible. Even the latest version of the password-guessing USB tool, rubber ducky, is ineffective. Now, let's explore a simplified explanation of what a hash is in this context. Imagine your pass code to unlock your Android device is "019283". Android has an "algorithm machine" (called a hash function, or algorithm such as SHA256) that takes that password and generates a unique string of characters that represents that specific data, such as "a5f4g6h7j8k9l0". This is the hash of your password. It looks nothing like your original password, making it virtually impossible to figure out your lock screen pass code "019283" just by looking at the hash. Additionally, reversing the hashing calculations is infeasible and the algorithms are created in such a way as to protect against a reversing calculation. Now, every time you try to unlock your device, Android securely feeds what you type into the unlock prompt and puts it through the same hashing algorithm. If the resulting hash matches what is stored in secure hardware on the device, then Android knows you've entered the correct password and it unlocks. What is stored in secure hardware on Android is the hash of your pass code, not your pass code itself. We have all seen the following image on social media, but it portrays incorrect data when it comes to Android. This table does not take into consideration that the attacker has successfully been able to capture the hash of the pass code. Extracting the hash of a pass code from a locked Android device's secure hardware is non-trivial and is extremely difficult, actually infeasible on Android. Conclusion: Rethinking pass code complexity for Android In conclusion, it is important to note that I have only covered a small portion of a very complicated topic that involves encryption, key storage, hashing, and rate-limiting in Android kernel and services. While anything is potentially possible, the reality of exfiltrating a hash from secure hardware is really not feasible or practical. Requiring a pass code that is long and complicated is not a factor in 2025 on Android. With the proper management policies, guessing a pass code to unlock a stolen or lost device should not be a concern any longer. Have a look at what your EMM provider options are when setting a pass code requirement and consider how you can make the user experience for your users better by not having to enforce long complex pass codes, it just frustrates users. *(1) Android Security Model: https://arxiv.org/pdf/1904.05572 *(2) https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63b.pdf1.6KViews6likes9CommentsEnhanced Factory Reset Protection in Android 15
Factory Reset Protection: A Shield for Everyone Smartphones and tablets have become integral to our work and personal lives, however, they can also be easily lost, and on occasion, stolen by opportunistic thieves. Many times these bad actors will simply wipe the device to remove any personal and business data, with the intent of selling or using the device themselves. That's where Factory Reset Protection (FRP) steps in as a crucial line of defense. FRP is an Android security feature designed to prevent the reuse of a lost or stolen Android device. It requires your Google account or lockscreen credentials after a factory reset, ensuring that only the rightful owner can access and use the device once it has been wiped. Enhanced Factory Reset Protection Building on its initial purpose, FRP has evolved significantly with the release of Android 15. In the past, tech-savvy thieves and users found ways to bypass FRP, but Android 15 closes those loopholes with powerful new protections. These enhancements were added to combat unauthorized access and make stolen devices much less appealing to thieves, whether they're targeting personal or company-owned devices. Prior to Android 15, the Setup Wizard was responsible for determining whether FRP should be activated, and for enforcing it, including determining whether you have authenticated with the correct credentials to get out of FRP mode and proceed with setup normally. But the Setup Wizard was designed to be a user-friendly tool to walk through setting up a device, not a security enforcement barrier. In Android 15, FRP enforcement has been moved deep into the system, where it’s much harder to overcome. Benefits You Can Count On These enhancements translate into real-world benefits for everyone: Individuals: Deters Theft: FRP makes stolen devices far less valuable, as thieves can't bypass the Google account login or lock screen credential check. This significantly reduces the incentive for theft. Peace of Mind: Knowing that your Android device has this robust security feature gives you peace of mind. You can rest assured that if your device falls into the wrong hands, it cannot be used for anything. Enterprise and Managed Devices: Enhanced Device Security: Factory Reset Protection makes it much harder to reuse or sell stolen devices, which discourages thieves from stealing them in the first place. Simplified Device Management: FRP integrates seamlessly with enterprise mobility management (EMM) solutions, allowing IT administrators to enforce FRP policies and ensure devices are protected. With Android 15, FRP has evolved into a powerful deterrent against device theft by making stolen devices unusable.5.9KViews6likes7CommentsRead this year's 2024 Android Security Paper
Hey Friends, this year's new 2024 Android Security paper is now available, take a look! In today’s modern world, we use mobile devices everywhere – at home, on the go, and at the office. So, protecting them against cyber threats has never been more important. Mobile devices are attractive targets for bad actors to steal or compromise to gain access to personal and business data. 83% of all phishing sites specifically target mobile devices and render in mobile browsers differently than desktop browsers. With that in mind, I’m happy to announce the updated Android Security Paper. Here, we detail our latest security measures to help protect your fleet of devices. By combining Zero Trust principles, enhanced privacy features, and advanced security capabilities, Android continues to set the standard for a secure, privacy preserving, and user-friendly mobile platform across use cases. What's new in Android 15 Android 15 brings more robust anti-theft protection capabilities, Private space to help protect users personal apps, and more dynamic audit logging. Additionally, we have introduced a simplified eSIM management feature, artificial intelligence management capabilities for IT admins, and a host of privacy preserving features. Plus, you’ll discover improvements to make customer sign-up and account governance easier and more secure. Finally, we have hardened the OS by enhancing memory safety to help minimize vulnerabilities. Enjoy! 2024 Android Security Paper3.9KViews6likes3Comments[Guide] Learn more about Generative AI controls from Android Enterprise
Hey everyone, As generative AI increasingly integrates into the workplace, we recognize that your teams may already be exploring these experiences. Android Enterprise is here to help provide the effective control and secure deployment for the generative AI experiences your teams use every day, ensuring you can leverage this technology securely. We’ve heard your questions here in the Customer Community about controlling business data and managing AI tools on Android, and so I’m pleased to share with you this Guide to Generative AI controls, which covers key business concerns, from ensuring the security and integrity of company data to exploring Android Enterprise and Google controls for generative AI experiences. We hope this guide will provide insights into the ways you can leverage the power of generative AI in your business, while implementing the necessary controls to protect your data. Get the insights today → Android Enterprise Guide: Generative AI controls For more details, please also view this Help Center article. AI is ever evolving, so we’d love to keep the conversation going here in the community. Are there any other things related to AI that you would like to hear more about? Are you finding that employees in your company are keen to use AI in the workplace? Thanks, Lizzie *Help Center article added May 15, 2025392Views6likes9CommentsPreferred Password / Passkey / Autofill Missing Policy
Since the installation of Android 15, I'm now unable to set a preferred Passkey / Password service on the phone, and it says its being blocked by an IT policy, contact an admin. Being the admin, and reviewing setting multiple times, there is no policy set that comes close to this. Is there a way to allow this to be used in an enterprise, or is there no fix and it's a hidden policy?852Views5likes4Comments[Product Update] Signup and Device Enrollment: New Features and upcoming plans
Hello everyone, As we kickstart a new year, we are pleased to update you on enhancements we’ve made in the areas of signup and device enrollment and give you an advanced look at some features we’ll be adding in the near future. Background We’ve heard from many customers that they prefer being able to administer Android management capabilities (e.g signing up for Android Enterprise, logging into the Managed Play store, etc.) using their corporate email address rather than a gmail address. This provides increased security, along with better administrative capabilities including self-service fixes for lost account credentials and changing access when team members change. We’ve also heard that for knowledge worker devices, customers prefer being able to log in to their devices with their work email, and being able to have the convenience of shared experiences across their phone and desktop. (More details can be found in this Android Enterprise blog post) To improve the experience for both IT admins and end users, we’ve been working on changes in signup and enrollment that emphasize the use of work email accounts, and minimize Managed Google Play accounts except for dedicated devices that don't have logged in users. Here is an update on our recent announcements as well as our plans for the next few quarters: 1) Improved signup Flow (Launched and rolled out to all EMMs) In Q2 2024, we announced a new signup flow that encourages all new customer IT admins to sign up with their corporate email rather than a gmail account. We also made it possible to bind multiple EMM instances to a customer’s domain to allow for using multiple EMMs simultaneously in testing and in production. As of July 2024, all of our EMM partners have adopted this new flow so new customer signups should use managed Google Domains by default. 2) New Android Enterprise enrollment flow In early Q3 2024 for EMM partners with solutions based on Android Management API, we added the ability to enable “Authenticate using Google” which allows managed Google Accounts with work email addresses to be enrolled for end users. In addition, we added a new enrollment method, which is the ability to trigger enrollment by adding managed Google accounts directly from the Settings>Accounts section in Android OS. Enabling “Authenticate using Google” requires our EMM partners to make some changes to allow userless dedicated devices to enroll without being prompted to add a work account, but all AMAPI partners should be working to adopt these changes and all EMMs will be enabled by Q1 2025. For EMM Partners that build custom solutions based on Play EMM API, similar new enrollment capabilities will be available to begin development starting in Q1 2025. 3) Upgrade Managed Google Play Enterprises to Managed Google Domains (Q1 2025) Next, following up on our new signup flow from earlier in the year, we are making it possible for ALL organizations to upgrade their Managed Google Play accounts enterprises, and have their binding moved to their managed Google domain. This will involve switching out the gmail addresses used by IT admins for currently bound enterprises and replacing them with work email addresses associated with a managed Google domain. 4) Upgrading users to Managed Google accounts (later 2025) Finally, later in 2025, we’re going to be offering the capability to upgrade end user Managed Google Play accounts installed on devices to managed Google accounts corresponding to user email addresses. Stay tuned for more details in the coming quarters. We extend our thanks to the AE community for your continued support and collaboration. As we continue to enhance the signup and device enrollment experience, we encourage you to stay tuned for more updates and exciting developments in the coming quarters. Plus, feel free to let us know below if you are interested in hearing more about any of the above. The Android Enterprise Team2.5KViews4likes0Comments