Android security: Which smartphones can enterprises trust?

Google’s Android operating system dominates smartphone usage throughout the world — in every region except North America and Oceania, in fact. Thus, businesses in many regions are likely to support and issue Android devices to employees as their mainstay mobile devices. Even in regions where Apple’s iPhone dominates or is comparable in market share, businesses are likely to support or issue Android devices at least as a secondary option.

But Android security has long been an IT concern, despite significant security improvements made to the platform a decade ago in response to security standards put in place for iPhones, which quickly gained the security seal of approval as a result. That makes the buying and support decision around Android phones more complex for CISOs — whether as corporate-liable devices (that is, the devices that enterprises buy for their employees) or as employee-liable devices or bring-your-own devices (BYOD) that IT allows access at least to work email and calendars, and often to web-based services.

This article surveys the key considerations for Android security and then classifies the major Android vendors based on security level to help narrow IT’s purchase and support decisions. (Our sister publication Computerworld details other enterprise buying considerations for Android devices.)

Security considerations for Android devices

Apple tightly controls the iPhone and its iOS operating system, which gives the CISO strong assurance about software updates, security patches, and manageability. By contrast, the Android world is highly diverse, with dozens of manufacturers using Google’s Android platform but offering varying levels of quality and support, and in many cases few or inconsistent OS and security updates.

In the early days of Android, security was a major IT concern for the emerging smartphone market. Research in Motion’s BlackBerry had set high standards in the 1990s and early 2000s for mobile security, while the early Android (and iOS) devices fell far short of IT expectations.

Apple and then Samsung moved to make mobile security at least as good as BlackBerry’s in the early 2010s, and Google followed suit a few years later by making encryption standard in Android and then making container-based separation of work and personal data and apps a standard part of 2015’s Android 5.0 Lollipop OS. By 2017, the Android platform had strong security capabilities. More sophisticated capabilities became available through both hardware and software extensions, such as Samsung’s Knox platform in 2013 for its enterprise devices and Google’s Android for Work (later renamed Android Enterprise) for the rest of the Android world. Android Enterprise support became a standard feature in 2018’s Android 9.0 Pie.

Today, IT can count on all Android devices having the basic level of security needed. But some users — such as high-level executives who deal in sensitive corporate information, or operations staff managing critical infrastructure or supply chains — need more security.

The availability of Android vendors varies widely across the globe, so the choices of suitably secure devices where your organization operates also vary; our sister site Computerworld has outlined in which markets Android vendors have significant presence to guide you to the likely candidates for your business. Based on StatCounter data, 13 current Android vendors have 1% or more usage share in at least one region:

  • Google
  • Huawei
  • Infinix Mobility
  • Itel Mobile
  • Lenovo-owned Motorola Mobility
  • Nokia
  • OnePlus
  • Oppo
  • Realme Chongqing Telecommunications
  • Samsung Electronics
  • Tecno Mobile
  • Vivo Mobile Communication
  • Xiaomi

Google has a certification called Android Enterprise Recommended (AER) that focuses on enterprise concerns around performance, device management, bulk device enrollment, and security update commitments. Google publishes an AER tool to help IT see which devices meet that certification in various regions, as well as find supported Android versions and end dates for security updates. Just be aware that the AER tool’s results can be out of date and incomplete, so don’t rely solely on it.

There are three Android security levels to consider, and many organizations will need more than one in place to cover different sets of employees.

Basic Android security defined

This level is appropriate on personal devices permitted to access basic corporate systems like email. The basic security level provides device encryption, password enforcement, remote lock and wipe, and sandboxed execution of security functions. All current Android devices support this level, with even just a basic management tool like Google Workspace or Microsoft 365 in place.

Moderate Android security defined

This level is appropriate for when IT requires or allows personal devices to be used for corporate access and apps, as well as for corporate-issued devices allowed to also be used for personal purposes. The moderate security level provides the basic level plus separation of work data and apps from personal data and apps via containers, through a unified endpoint management (UEM) platform that supports Google’s Android Enterprise platform or, only for Samsung devices, Samsung’s Knox platform. Tip: Compare the leading UEM platforms’ capabilities in Computerworld’s guide.

All current Android devices with at least 3MB of RAM support work/personal separation, but some UEM platforms may require that the devices run newer versions of Android than are deployed at your organization.

Advanced Android security defined

This level is appropriate for executives, human resources professionals, finance professionals, and anyone dealing with critical data and systems access such as in government, defense/military, finance, healthcare, and critical infrastructure like utilities, energy, and transport. The advanced security level provides the moderate level plus chip-based security enabled to reduce unauthorized access by spies and hackers, as well as compliance with the US’s latest Common Criteria security standard.

Chip-level security detects hacks to the operating system, firmware, memory, and other core systems, and locks down or shuts down the device as a result, via Android’s Keystore service. Such hardware-level security is not an Android Enterprise Recommended requirement, but it is essential for military-grade security.

Just a few devices use chip-level security to protect system integrity: Samsung’s Android Secured by Knox phones use Arm’s TrustZone chip for its Trusted Boot, Google’s Pixel series uses its own Titan-M chip for its Trusted Execution Environment (TEE), and Motorola says all its Android devices use Arm’s TrustZone chip for its Strongbox. (Apple’s iPhones have this capability too via the Secure Enclave.) The other Android vendors did not respond to my inquiries about their security capabilities but appear not to support hardware-based security, based on their websites’ specification data.

Common Criteria imposes specific security approaches that the US government thus knows it can rely on across devices. Although also not an Android Enterprise Recommended requirement, Common Criteria is a good advanced-security standard for IT to use anywhere in the world.

Android models from several vendors comply with Common Criteria: several from Google, Huawei, Motorola, Oppo, Samsung, and Sony, as well as some front-line specialty devices from Honeywell and Zebra Technologies. (Filter by “Mobility” in the Common Criteria web tool to get the current list.) Apple’s iPhone also complies.

Government security certification for Android devices

Organizations may want to look to government certifications to determine their Android device choices for sensitive uses. When Apple and Samsung both gained US Defense Department, UK Government Communications Headquarters (GCHQ), and Australian Signals Directorate approval for use of their enterprise-class devices in the mid-2010s, it was huge news — breaking BlackBerry’s longstanding monopoly on government approval.

Today, such announcements are rare, and governments instead focus on ensuring that approved UEM platforms are in place to manage the widely used iPhones and Android phones. Recently the US Department of Defense has approved several Samsung phones and some front-line Android devices from Honeywell and Zebra Technologies for sensitive uses, as it moves to using the Common Criteria standard. The Australian Signals Directorate has approved several Samsung phones recently as well.

Security and OS update assurances for Android devices

IT typically wants assurances that devices will get security updates and OS updates for several years to reduce the risk of being hacked through outdated devices that haven’t kept up their defenses. Google’s Android Enterprise Recommended certification requires only one future OS upgrade. For security updates, it has no minimum, requiring only that vendors publish their update commitments on their websites — and that information can be hard to find.

In my survey of Android vendor websites, three to five years is typical for Android security update commitments on business-class devices, and one to three future Android OS versions is typical for OS updates. (By contrast, Apple typically provides seven years of security updates and five years of iOS updates.) The stingiest Android vendors in terms of OS updates are Motorola, Oppo, and Xiaomi, which commit to only one major Android upgrade for their enterprise-class models. Google and Samsung have the best update commitments.

Vendors’ published update commitments for business-class Android devices include:

  • Google: five years of security updates, three years of OS upgrades
  • Motorola: three years of security updates, one year of OS upgrades
  • Nokia: three years of security updates, two years of OS upgrades
  • OnePlus: four years of security updates, three major OS upgrades
  • Oppo: three years of security updates, one year of OS upgrades
  • Realme: three years of security updates, two major OS upgrades
  • Samsung: “at least” four years of security updates, three “generations” of OS upgrades
  • Vivo: three years of security updates, three years of OS upgrades
  • Xiaomi: three years of security updates, one major OS upgrade

I couldn’t find update information on the Huawei, Infinix, Itel, and Tecno websites, and the companies did not respond to my requests for information.

For certified devices, you can also use Google’s Android Enterprise Recommended tool to narrow down by what date various vendors’ specific models’ security updates will end. Just be aware that the tool may not list recent models. I also recommend you verify whether vendors do what they promise by getting some older devices and seeing how recent the available security updates are: Have they kept up the promised duration?

Finally, be aware that cellular carriers can override, slow, or block updates in many countries, overriding whatever promises the device vendor has made. For example, Google notes on its Pixel page that Pixel phones bought directly from Google typically get updates sooner than those bought through a carrier. That carrier control is a longstanding reality, well pre-dating modern mobile devices, with only Apple able to have fully wrested control over updates from the carriers.
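One way to run the check recommended above across a device inventory, as an added example that is not part of the original article: it compares each device’s reported security patch level with the vendor’s published commitment from the list above. The device records, the 90-day lag threshold, and counting the commitment from the launch date are assumptions made for illustration.

```python
from datetime import date

# Security-update commitments in years, copied from the vendor list above.
# Samsung's entry uses the "at least four years" figure from that list.
COMMITMENT_YEARS = {
    "Google": 5, "Motorola": 3, "Nokia": 3, "OnePlus": 4, "Oppo": 3,
    "Realme": 3, "Samsung": 4, "Vivo": 3, "Xiaomi": 3,
}
MAX_PATCH_LAG_DAYS = 90  # assumption: a local policy threshold, not from the article


def add_years(d, years):
    """Shift a date by whole years, mapping 29 Feb to 28 Feb when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def audit(device, today):
    """Classify one device record against its vendor's published commitment."""
    years = COMMITMENT_YEARS.get(device["vendor"])
    if years is None:
        return "no-published-commitment"
    launch = date.fromisoformat(device["launch"])  # assumption: window starts at launch
    patch = date.fromisoformat(device["patch_level"])
    if today > add_years(launch, years):
        return "past-commitment"
    if (today - patch).days > MAX_PATCH_LAG_DAYS:
        # Still inside the promised window but stale: the vendor or carrier is
        # not delivering, or the update has not been installed.
        return "lagging"
    return "current"


def audit_fleet(fleet, today):
    """Return {model: status} for every device record in the inventory."""
    return {d["model"]: audit(d, today) for d in fleet}


# Constructed sample inventory with hypothetical model names. patch_level uses the
# YYYY-MM-DD form reported by `adb shell getprop ro.build.version.security_patch`.
FLEET = [
    {"model": "phone-a", "vendor": "Google", "launch": "2021-10-28", "patch_level": "2023-02-05"},
    {"model": "phone-b", "vendor": "Motorola", "launch": "2021-04-01", "patch_level": "2022-06-01"},
    {"model": "phone-c", "vendor": "Xiaomi", "launch": "2019-09-01", "patch_level": "2022-08-01"},
    {"model": "phone-d", "vendor": "Tecno", "launch": "2022-01-15", "patch_level": "2022-12-01"},
]

if __name__ == "__main__":
    for model, status in audit_fleet(FLEET, date(2023, 3, 1)).items():
        print(f"{model:10} {status}")
```

A "lagging" result is the case the verification step is looking for: the device is still inside the promised window, yet its patch level shows the promise is not being met on that handset.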

Buying guide: How Android phones rank by security level

The Android market breaks down into four classes of security assurance, based on how vendors handle key enterprise IT security concerns:

  • Advanced security: These vendors provide high security levels appropriate even for government and military use and access to sensitive data.
  • Moderate security: These vendors provide sufficient security levels and sufficient update assurance for basic use such as for productivity apps and web tools.
  • Basic security: These vendors provide sufficient security levels but inadequate update assurance.
  • Untrusted: These vendors have strong opposition to their use by major governments.

Advanced security: The most secure Android vendors

There’s only one Android manufacturer with global device availability and enterprise-class (even military-grade) security, plus multiyear software and security updates after purchase: Samsung. That makes Samsung the best (and often only) choice for corporate-liable Android devices in every region of the world. Its enterprise-grade models (what Samsung calls Android Secured by Knox) include the Galaxy S, Galaxy A5x, Galaxy A3x, Note, XCover, Z Flip3, and Z Fold3 series. For these models, security updates are promised for five years after initial release; Samsung publishes the security lifespans for its enterprise-grade devices, which vary by device.

Google’s Pixel 7 series phones are equally secure. Google, too, promises five years of security updates after initial release. However, the Pixel 7 series is available in just Australia, Canada, Denmark, France, Germany, India, Ireland, Italy, Japan, the Netherlands, Norway, Singapore, Spain, Sweden, Taiwan, the UK, and the USA.