Maintaining Android in the enterprise
Risk Management
Admins and security experts are losing more and more control over devices within the enterprise, as the presenters of the SUSECon keynotes largely agreed in early November in Orlando [1]. SUSE's CEO Nils Brauckmann was the first to address the problem, and people at IBM, SAP, and Cisco are also aware of the drama.
New management tools, cloud solutions, and mobile computing are adding complications to the quest for better enterprise security. A main concern for many admins is the flood of insecure personal devices that are now used to check email, update calendars, and even access the home network through remote login. The wave of Bring Your Own Device (BYOD) networking is turning the LAN into unsafe terrain.
BYOD Destroys Security Concepts
Integrating mobile devices into the rapidly changing networking landscape (with deep packet inspection, software-defined networking, etc.) would be difficult enough, even in the best of circumstances. Compounding the issue, the majority of endpoints are inherently insecure [2]. Admins need to come to terms with the fact that Google ignores basic security concepts of the Unix and Linux world in Android.
If you have a large enough budget and enough power in your company, you can impose policies on users, turn to expensive crypto phones, or implement one of many commercial offers for mobile device management software. If not, you can use Linux to improve the situation without investing in expensive mobile device management software.
In this article, we show how you can use tools from the Android SDK [3] to retrieve information about the state of the device. You'll learn about apps that are useful in the analysis, and we'll explain how admins can restore equipment to a safe condition – including by backing up user data and flashing a bootloader. These techniques require a high level of access to the Android device, and this discussion is intended for cases in which the phones belong to the company or the owner gives permission for significant modifications.
Rooting Android
Because Google has overturned the popular Linux architecture, anyone who needs to do a little more on an Android device than Google allows first needs root access. Root access is not always easy to come by; in fact, rooting is most likely to succeed if the equipment manufacturer is cooperative. Cooperative vendors include Google with its Nexus devices, as well as Samsung's Galaxy; Sony and HTC usually play along, too.
Caution: If you want to do this (like almost everything in this article) on a third-party device – for example, one owned by an employee – you need the owner's written consent. The following text assumes that the admin has obtained the consent of the employee or has equipment that can be issued to employees. Although this scenario is not strictly BYOD, the problems remain the same because of Android's vulnerabilities.
Superuser Apps
The approaches to gaining root access are so diverse that providing a generic guide is impossible. The only solution here is to search for each device in the developer forums and the usual websites – from XDA Developers [4] to AndroidPIT [5]. If you have managed to root the device with an app like Superuser [6], you can access a number of apps that Google does not want you to use and that offer advanced features.
These features range from defining a proxy for the browser, setting an ad blocker, and sniffing traffic to the secure configuration of the default route or the DNS server. They also include various settings that would involve major overhead if you wanted to implement them on a desktop PC (e.g., individual firewall rules for each app).
Don't forget that security experts cannot agree whether or not to root their Androids. We subscribe to the principle of equality of arms: An attacker could root the device at any time through exploits with malware. Why should the owner give up this right? Additionally, the features that rooting opens up are likely to convince an experienced Linux user pretty quickly.