开发者

Hardening or securing android device

Is there a way to harden an android device? For example, my company wants to make an application for our clients. We will install the application on a selected android device. Since our application has sensitive data, we don't want anyone to be able to install anything other than the application we provide on the device. Is there a way 开发者_开发技巧to harden or secure an android device to make it enterprise ready? Any link or leads would be helpful.


In OS 2.2 Android introduced the ability to enforce a device level password policy from within an app and to remote wipe the device, e.g. from OS 2.1 the default Android e-mail application supports Microsoft Exchange policies for password policies and remote wipe.

Unfortunately at this time I don't think there is a way to enforce which applications can be installed on a device.

Device admin API for device level password policies and remote wipe (introduced in OS 2.2):
http://developer.android.com/guide/topics/admin/device-admin.html

General link about OS 2.2 features:
http://www.computerworld.com/s/article/9179423/With_2.2_release_Android_for_the_enterprise_deserves_a_second_look


The Center for Internet Security http://cisecurity.org is drafting a benchmark on how to do this. The community link is here: https://community.cisecurity.org

This is the link to the pdf file https://benchmarks.cisecurity.org/en-us/?route=downloads.form.android.100


Sounds like SEAndroid will be of interest, it's dubbed as the security enhanced version of Android, the NSA are big contributors.

Specifically, Android SE aims to offer:

  • Per-file security labeling support for yaffs2,
  • Filesystem images(yaffs2 and ext4) labeled at build time,
  • Kernel permission checks controlling Binder IPC,
  • Labeling of service sockets and socket files created by init,
  • Labeling of device nodes created by ueventd,
  • Flexible, configurable labeling of apps and app data directories,
  • Userspace permission checks controlling use of the Zygote socket commands,
  • Minimal port of SELinux userspace,
  • SELinux support for the Android toolbox,
  • Small TE policy written from scratch for Android,
  • Confined domains for system services and apps,
  • Use of MLS categories to isolate apps.


To accomplish what you're suggesting, you'd need to build a custom version of the OS and make the necessary modifications to the system to block app installations. You could either only allow one app to be installed, or you could preinstall your app as part of the OS and not allow any app installations. Unfortunately, modifying Android to accomplish this goal will be nontrivial.


There are some companies providing a Device Security Framework for Android which can harden and secure your android system. Check out https://mocana.com/dsf-android.html

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜