Zero Trust signals

Android provides a variety of device signals that administrators can use to determine the security posture of a device. In a Zero Trust security model, these signals are used to assess whether a device should be allowed to access corporate information.

Feature Description Fully Managed devices Work profile on company-owned devices Work profile on personally-owned devices (BYOD) Unmanaged devices
Play Integrity API A Trust broker can retrieve the following signals:
  • Device integrity
  • App integrity
  • Play license details
  • Environment details including the new Play Protect verdict
  • Yes Yes Yes Yes
    Secure Hardware Present / Key Attestation A Trust broker can verify that their PKI credentials were generated and stored in secure hardware Yes Yes Yes Yes
    Device Properties Attestation As part of key attestation, device properties can be included as part of the attestation record Yes Yes Yes Yes
    Device Security Patch Level A Trust broker can validate the OS Security Patch Level Yes Yes Yes Yes
    Does the device have pending OTA A Trust broker can check if there is a pending device OS update available Yes Yes Yes N/A
    Mainline Security Patch Level A Trust broker can read the security patch level for the installed mainline train Yes Yes Yes Yes
    Enrollment Specific ID A Trust broker can access a unique device ID specific to that enterprise. This ID survives work profile re-creation and device factory reset Yes Yes Yes N/A
    Management State (and managing app) A Trust broker can use this to determine if a device is managed Yes Yes Yes N/A
    Disk encryption A Trust broker can check if the device is encrypted (if Android 8 support is needed) Yes Yes Yes Yes
    OS Version A Trust broker can check the device OS version and confirm it exceeds a certain version Yes Yes Yes Yes
    Access Network State (Network state and WiFi state) A Trust broker can get information about the active network state (cellular and WiFi) Yes Yes Yes Yes
    Access the WiFi State (Android 11 and lower, Android 12 and higher support both a callback or an on-demand approach) A Trust broker can get information about the active WiFi network Yes Yes Yes Yes
    Proxy Settings A Trust broker can get information about the current default HTTP proxy settings. Yes Yes Yes Yes
    Screen lock quality check A Trust broker can ensure a device has a certain quality screen lock configured before granting access Yes Yes Yes Yes
    Developer options enabled A Trust broker can identify a device as having a broader attack surface when developer options are enabled Yes Yes Yes Yes
    Is DNS over TLS enabled A Trust broker can leverage this to ensure that that the Private DNS mode is enabled Yes Yes Yes Yes
    SafetyNet Safe Browsing A Trust broker can determine whether a particular URL has been classified by Google as a known threat. Yes Yes Yes Yes
    External Media Mounted A Trust broker can be notified when an external storage is mounted Yes Yes Yes Yes
    UsageStatsManager A Trust broker can study usage patterns of individual apps Yes Yes Yes Yes1
    Security logging A Trust broker can leverage this data as part of their contextual engine to ensure compliance and create a behavior based fingerprint Yes Yes2 Yes2 N/A
    Network logging A Trust broker can leverage this data as part of their contextual engine to ensure compliance and create a behavior based fingerprint Yes Yes2 Yes2 N/A
    NetworkStatsManager A Trust broker can query app's network usage within a given time interval Yes Yes Yes2 Yes1
    Package Visibility (List all apps on device) A Trust broker can query what apps are installed on the device Yes Yes3 Yes3 Yes
    Read Phone State A Trust broker can get mobile network info, the status of any ongoing calls, and a list of PhoneAccount registered on the device Yes Yes Yes Yes
    When the device last rebooted A Trust broker can get the system uptime Yes Yes Yes Yes
    Get Accounts A Trust broker can leverage this to access the list of accounts in the Accounts Service Yes Yes3 Yes3 Yes1
    Monitor significant changes in battery level A Trust broker can monitor significant changes in battery level Yes Yes Yes Yes
    Location (Fine, Coarse, etc...) A Trust broker can access the device physical location Yes Yes Yes1 Yes1

    1 With user consent

    2 Work profile only

    3 Access limited to work profile information

    A Trust broker can access the PackageInfo for the com.google.android.modulemetadata module and retrieve from there the versionName:

    private fun mainlineVersion(context: Context): String? {
        val moduleProvider = "com.google.android.modulemetadata"
    
        return try {
                val pm = context.packageManager
                val packageInfo = pm.getPackageInfo(moduleProvider, 0)
                packageInfo.versionName
            } catch (e: PackageManager.NameNotFoundException) {
                null
            }
    }
    

    You can parse the returned string into a Date object using the SimpleDateFormat class:

    private val VERSION_NAME_DATE_PATTERNS = Arrays.asList(
          "yyyy-MM-dd",
          "yyyy-MM"
    )
    
    private fun parseDateFromVersionName(text: String): Date? {
        for (pattern in VERSION_NAME_DATE_PATTERNS) {
            try {
                val simpleDateFormat = SimpleDateFormat(
                    pattern,
                    Locale.getDefault()
                )
                simpleDateFormat.timeZone = TimeZone.getDefault()
                return simpleDateFormat.parse(text)
            } catch (e: ParseException) {
                // ignore and try next pattern
            }
        }
        return null
    }
    

    Remember that for Android 11 and newer you have to add a query declaration in you AndroidManifest.xml file to satisfy Android's package visibility:

    <manifest package="com.example.game">
        <queries>
            <package android:name="com.google.android.modulemetadata" />
        </queries>
        ...
    </manifest>
    

    A Trust broker can use these methods to verify if a device is under management mode and which management mode is active.

    Check for device management

    Use getActiveAdmins() to check if a device is under management. If this method returns null the device is unmanaged.

    Check for fully managed device

    Use isDeviceOwnerApp() to check if the device is fully managed.

    Check for work profile on a company-owned device

    Use isOrganizationOwnedDeviceWithManagedProfile() to check if a device is using a work profile management mode for corporate-owned devices

    Check for work profile on a personally-owned device

    Use isProfileOwnerApp() to check if an app is running inside a work profile and verify that isOrganizationOwnedDeviceWithManagedProfile() returns false.