Android provides a variety of device signals that administrators can use to determine the security posture of a device. In a Zero Trust security model, these signals are used to assess whether a device should be allowed to access corporate information.
Feature | Description | Fully Managed devices | Work profile on company-owned devices | Work profile on personally-owned devices (BYOD) | Unmanaged devices |
---|---|---|---|---|---|
Play Integrity API | A Trust
broker can retrieve the following signals:
|
Yes | Yes | Yes | Yes |
Secure Hardware Present / Key Attestation | A Trust broker can verify that their PKI credentials were generated and stored in secure hardware | Yes | Yes | Yes | Yes |
Device Properties Attestation | As part of key attestation, device properties can be included as part of the attestation record | Yes | Yes | Yes | Yes |
Device Security Patch Level | A Trust broker can validate the OS Security Patch Level | Yes | Yes | Yes | Yes |
Does the device have pending OTA | A Trust broker can check if there is a pending device OS update available | Yes | Yes | Yes | N/A |
Mainline Security Patch Level | A Trust broker can read the security patch level for the installed mainline train | Yes | Yes | Yes | Yes |
Enrollment Specific ID | A Trust broker can access a unique device ID specific to that enterprise. This ID survives work profile re-creation and device factory reset | Yes | Yes | Yes | N/A |
Management State (and managing app) | A Trust broker can use this to determine if a device is managed | Yes | Yes | Yes | N/A |
Disk encryption | A Trust broker can check if the device is encrypted (if Android 8 support is needed) | Yes | Yes | Yes | Yes |
OS Version | A Trust broker can check the device OS version and confirm it exceeds a certain version | Yes | Yes | Yes | Yes |
Access Network State (Network state and WiFi state) | A Trust broker can get information about the active network state (cellular and WiFi) | Yes | Yes | Yes | Yes |
Access the WiFi State (Android 11 and lower, Android 12 and higher support both a callback or an on-demand approach) | A Trust broker can get information about the active WiFi network | Yes | Yes | Yes | Yes |
Proxy Settings | A Trust broker can get information about the current default HTTP proxy settings. | Yes | Yes | Yes | Yes |
Screen lock quality check | A Trust broker can ensure a device has a certain quality screen lock configured before granting access | Yes | Yes | Yes | Yes |
Developer options enabled | A Trust broker can identify a device as having a broader attack surface when developer options are enabled | Yes | Yes | Yes | Yes |
Is DNS over TLS enabled | A Trust broker can leverage this to ensure that that the Private DNS mode is enabled | Yes | Yes | Yes | Yes |
SafetyNet Safe Browsing | A Trust broker can determine whether a particular URL has been classified by Google as a known threat. | Yes | Yes | Yes | Yes |
External Media Mounted | A Trust broker can be notified when an external storage is mounted | Yes | Yes | Yes | Yes |
UsageStatsManager | A Trust broker can study usage patterns of individual apps | Yes | Yes | Yes | Yes1 |
Security logging | A Trust broker can leverage this data as part of their contextual engine to ensure compliance and create a behavior based fingerprint | Yes | Yes2 | Yes2 | N/A |
Network logging | A Trust broker can leverage this data as part of their contextual engine to ensure compliance and create a behavior based fingerprint | Yes | Yes2 | Yes2 | N/A |
NetworkStatsManager | A Trust broker can query app's network usage within a given time interval | Yes | Yes | Yes2 | Yes1 |
Package Visibility (List all apps on device) | A Trust broker can query what apps are installed on the device | Yes | Yes3 | Yes3 | Yes |
Read Phone State | A Trust broker can get mobile network info, the status of any ongoing calls, and a list of PhoneAccount registered on the device | Yes | Yes | Yes | Yes |
When the device last rebooted | A Trust broker can get the system uptime | Yes | Yes | Yes | Yes |
Get Accounts | A Trust broker can leverage this to access the list of accounts in the Accounts Service | Yes | Yes3 | Yes3 | Yes1 |
Monitor significant changes in battery level | A Trust broker can monitor significant changes in battery level | Yes | Yes | Yes | Yes |
Location (Fine, Coarse, etc...) | A Trust broker can access the device physical location | Yes | Yes | Yes1 | Yes1 |
1 With user consent
2 Work profile only
3 Access limited to work profile information
Retrieve Mainline version
A Trust broker can access the PackageInfo for the
com.google.android.modulemetadata
module and retrieve from there the
versionName
:
private fun mainlineVersion(context: Context): String? {
val moduleProvider = "com.google.android.modulemetadata"
return try {
val pm = context.packageManager
val packageInfo = pm.getPackageInfo(moduleProvider, 0)
packageInfo.versionName
} catch (e: PackageManager.NameNotFoundException) {
null
}
}
You can parse the returned string into a Date
object using the
SimpleDateFormat
class:
private val VERSION_NAME_DATE_PATTERNS = Arrays.asList(
"yyyy-MM-dd",
"yyyy-MM"
)
private fun parseDateFromVersionName(text: String): Date? {
for (pattern in VERSION_NAME_DATE_PATTERNS) {
try {
val simpleDateFormat = SimpleDateFormat(
pattern,
Locale.getDefault()
)
simpleDateFormat.timeZone = TimeZone.getDefault()
return simpleDateFormat.parse(text)
} catch (e: ParseException) {
// ignore and try next pattern
}
}
return null
}
Remember that for Android 11 and newer you have to add a query declaration in
you AndroidManifest.xml
file to satisfy Android's package visibility:
<manifest package="com.example.game"> <queries> <package android:name="com.google.android.modulemetadata" /> </queries> ... </manifest>
Retrieve management state
A Trust broker can use these methods to verify if a device is under management mode and which management mode is active.
Check for device management
Use getActiveAdmins() to check if a device is under management. If this
method returns null
the device is unmanaged.
Check for fully managed device
Use isDeviceOwnerApp()
to check if the device is fully managed.
Check for work profile on a company-owned device
Use isOrganizationOwnedDeviceWithManagedProfile()
to check if a device
is using a work profile management mode for corporate-owned devices
Check for work profile on a personally-owned device
Use isProfileOwnerApp()
to check if an app is running inside a work
profile and verify that isOrganizationOwnedDeviceWithManagedProfile()
returns
false
.