Security posture signals

AI-generated Key Takeaways

Android provides various device signals to assess device security posture in a Zero Trust model.
Device Trust from Android Enterprise is an API solution offering these signals for evaluating Android device security.
These signals can be used on devices with work profiles on company-owned or personally-owned devices, and some signals are also available on unmanaged devices.

Android provides a variety of device signals that administrators can use to determine the security posture of a device. In a Zero Trust security model, these signals are used to assess whether a device should be allowed to access corporate information.

Feature

Description

Fully Managed devices

Work profile on company-owned devices

Work profile on personally-owned devices (BYOD)

Unmanaged devices

Play Integrity API

A Trust broker can retrieve the following signals:

Device integrity

App integrity

Play license details

Environment details including the new Play Protect verdict

Yes

Secure Hardware Present / Key Attestation

A Trust broker can verify that their PKI credentials were generated and stored in secure hardware

Yes

Device Properties Attestation

As part of key attestation, device properties can be included as part of the attestation record

Yes

Device Security Patch Level

A Trust broker can validate the OS Security Patch Level

Yes

Does the device have pending OTA

A Trust broker can check if there is a pending device OS update available

Yes

N/A

Mainline Security Patch Level

A Trust broker can read the security patch level for the installed mainline train

Yes

Enrollment Specific ID

A Trust broker can access a unique device ID specific to that enterprise. This ID survives work profile re-creation and device factory reset

Yes

N/A

Management State (and managing app)

A Trust broker can use this to determine if a device is managed

Yes

N/A

Disk encryption

A Trust broker can check if the device is encrypted (if Android 8 support is needed)

Yes

OS Version

A Trust broker can check the device OS version and confirm it exceeds a certain version

Yes

Access Network State (Network state and WiFi state)

A Trust broker can get information about the active network state (cellular and WiFi)

Yes

Access the WiFi State ( Android 11 and lower , Android 12 and higher support both a callback or an on-demand approach)

A Trust broker can get information about the active WiFi network

Yes

Proxy Settings

A Trust broker can get information about the current default HTTP proxy settings.

Yes

Screen lock quality check

A Trust broker can ensure a device has a certain quality screen lock configured before granting access

Yes

Developer options enabled

A Trust broker can identify a device as having a broader attack surface when developer options are enabled

Yes

Is DNS over TLS enabled

A Trust broker can leverage this to ensure that that the Private DNS mode is enabled

Yes

SafetyNet Safe Browsing

A Trust broker can determine whether a particular URL has been classified by Google as a known threat.

Yes

External Media Mounted

A Trust broker can be notified when an external storage is mounted

Yes

UsageStatsManager

A Trust broker can study usage patterns of individual apps

Yes

Yes ¹

Security logging

A Trust broker can leverage this data as part of their contextual engine to ensure compliance and create a behavior based fingerprint

Yes

Yes ²

N/A

Network logging

A Trust broker can leverage this data as part of their contextual engine to ensure compliance and create a behavior based fingerprint

Yes

Yes ²

N/A

NetworkStatsManager

A Trust broker can query app's network usage within a given time interval

Yes

Yes ²

Yes ¹

Package Visibility (List all apps on device)

A Trust broker can query what apps are installed on the device

Yes

Yes ³

Yes

Read Phone State

A Trust broker can get mobile network info, the status of any ongoing calls, and a list of PhoneAccount registered on the device

Yes

When the device last rebooted

A Trust broker can get the system uptime

Yes

Get Accounts

A Trust broker can leverage this to access the list of accounts in the Accounts Service

Yes

Yes ³

Yes ¹

Monitor significant changes in battery level

A Trust broker can monitor significant changes in battery level

Yes

Location (Fine, Coarse, etc...)

A Trust broker can access the device physical location

Yes

Yes ¹

¹ With user consent

² Work profile only

³ Access limited to work profile information

Retrieve Mainline version

A Trust broker can access the PackageInfo for the com.google.android.modulemetadata module and retrieve from there the versionName :

  private 
  
 fun 
  
 mainlineVersion 
 ( 
 context 
 : 
  
 Context 
 ): 
  
 String? 
  
 { 
  
 val 
  
 moduleProvider 
  
 = 
  
 "com.google.android.modulemetadata" 
  
 return 
  
 try 
  
 { 
  
 val 
  
 pm 
  
 = 
  
 context 
 . 
 packageManager 
  
 val 
  
 packageInfo 
  
 = 
  
 pm 
 . 
 getPackageInfo 
 ( 
 moduleProvider 
 , 
  
 0 
 ) 
  
 packageInfo 
 . 
 versionName 
  
 } 
  
 catch 
  
 ( 
 e 
 : 
  
 PackageManager 
 . 
 NameNotFoundException 
 ) 
  
 { 
  
 null 
  
 } 
 }

You can parse the returned string into a Date object using the SimpleDateFormat class:

  private 
  
 val 
  
 VERSION_NAME_DATE_PATTERNS 
  
 = 
  
 Arrays 
 . 
 asList 
 ( 
  
 "yyyy-MM-dd" 
 , 
  
 "yyyy-MM" 
 ) 
 private 
  
 fun 
  
 parseDateFromVersionName 
 ( 
 text 
 : 
  
 String 
 ): 
  
 Date? 
 { 
  
 for 
  
 ( 
 pattern 
  
 in 
  
 VERSION_NAME_DATE_PATTERNS 
 ) 
  
 { 
  
 try 
  
 { 
  
 val 
  
 simpleDateFormat 
  
 = 
  
 SimpleDateFormat 
 ( 
  
 pattern 
 , 
  
 Locale 
 . 
 getDefault 
 () 
  
 ) 
  
 simpleDateFormat 
 . 
 timeZone 
  
 = 
  
 TimeZone 
 . 
 getDefault 
 () 
  
 return 
  
 simpleDateFormat 
 . 
 parse 
 ( 
 text 
 ) 
  
 } 
  
 catch 
  
 ( 
 e 
 : 
  
 ParseException 
 ) 
  
 { 
  
 // ignore and try next pattern 
  
 } 
  
 } 
  
 return 
  
 null 
 }

Remember that for Android 11 and newer you have to add a query declaration in you AndroidManifest.xml file to satisfy Android's package visibility :

<manifest  
package="com.example.game">  
<queries>  
<package  
android:name="com.google.android.modulemetadata"  
/>  
</queries>  
...
</manifest>

Retrieve management state

A Trust broker can use these methods to verify if a device is under management mode and which management mode is active.

Check for device management

Use getActiveAdmins() to check if a device is under management. If this method returns null the device is unmanaged.

Check for fully managed device

Use isDeviceOwnerApp() to check if the device is fully managed.

Check for work profile on a company-owned device

Use isOrganizationOwnedDeviceWithManagedProfile() to check if a device is using a work profile management mode for corporate-owned devices

Check for work profile on a personally-owned device

Use isProfileOwnerApp() to check if an app is running inside a work profile and verify that isOrganizationOwnedDeviceWithManagedProfile() returns false .

Security posture signals Stay organized with collections Save and categorize content based on your preferences.

AI-generated Key Takeaways

Retrieve Mainline version

Retrieve management state

Check for device management

Check for fully managed device

Check for work profile on a company-owned device

Check for work profile on a personally-owned device

Security posture signals