Just over a year ago, Google announced the launch of Android Go*, a slimline operating system “optimised for low-end devices”. Within a year, several OEMs had started to release new lower-cost devices that use this version of Android, and doubtless more will follow.
So, you may be wondering whether these more affordable devices could be used within your organisation as a way of saving on hardware costs. This blog takes a look at the platform, and answers some common questions: How is ‘Go’ different to standard Android? Are ‘Go’ devices secure? Why are ‘Go’ devices so cheap? Should I use them in my organisation?
What’s different about the ‘Android Go’ platform?
The technology underpinning Android Go is pretty similar to what you’d expect to see on a regular Android device, but specially optimised for lower-performance hardware and to work better in areas of limited or no data connectivity. OEMs can choose to pre-install Android Go on their low-end devices when they want to target markets with those constraints.
The Android blog goes into detail about the differences between Android and Android Go, covering storage space requirements, data usage, and app optimisations. Their Android Go overview also goes on to discuss security, and Google promise not to compromise in this area.
All Android Go devices will have the same security that’s built into standard Android Oreo devices, including exploitation mitigations and features such as Find My Device and Google Play Protect. One key difference we note, though, is that data-at-rest encryption is not on by default, although this can be enabled if the device supports it.
And for the Enterprise?
So, to answer the question on everyone’s mind – can I use ‘Go’ edition devices in my organisation? Should I?
Our EUD guidance for Android makes use of the newest security features available within Android 8 (Oreo) and utilises the Android Enterprise Framework (in work-managed mode) to offer the best balance of usability and security on the Android platform. ‘Go’ devices, however, do not include support for Android Enterprise – meaning it’s not possible to follow our EUD guidance on Android Go devices.
That’s not to say that these devices are entirely unsuited to enterprise use. You may be able to take some limited control over Go devices by utilising an MDM (Mobile Device Management) product which uses the Device Administrator APIs**, or by using container applications. But remember, these approaches are not recommended by the NCSC and you will be opening yourself up to additional risk.
Container apps or MAM (Mobile Application Management) may be used to gain some control over users accessing corporate resources. This type of management enforces policies defined by your MDM product within the app itself. This gives admins the ability to loosely govern the app that is trying to access internal resources, but remember, you have no say over any device-level enforcement.
Android Enterprise Recommended
Clearly, admins out there need help choosing their next round of devices, and fortunately, Google has a solution. Android Enterprise Recommended is a programme which recommends certain devices as being especially well-suited for enterprise use.
These devices go through a thorough testing process and must meet an elevated set of specifications for hardware, deployment, security updates and user experience. OEMs must also deliver security updates within 90 days and support devices for a minimum of three years.
As a result, the NCSC’s EUD guidance for Android now recommends organisations choose devices from this list. By doing so, and following our EUD guidance, you’ll be sure that your organisation’s Android devices have the best possible mix of usability and security.
As always, if you have any feedback on this blog or our Android 8 guidance please get in touch here or below.
Stuart G
EUD Security Research
* To make things slightly more confusing, Android Go shouldn’t be confused with Android One, which is a different initiative from Google to release a bare-bones version of Android with very little to no OEM customisation.
** Remember, the legacy Device Administrator APIs will start to be deprecated from Android ‘P’ onwards. Make sure your MDM supports the modern Android Enterprise framework – watch this space for an upcoming blog on this in the next few months.
Source: National Cyber Security Centre