Android encryption and data protection


The widespread use of teleworking and of mobile devices for professional purposes has brought security flaws to light. A study recently published by NordLocker reveals that this year, the five countries where companies are most attacked are the United States, the United Kingdom, Canada, France and Germany. This is the umpteenth study confirming what you probably already know: protecting your company's data is essential today. Names, email addresses, passwords, credit cards, etc.: all of this data can be stolen. Cybersecurity has become a central concern in the working world.

As a specialist in the management of Android devices within companies, TinyMDM protects the data circulating on mobiles through encryption.

Android device encryption adds an extra layer of protection to all stored data. The process scrambles the data into unreadable ciphertext that cannot be decrypted by anyone who does not hold the password or recovery key that unlocks it. Android supports two methods of device encryption:

Full-disk encryption (FDE): available as early as Android 5, but dropped as of Android 10. FDE uses the 128-bit AES encryption algorithm (256-bit on some devices), and its primary recovery key is kept in a Trusted Execution Environment (TEE, an isolated secure execution environment).

File-based encryption (FBE): available from Android 7, and mandatory and automatically applied from Android 10. FBE encrypts storage areas with unique, user-dependent keys, randomly generated for the 256-bit AES encryption algorithm. As in the FDE implementation, the keys are also protected by a TEE-like component.

Today, any Android device running a system version higher than 7 and carrying the GMS (Google Mobile Services) licence is always ready for encryption. Both of these requirements are also needed for compatibility with TinyMDM: as an official Android EMM partner, we seamlessly integrate Android Enterprise (formerly Android for Work, AFW) and, with it, Android's encryption mechanism. In other words, if the device was not encrypted from the start (i.e. before Android 10), encryption is applied automatically when the device is enrolled in Android Enterprise, that is, when it is enrolled in TinyMDM.

In addition to data encryption, an EMM solution helps companies on other levels of cybersecurity: protection against malware and unwanted applications, remote reset of a stolen device, password policy enforcement, and so on. All Android devices that a company manages via an EMM console such as TinyMDM automatically install a DPC (Device Policy Controller) application upon enrollment. A DPC is an agent that applies the management policies defined in the MDM console to the devices and ensures that each Android device complies with the policy defined by the administrator.

The work profile provides a secure and protected separation between work and personal applications on the same device. The policy is enforced via a DPC application installed in the work profile and controlled by TinyMDM. The separation of personal and business profile data is based on the multi-user logic of Android.


This means that even if the personal part of the Android device is not encrypted, the work part will be encrypted automatically when the work profile is created via TinyMDM. In addition, file-based encryption (FBE), available from Android 6 onwards and mandatory on devices running Android 10 or higher, further strengthens data separation by using different encryption keys for each profile.
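To make the DPC's role concrete, here is an added example (hypothetical code, not TinyMDM's agent) of how a DPC can query the platform for the encryption state described above, distinguish the FDE and FBE cases, and act on a non-compliant device. It assumes a DPC whose `DeviceAdminReceiver` component is passed in as `admin`; the class and enum names are invented for illustration.

```kotlin
import android.app.admin.DevicePolicyManager
import android.content.ComponentName
import android.content.Context

// Hypothetical DPC helper (not TinyMDM's code). `admin` is the DPC's
// DeviceAdminReceiver component, registered at enrollment of the device
// or of the work profile.
class EncryptionCompliance(context: Context, private val admin: ComponentName) {

    private val dpm =
        context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager

    enum class State {
        FBE_PER_USER_KEYS,     // file-based encryption: separate keys per user/profile
        FDE_ACTIVE,            // legacy full-disk encryption bound to the user credential
        ENCRYPTED_DEFAULT_KEY, // encrypted, but no screen-lock credential protects the key
        ENCRYPTING,            // FDE activation requested, reboot pending
        NOT_ENCRYPTED,
        UNSUPPORTED
    }

    // Maps the platform status code to the FDE/FBE vocabulary used above.
    fun state(): State = when (dpm.storageEncryptionStatus) {
        DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_PER_USER -> State.FBE_PER_USER_KEYS
        DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE -> State.FDE_ACTIVE
        DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY -> State.ENCRYPTED_DEFAULT_KEY
        DevicePolicyManager.ENCRYPTION_STATUS_ACTIVATING -> State.ENCRYPTING
        DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED -> State.UNSUPPORTED
        else -> State.NOT_ENCRYPTED // ENCRYPTION_STATUS_INACTIVE
    }

    // Returns true when the device already satisfies the encryption policy.
    // Otherwise it requests encryption where the platform allows it and
    // reports non-compliance, so the console can withhold corporate data
    // until the device becomes compliant.
    fun enforce(): Boolean = when (state()) {
        State.FBE_PER_USER_KEYS, State.FDE_ACTIVE -> true
        State.NOT_ENCRYPTED -> {
            // On pre-FBE devices this flags storage for encryption; the user
            // still has to set a credential and reboot before it takes effect.
            if (!dpm.getStorageEncryption(admin)) dpm.setStorageEncryption(admin, true)
            false
        }
        // Encrypted with a default key only: the key is not yet bound to a
        // screen lock, so the admin's password policy must be met first.
        State.ENCRYPTED_DEFAULT_KEY -> dpm.isActivePasswordSufficient
        State.ENCRYPTING, State.UNSUPPORTED -> false
    }
}
```

On an Android 10 or later device enrolled through a work profile, `state()` reports `FBE_PER_USER_KEYS`, which is exactly the per-profile key separation the paragraph above describes.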

  • Android encryption is based on the 256-bit AES algorithm
  • Starting with Android 10, the FBE encryption method is mandatory and automatically applied
  • All devices enrolled with TinyMDM (Android 7 and above, with the GMS licence) are always encrypted during the enrollment process
  • Using an EMM solution such as TinyMDM lets you ensure, via the DPC, that the devices comply with the policy set up by the company