Android in the Enterprise New Security Enhancements: Google and BlackBerry Strengthen the Case


White Paper

Executive Summary

BlackBerry® and Google have worked together to enhance and simplify secure mobile productivity. The collaboration brings the leader in mobile security together with the world’s most popular mobility platform.

With enterprises rapidly embracing the Android™ platform to transform their workflows and processes through mobile innovation, Google has made a number of significant improvements in Android-specific security. These enhancements add to Google-provided security services, which are continuously updated to address both new and ongoing threats.

While security at the application and operating system level is critical, enterprises can go further by choosing the right mobility management platform. Building on Google’s security enhancements, BlackBerry Secure EMM Suites deliver the best Android security, productivity, and flexibility, to meet all enterprise use cases.1

The complementary solutions delivered by BlackBerry and Google accelerate change while ensuring compliance with corporate security guidelines. This paper describes how these developments work together to keep enterprise Android users productive and protected.

The Growing Complexity of Mobile Security

Getting a grip on mobile security in the enterprise is no small feat. Inevitably, just when CIOs, CSOs and IT administrators think they’ve got things under control, a new media report emerges to keep them up at night.

It’s often difficult to assess the true level of risk, and tougher still to determine how to mitigate it. There are now simply so many moving parts, so many competing requirements, so many new technologies, and so many emerging threats that staying on top of it all can be overwhelming.

Many of the key issues are interrelated, including:

1. BYOD

While corporate-owned devices are still popular in organizations of all kinds, 74% of organizations report that they’re currently adopting or planning to adopt BYOD to some extent. Many are struggling with how to manage these devices and the apps they contain, and liberal BYOD policies (where IT has insufficient control) are surprisingly widespread.

2. Device, OS and app proliferation

Tied to BYOD is the reality that IT is under pressure to say yes to more device types than ever before. By 2020, the number of unique devices owned by the average mobile worker will have increased to 4.3. More devices mean more operating system versions to contend with, which makes it harder to ensure that timely updates and security patches are in place. Harder still? Managing the increasing number of apps these devices are running, which analysts predict is set to explode this year.

3. Pressure to mobilize all processes

Businesses are under more pressure than ever to develop their own mobile apps, with many adopting “mobile first” and “mobile-only” business strategies in an effort to lower costs and increase agility. And organizations across the spectrum are adopting a wide range of new mobility initiatives, ranging from payments to collaboration to business analytics. Sales firms are driving efficiency by enabling reps to close and input deals on the spot. Banks are boosting customer satisfaction (and warding off competitors) with full-service mobile banking apps. Emergency response teams are using mobile collaboration apps across borders to resolve crises faster than ever before.

4. Multiple mobility management solutions

Today, most enterprises have several point solutions patched together to manage devices, apps, identity and authentication, VPNs and more. This complexity, often spanning multiple vendors, contracts and interfaces, creates cost inefficiencies and unique vulnerabilities.

Recognizing the challenges and opportunities that enterprises and IT organizations are facing, BlackBerry and Google worked together to enhance and simplify secure mobile productivity. Let’s start with a look at how Google has made Android safer through improved encryption, containerization, scanning and more.

What IT Needs to Know About the New Android

Google’s Android security model is, and always has been, multi-tiered, with application sandboxing, as well as security through Google Play™ services. The following recent updates add additional layers of protection:

• Requiring full-disk, block-level encryption for all capable Marshmallow and above devices
• Starting in Nougat, Android supports file-based encryption as well
• Providing device integrity using Verified Boot, which is required on Marshmallow and above capable devices, and will be in strict enforcing mode on Nougat devices
• Expanding the use of hardware-backed cryptography and removing older, export cipher suites
• Enforcing mandatory access control (MAC) over all processes using SELinux, which enhances security by confining privileged processes
• Implementing vulnerability exploit mitigation with ASLR (Address Space Layout Randomization) and FORTIFY_SOURCE, and additionally hardening the mediaserver and increasing ASLR randomness in Nougat
• Introducing seamless updates with Android Nougat, so that new Android devices built on Nougat can install system updates in the background, enabling these devices to automatically and seamlessly switch into the new updated system image
• Incorporating attestation services for application developers

Google’s Baseline Security: 400 Million Scans a Day

In addition to the recent enhancements made to Android, Google provides a number of security services as a baseline:

• “Verify Apps” is a service that checks all the applications that are installed on the device – even installations from unknown sources – to ensure users are protected against Potentially Harmful Applications (PHAs) prior to install. All previously installed apps are regularly re-checked. Verify Apps performs over 400 million security scans per day.
• “SafetyNet” is a service that validates that the device is operating as expected according to the Android security model, and detects and protects against network-level attacks. SafetyNet analyzes about 600 million network connections per day.
• The Safe Browsing API, used by Google Chrome™ on Android and available to other browsers, protects against browser-based exploitation and websites attempting to deliver PHAs.
• WebView updates are now provided via Google Play as needed to ensure users have the latest WebView security updates and other bug fixes.
• Google Play services provides a way to automatically update the device’s Security provider to protect against known exploits.
• Google Play scanning engines now employ machine learning and upwards of 10,000 CPUs.
• Google is now also delivering monthly security updates for Android to address vulnerabilities and ensure enterprise customers get timely Android OS patching.

Google works continuously to reduce the existence of Potentially Harmful Applications in the Android ecosystem by vetting applications offered via Google Play and expanding the set of security services for applications that run on the Android platform. All applications on Google Play are subjected to an in-depth security analysis before being made available to the public. This analysis includes static analysis, dynamic analysis, heuristic analysis, third-party review, and when needed, a manual review to identify and classify any potential threats. Applications are also re-reviewed on an ongoing basis.

A major portion of detected PHAs originate from Russia and China, where there is a large market for non-Google Play app stores. In 2015, Verify Apps reduced the number of PHA installations outside of Google Play by 80%. This is significant – according to Google’s own analysis (detailed in the Android Security 2015 Year in Review report), PHAs continued at low levels throughout 2015, and less than 0.15% of devices that downloaded only from the Google Play Store had PHAs installed.

Devices that were infected typically used side-loaded applications or applications from unknown sources, outside of Google Play. Only those applications thoroughly vetted and available on Google Play provide additional protection levels.

As a result of these enhancements in the Android OS and Google’s continuous, in-depth review process, its holistic security ecosystem now protects over 1.4 billion devices.

How BlackBerry Extends the Picture

With Google making powerful enhancements to the Android OS and working hard to eliminate harmful apps, why does it matter what mobility management platform you’re using?

The truth is, there’s a lot more to the secure mobile productivity story. More opportunities to capitalize on, and more challenges to address.

The combination of BlackBerry and Google brings the industry leader in mobile security together with the world’s most popular mobility platform. The collaboration delivers the most comprehensive Android security offering on the market, and the best possible approach to cross-platform EMM, providing enterprises with the following value-added benefits:

1. Multiple Android deployment options – all managed through a single pane of glass

BlackBerry supports multiple deployment modes for Android, including Android for Work, Samsung KNOX™ and Good for Work (and combinations of the three). Regardless of how you deploy, your administrators can manage Android devices from the same console, alongside all the other devices, enterprise apps and value-added solutions (such as WatchDox®) that drive your mobile productivity. BlackBerry’s solutions also integrate seamlessly with Google Play for Work, and any app in the Play catalogue is available for immediate deployment and business use. For end users, the experience is both seamless and familiar.

2. Trusted BlackBerry Secure Connectivity

With BlackBerry Secure Connect Plus (available whether you deploy on-premise or via the cloud), employees get secure connectivity to their corporate network no matter where they’re working. They have easy access to apps and data behind the firewall, and an enhanced experience for data and video streaming. On the administrative side, this eliminates the need for expensive mobile VPNs, and makes it a very attractive option for regulated industries. Administrators can also set compliance requirements for access granted to managed devices, including checking for security patch levels.

3. Secured access to corporate-developed and commercial applications

Now, secure Good Dynamics apps can live within Android for Work and Samsung KNOX work profiles. This gives customers the best of both worlds: access to the broad Google Play catalogue (as whitelisted by IT) plus Good Dynamics secured applications, all managed by IT.

What is the Good Dynamics Platform?

The Good Dynamics Platform uses next-gen containerization to protect all corporate data. With FIPS-validated crypto and years of usage in the most demanding environments, it enables organizations to:

• Protect corporate applications from leaking enterprise data outside of IT control, through policy-based app controls
• Secure enterprise data in use, at rest and in motion between backend servers and apps
• Maintain the security of documents and data shared between apps, via encrypted app-to-app tunneling technology
• Preserve end user privacy without the need for intrusive geo-location or whole device wipe techniques

4. Hardware that’s extra hard

BlackBerry has applied its world-renowned security model to BlackBerry PRIV®, its first-ever Android smartphone. With zero-day updates, regular security patching, and protective measures against tampering, PRIV is one of the most secure Android devices on the market today. Bolstering the app scanning and verifying technology Google delivers, BlackBerry PRIV includes DTEK™, a tool that monitors the information that apps are using and how they’re using it. This data is analyzed alongside other security measures, such as password strength and encryption, to assign a security score – and provide feedback to users on how they can better protect themselves.

5. A comprehensive suite of security solutions

WatchDox, BBM™ Protected, AtHoc™, and SecuSuite® form a comprehensive portfolio of enterprise software addressing secure messaging; crisis communications; secure voice, texting and video calls; and secure enterprise file sync and share (EFSS). These applications are available within select Secure EMM Suites, which address the needs of organizations at every level of mobile maturity.

6. Support that’s multi-OS, across all ownership models

BlackBerry’s solutions portfolio is platform-neutral, and allows organizations to deploy and manage devices across all ownership models, including bring your own device (BYOD); corporate-owned, personal enabled (COPE); corporate-owned, business only (COBO); or a combination of the three.

7. Flexible enough for any use case

No matter your requirements, the BlackBerry enterprise software portfolio can address your organization’s needs. This is true even of organizations subject to stringent regulatory requirements, or those that work frequently with contractors and business partners. Support for the following is guaranteed:

• All Android devices, including wearables
• All user classes
• Differing app, security, and usage requirements
• Device-agnostic Identity & Access Management (IAM)

8. No licensing hassles

Leveraging the benefits of the Google-BlackBerry partnership is as easy as choosing a Secure EMM Suite. There’s one suited to every organization, no matter your size or industry, or how far along you are on the path to mobile maturity.

Security-conscious organizations, including those in regulated industries, such as healthcare, finance and government, have long trusted BlackBerry to safeguard their data and protect their mobile communications. Now, as Android-based devices become increasingly attractive for productivity, enterprise IT administrators can rest assured that Google is continuously enhancing security measures to address threats of all kinds. And the great news is that IT can use trusted BlackBerry mobility management and collaboration solutions to further enhance the security of their Android deployments.


That means you can focus on what’s truly important – unlocking the potential of mobility, and using it to transform your organization.

To find the Secure EMM Suite that’s right for your organization and start your free trial now, go to BlackBerry.com/suites

The suites can provide you with all of the following mobility essentials:

• Mobile Application Management (MAM): Mobilize your critical business apps, workflows and business processes, including business-class productivity and collaboration apps, as well as third-party and custom-built apps.
• Mobile Content Management (MCM): Access your business files from SharePoint, OneDrive, Box and more, with native document-editing capabilities.
• Identity & Access Management (IAM): Protect against intruders with advanced authentication technologies that simplify access to services, including mobile, internal and cloud applications, without hassle for users.
• Mobile Security & Containerization: Segregate business apps and data into containers, walling them off from personal apps and data, and keeping them under complete corporate control.

Secure and effective teamwork and productivity tools from BlackBerry help you get even greater security value from your investment. Here are just a few to consider.

• WatchDox by BlackBerry is the leading secure enterprise file sync and share (EFSS) solution, enabling users to share, edit and control their files on every device. WatchDox embeds digital rights management (DRM) protection in your files so your content stays secure everywhere it goes, even after files are downloaded and shared with third parties.

The BlackBerry Secure EMM Suites offer the security credentials, accreditations, and technologies that will allow you to mobilize your business tools – from your Microsoft applications to your custom-built apps. All this with consistent security on mobile devices and other endpoints, across different operating systems and ownership models.

About BlackBerry

BlackBerry is securing a connected world, delivering innovative solutions across the entire mobile ecosystem and beyond. We secure the world’s most sensitive data across all end points – from cars to smartphones – making the mobile-first enterprise vision a reality.

Founded in 1984 and based in Waterloo, Ontario, BlackBerry operates offices in North America, Europe, Middle East and Africa, Asia Pacific and Latin America. The Company trades under the ticker symbols “BB” on the Toronto Stock Exchange and “BBRY” on the NASDAQ. For more information, visit www.BlackBerry.com.

1 Forrester ranks BlackBerry among the highest in the following criteria: Containerization, Data Management & Security, Secure Productivity Apps, Network Security, App Security (Forrester Wave EMM 2015)

© 2015 Google Inc. All rights reserved. Google and the Google Logo are registered trademarks of Google Inc. Android and Google Play are trademarks of Google Inc.

• SecuSUITE encrypts voice calls and text messages, enabling iOS, Android and BlackBerry 10 users to protect their communications against intruders and eavesdroppers, across phone networks and around the world.

• BBM Protected adds an extra layer of encryption to instant messaging and video calling, protecting BBM communications in transit and at rest.


WatchDox was recognized by in the 2015 report “Critical Capabilities for Enterprise File Synchronization and Sharing”. WatchDox received the highest product score for High Security and second highest score for the Extranet and Mobile Workforce use cases.

©2016 BlackBerry®. All rights reserved. BlackBerry®, BBM™ and related trademarks, names and logos are the property of BlackBerry® Limited (“BlackBerry®”) and are registered and/or used in the U.S. and countries around the world. All other trademarks are property of their respective owners. Content: 12/15 | Rev. 22JAN2016

Global Headquarters: +1 408 212 7500 (main), +1 866 7 BE GOOD (sales)

EMEA Headquarters: +44 (0) 20 7845 5300

Asia / Pacific Headquarters: +1 300 BE GOOD
