
Remote Lock is a Useful Feature - in the Right Hands

 Android Device Administration

mobilesecurity.com [Culver City, CA] So, the Android Device Administration API became available in Android 2.2 and above, ostensibly to support enterprise applications.  As its name suggests, this cheeky little API (Application Programming Interface) provides device administration at the system level. You can’t fault those Android dev guys for the descriptive way they name features! For further clarification, the API allows developers to create apps that can be used by enterprise administrators or IT staff to exercise control and enforce policies across employees’ devices. This isn’t a brand new development – but it’s sometimes interesting to take a look at the features and functions that are available to Android developers that aren’t obvious without a little digging around.

The intention behind the Device Administration API is for it to be used to write device administration applications which enforce specific policies on the device on which they’re installed. With me so far? The policies could either be hard-coded within the app or retrieved on the fly from a third-party server.

The application can be installed on the device either from Google Play, from another app market, or it can be distributed via email or delivered through a website.

After launch, the system will prompt the user to enable the device admin application, although that depends on how it is implemented. Another option is to select ‘activate’ instead of ‘enable’, which gives the app permission to use device admin.

Once the device admin app is enabled, the user is subject to its policies - but if the user chooses not to enable this feature, it remains in an inactive state. As long as the feature is inactive, the device will not be subject to its policies, and the user will not be able to use the application’s features.

To uninstall an existing device admin application, users first need to go into the device admin settings and unregister the application. This option can also be password protected, in which case an email account and password are used to unregister device admin capabilities.

Device Administration can be found by going to Device Settings and looking under ‘Location and Security’, which is an area of the Device Settings that most Android users are familiar with. At least if they’ve ever set up screen lock or changed their location settings when travelling overseas, they’ll have tweaked a few settings there.

There are plenty of appropriate uses for this feature – we’ve listed a few below – and it’s certainly a very useful tool for concerned parents, IT managers and paranoid Android users who think they’re being followed. 

For example, the built-in Android Email app uses this API to make support for Exchange servers more effective. Exchange sysadmins can invoke password policies through the Email application — so they might set a password policy that requires a user password to include a minimum number of characters, or to have a specific level of complexity. It also allows administrators to remotely wipe (or restore factory settings on) lost or stolen handsets.

Another perfectly reasonable use for this API is within a security application. It can provide more permissions to improve the phone’s security. If a security app is selected as a device admin, it will prevent any accidental removal or uninstall. If a user then tries to uninstall the app without the appropriate permissions, they'll get an error saying "Uninstall not successful." 

An app developer can also use this to lock a device’s screen, so that if the app is enabled by the user, it can then control how and when the screen locks.  

Last up in this admittedly non-exhaustive list of examples is an app that wipes the device’s data. When the app is enabled by the user, the device’s data can be erased without warning, either by factory reset or by wiping specific items such as contacts, SD card or browser history.

Why is this even the remotest bit interesting? The point here is that this is a genuinely useful feature that’s available to app developers and Android users. It has numerous relevant applications in the real world. It’s being used by countless app developers to improve the effectiveness of their products and improve the security of their users. 

It also raises a point that we’re forever harping on about here on mobilesecurity.com. Any app might include this Device Administration API. In most cases it will be a security app, whether it’s offering anti-theft features, remote locking and wiping, password protection or other great features. But equally it could be a screensaver, a puzzle game or a calendar app – where the developer added this permission requirement and posted the app to an app store near you in the hope that naive Android users would install it, breeze past the permissions screen, and open their device up to remote access, locking and wiping... 
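One way to check whether an app asks for device admin rights, and which policies it wants, shown as an added example that is not code from the original article. It assumes the APK's manifest and its device-admin policy file have already been decoded to plain XML (for instance with apktool); the package name, receiver name and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Policies that let an admin app lock or erase the device (tag names from
# the Device Administration policy XML).
HIGH_IMPACT = {"force-lock", "wipe-data", "reset-password"}

# Constructed sample: decoded manifest of a hypothetical puzzle game.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzle">
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: the res/xml/device_admin.xml the receiver points at.
SAMPLE_POLICIES = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies><limit-password/><force-lock/><wipe-data/></uses-policies>
</device-admin>"""


def admin_receivers(manifest_xml):
    """Return names of receivers that can be activated as device admins."""
    found = []
    for rcv in ET.fromstring(manifest_xml).iter("receiver"):
        bound = rcv.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        actions = {a.get(ANDROID + "name") for a in rcv.iter("action")}
        if bound and "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            found.append(rcv.get(ANDROID + "name"))
    return found


def requested_policies(policy_xml):
    """Return (all policies, high-impact subset) declared by the admin app."""
    node = ET.fromstring(policy_xml).find("uses-policies")
    declared = [child.tag for child in node] if node is not None else []
    return declared, sorted(HIGH_IMPACT.intersection(declared))


if __name__ == "__main__":
    print("device admin receivers:", admin_receivers(SAMPLE_MANIFEST))
    print("policies (all, high impact):", requested_policies(SAMPLE_POLICIES))
```

A screensaver or game that turns up a receiver here, together with `force-lock` or `wipe-data` in its policy file, is exactly the mismatch the paragraph above describes.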

In fact, it’s a great feature that provides users with a sense of security: it can protect sensitive data if a device is lost or misplaced, and it can password protect, lock a screen or wipe data on the device. Just please make sure you check the permissions you’re accepting when you install your next Android app, because when we rely so heavily on our smartphones, it’s no fun when we lose our data.

Additional Resources

- Android developer guide for Device Administration

- Device Policy Administration for Google Apps Administrators

- Sample Code for Device Administrator application
