How to convince your organization to embrace the droid.
Since its inception, Android has had a reputation in some circles as a cowboy platform; call it the Wild Wild West of the mobile space. It was customizable, diverse, fragmented, hackable, new and novel. A lot of consumers loved these characteristics. Most enterprises did not.
To be fair, neither Google nor Apple cared much for the enterprise in the beginning. Android actually went a long way in protecting the user, as a consumer, from some of the controls that an IT department might want to impose on an enterprise platform. This tune started to change, though, as far back as Android 2.2 with the introduction of the Device Administrator APIs, and Google’s focus has continued to shift in recent revisions to better security, extended device admin APIs and cloud-based mobile device management features.
Coinciding with this renewed focus, Android saw a sharp jump in enterprise market share in 2012 and 2013. According to Good Technology’s Mobility Index Report, the platform hit a high of about 30% of overall market share in 2013 (iOS dominates most of the remainder), but has since leveled off. Regardless, Android continues to see net increases quarter over quarter in total number of activations.
As a mobile consultancy, we at BlueFletch have been fortunate to witness Android’s enterprise gains firsthand and to participate in that rise at various stages. We have experienced unexpected successes and grating pain points in our projects, but overall have found Android to be a more than capable platform for the enterprise and one that fits into many firms’ offerings much more easily than most would expect.
What follows is an attempt to summarize why we believe Android is ready for the enterprise and ways that you can sell the platform to those in your organization by addressing their concerns and impressing with Android’s feature set and flexibility. This is a broad topic and no two IT departments are exactly the same (despite what those in the trenches may think!), so consider these as talking points when you begin the discussion in earnest.
Let’s start with the easy one. Unless your business owners have been on a different planet for the last five years, they have most definitely been witness to the rise of the smartphone, the tablet and mobile in general.
In my opinion, the most interesting statistic from the aforementioned Good Technology Mobility Index Report isn’t the gain in Android market share, but the immense untapped potential that exists in certain industries. Take a look at the following breakdown of activations by industry:
The predominant deployment type here appears to be BYOD at financial and business services firms. Penetration into retail, healthcare and the public sector, areas with great potential beyond the standard BYOD arrangement, is negligible. Your business owners have the opportunity to be at the forefront of using Android in novel and innovative ways.
At the very least, know your deployment types and Android’s strengths in each when speaking to your organization.
Android as a BYOD Platform
BYOD is by far the most common and straightforward use of Android in the enterprise. Most of your options here are defined by your organization’s mobile device management platform. At a high level, and with respect to the concerns of business owners, Android can do the following for your BYOD users:
- Support a custom enterprise “Application Store”.
- Deploy in-house, internally facing applications.
- Support VPN connections to your corporate network.
- Support corporate e-mail.
- Deploy corporate Wi-Fi configurations.
Android as a Rugged or Embedded Device Platform
This is where Android really shines in comparison to iOS and Microsoft and is probably the most untapped and interesting use of the platform in the enterprise. The open and flexible nature of the operating system and its potential for customization make it a prime candidate for the unique and non-standard requirements of embedded systems. Microsoft also has an embedded solution in the form of Windows 8 Embedded Handheld, but you’re constrained on the software side by what Microsoft chooses to offer in each release. With Android, for example, you have the option of working with one of many device manufacturers on OS customizations and new APIs.
Windows Phone Embedded?
|Custom Hardware Form Factor (example: ruggedized)||
Limited, 3rd party cases
|Hardware Extensions (example: barcode scanner)||
Limited, 3rd party extensions
|OS Restricted API Access||
Android as the next platform for your consumer-facing apps
This should be an easy sell. Android is all the rage in the consumer world, and even the most cautious business owners have surely considered a port of their product. If you need some ammunition, here are over a billion reasons to create an Android version of your consumer app.
The Security Gurus
Much of the concern with Android in the enterprise is in the security arena, and rightfully so. There was this little hiccup with key signing in 2013 that exposed 99% of Android devices to a serious vulnerability.
And then there is the barrage of recent reports on the rise of Android malware, though less than 1% of all devices in the wild are actually infected.
I’m not trying to scare you – all platforms have had security issues, with even Apple recently caught off-guard by an SSL vulnerability that’s been present in both iOS and MacOS for several years. The important thing here is to understand both the risks and strengths associated with Android security. Your security team will be the hardest sell and they will surely bring these topics to the table.
OS Security Improvements
The good news is that Google has been actively improving security with each OS revision, with notable improvements in each of the 4.x releases. Security at the kernel, OS, and application layers has been tightened up in these versions, and is generally trusted by the security community. If you have some control over what version of the OS runs on your devices, regardless of deployment type, definitely aim for the latest version possible and, at the very least, 4.0.
Here are the top security improvements in each of the Android 4.x releases. Use this list as a confidence-booster with your security team.
Android 4.0 Ice Cream Sandwich
- Keychain API for secure storage of app- and user-credentials.
- Address Space Layout Randomization (ASLR) for added memory security.
- Built-in VPN client and VPN Client API.
Android 4.1 Jelly Bean
- App encryption to ensure secure transmission of apps from the Play Store.
Android 4.2 Jelly Bean
- Application Verification to combat malware.
- Always-On VPN Configuration to prevent apps from using unsecure networks.
- Secure USB Debugging to prevent access from unauthorized computers.
Android 4.3 Jelly Bean
- Restricted User Profiles for kiosk and multi-user devices.
- Enhancements to Keychain API and introduction of Android Keystore Provider for hardware encryption/decryption.
- Introduction of SELinux to augment Android’s existing UID-based application sandbox.
Android 4.4 Kit Kat
- Support for additional cryptographic algorithms – ECDSA and Scrypt Key Derivation.
- VPN profiles per user in multi-user environments.
Release notes and additional details here:
Device Management and Policy Enforcement
Android has good MDM support from most of the major vendors and, since Android 2.2, allows for remote configuration of password, device encryption, camera and other policies. From there, though, feature sets vary greatly both between vendors and between device types and OS versions. This fragmentation can be seen as a pro or a con based on your deployment type – many manufacturers provide extended APIs to MDM vendors that enrich their offerings beyond what you get with vanilla Android.
- If you already have an MDM platform in place at your organization, be sure to look carefully at the feature set it offers in Android with your security group.
- If you have some control over the device model and OS version in your deployment, take a close look at the features specific to the device manufacturer. For example, Samsung has an incredibly rich offering with its KNOX product, with plans recently announced at MWC to extend it.
- If you’re looking at a BYOD deployment, consider labeling your systems, resources, and sensitive data by trust level and assigning trust (and policy) based on device type. This white paper from IBM provides a great model.
- Review our BYOD MDM breakdown here.
Application signing is just as important in the enterprise as it is in the consumer world. Here’s why your security group cares about it:
- Your organization’s signature, produced with your private key, establishes trust with the OS during application updates. If that key falls into the wrong hands, someone could replace your app with their own.
- Applications signed with the same key share a common trust and can open up communication channels that are closed to other apps on the device.
- Your signature is an easy way to identify whether a given piece of software out in the wild was built by you or is a phony.
The last thing your security team wants is the private key floating around on a developer’s workstation. You’ve got some options, though. Symantec and Thales both provide secure application signing solutions that protect your private key and integrate with your organization’s build system. These can be expensive, though, and often require additional infrastructure.
As an alternative, assuming your organization has a formal build system, consider managing your signing key in a protected location on the build server and only referencing it during release builds.
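One way to set this up with Gradle, shown as an added example (it is not BlueFletch's own build script): the release signing config reads the keystore location and passwords from a properties file that exists only on the build server. The environment variable `RELEASE_SIGNING_PROPS` and the property names are assumptions made for this example.

```groovy
// build.gradle (app module) -- added example, not the author's build script.
// Assumption: the build server exports RELEASE_SIGNING_PROPS (hypothetical
// name) with the absolute path of a properties file kept outside the source
// tree and readable only by the build account. The property names below
// (storeFile, storePassword, keyAlias, keyPassword) are chosen for this example.
def signingPropsPath = System.getenv('RELEASE_SIGNING_PROPS')
def signingProps = new Properties()
if (signingPropsPath && file(signingPropsPath).exists()) {
    file(signingPropsPath).withInputStream { signingProps.load(it) }
}

android {
    signingConfigs {
        release {
            // Populated only where the properties file exists, i.e. on the
            // build server; developer workstations never hold the key.
            if (!signingProps.isEmpty()) {
                storeFile file(signingProps['storeFile'])
                storePassword signingProps['storePassword']
                keyAlias signingProps['keyAlias']
                keyPassword signingProps['keyPassword']
            }
        }
    }
    buildTypes {
        release {
            signingConfig signingConfigs.release
        }
    }
}

// Fail fast instead of producing an unsigned release artifact when a
// release build is attempted without access to the signing material.
gradle.taskGraph.whenReady { graph ->
    def releaseRequested = graph.allTasks.any {
        it.name.startsWith('assemble') && it.name.endsWith('Release')
    }
    if (releaseRequested && signingProps.isEmpty()) {
        throw new GradleException('Release signing properties not available; ' +
                'release builds must run on the build server.')
    }
}
```

Debug builds are unaffected, so developers can still build and test locally with the default debug key.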
This is another easy sell if you’re a Java shop, as most of the build systems, Continuous Integration products and code analysis platforms that are popular in the J2EE world also play nicely with Android. If you’re not a Java shop, consider these anyway; they’re all open source and easy to set up.
Ant, Maven and Gradle are all supported in the Android world. If any of those ring a bell, you’re in good shape. We’re particularly partial to Gradle, as it is currently the focus of the Android tooling team and has a substantial amount of momentum behind it in the community.
On the CI front, Android integrates well with Hudson, Jenkins, and Travis CI, so that’s another easy win if you’re already using one of those platforms. Adopting a completely new technology stack and immediately integrating it into your existing processes will impress both your colleagues in IT and your business owners.
Staffing: do I need new staff?
Maybe, but you definitely don’t need a completely new team of Android engineers. Use the strengths of your current staff to drive your development approach. Having a good mobile architect is important, as is someone with an eye for mobile design, but the transition to Android is usually straightforward for those with web or enterprise development backgrounds. My colleague, Blake Byrnes, put together a great breakdown of several popular mobile development frameworks. Use this in conjunction with your staff’s strengths and long-term product goals to pick the right development strategy.
|If your staff does:||Consider:|
|Java||Native Android, Hybrid HTML5|
The Android Community
Android’s presence in the developer community is huge. If technical managers on your project team are still worried about supporting the platform, point them to the immense resources available at Google’s Android Developer portal or Stack Overflow’s Android page. In fact (acknowledging that this is a very crude metric), Android currently leads the other big mobile platforms in terms of total volume on Stack Overflow.
The other great benefit of a large community is the presence of life-saving open source libraries. Check out Square’s portfolio, for starters. On top of that, many of the popular Java open source libraries (think web service clients, unit test and mocking frameworks, etc.) either work on Android or have Android-specific versions.
Take These With You
- Don’t get left behind. Android is big, getting bigger and still in its infancy as an enterprise platform. Your customers are familiar with it, your associates will enjoy using it, and your IT staff will appreciate the chance to learn it. Applications of the technology in the retail, healthcare and manufacturing industries are largely non-existent, yet hold immense potential for innovation and efficiency gains.
- The platform is mature. It’s only natural for folks in your organization to be nervous about a platform change, particularly those in risk-wary departments like Security. But Android has matured in a number of ways over the past two years. Google is serious about security, has continued to improve and introduce new tooling and has extended the platform in enterprise-friendly ways.
- Don’t buy the same thing twice. You likely already have the infrastructure and personnel in place to support large enterprise Android projects, particularly if you’re a Java shop. Tailor your overall approach to your team’s and organization’s strengths.
Not Without Caveats
If Android still doesn’t seem like a good fit for your organization, you should by no means force it. The key here is to analyze the individual pieces of your organization and to determine how, and if, they can play nicely with the platform’s strengths and weaknesses. The variations of mobile in the enterprise world are broad; there are certainly lots of cases where Android is not the right choice.
Security is also still a concern, particularly in BYOD environments where there isn’t a whole lot of control over device type or Android version. The Android 4.x revisions have brought a wave of security improvements and new enterprise features to the platform. If you can guarantee that your users will use devices with the latest versions of the Android OS (or even better, devices from manufacturers with lots of security extensions, like Samsung with KNOX), you’re in good shape. If you need to support a smorgasbord of device types, though, your options are more limited in the device management arena.
I Need More!
At BlueFletch, we’ve successfully implemented solutions for many of the topics discussed here. Over the next several months, look out for a series of follow-up posts with further detail on tooling, automated build strategies, key-signing implementations and more.
By Matt Mehalso