Monday, July 22, 2013

From the mail bag: Activating device administrator for an app

Device admin

Apps that can alter the default security policy can be powerful and handy, but you need to know why they are doing it before you say OK.

Carolyn writes,
I purchased the Unlock with WiFi app that Jerry recommended a few weeks ago. I haven't fully installed it to use yet because it asked to "activate device administrator". I wanted to be sure that was OK? What risks does it create to allow this type of access to my phone?
Thanks!
What an excellent question! Security on any smartphone is pretty darn important, and the simple fact is that most of the time when it gets compromised, it's because of something we did. I don't mean something crazy like installing cracked apps from a website you had to use Google Translate to read, though that's always a good way to compromise everything. I'm talking about changing device settings or just not using some functions because we don't fully understand them. The Device Administration API is a great example.
Originally baked into Android with version 2.2, the Device Admin API allows you to alter the remote or local security policy of your Android. We'll use my Unlock with Wifi app as a walkthrough of what that means.
The default security policy of your Android is that once you've set a secure (as in Pattern, Password or PIN) lock screen option on your device, you need to re-enter those credentials to change it. This keeps someone from grabbing your phone while it's not locked, and changing the setting so they can get in later. In simple terms -- to change from a PIN to the unsecured swipe to unlock, you need to enter the PIN first. 
The Unlock with Wifi app alters this, so that the lock screen option can be changed from a secure method to the swipe method when you've connected to a certain Wifi access point. This requires a change to the local security policy on your Android. Examples that change the remote security policy would be your IT department at work requiring you to have a password of a certain strength to unlock your phone, or allowing them to remotely wipe all the data if you report it as lost or stolen. Things like this are a big part of Exchange email systems.
But Carolyn wants to specifically know if it's OK to allow an app to alter the security policy by giving it device administration privileges. That's not quite so cut and dried. You should only allow this for an app if you understand why it needs to be enabled. We talked about Unlock with Wifi, but there are several popular applications that need to affect this policy for things like remote wipe. I use Cerberus on my phones, because if I ever lost one I would need all my data to be wiped away. My bootloader is unlocked, so to the right person with the right tools, my PIN lock means nothing. 
In short, if you install an app that asks to be set as a device administrator, you need to ask yourself why the app might need this, and if you trust the people who wrote it.
This is one of those times when it's good to ask questions. Ask the folks in the Android forums, ask your friends who may be big Android nerds, or do like Carolyn did and email someone who should know the answer. 
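For readers who want to check for themselves what a device administrator app is asking for, here is an added example (not part of the original post, and not code from any app mentioned here). It reads an app's device-admin policy declaration, assumed to be already decoded to plain text, and flags policies you would not expect for the app's stated purpose; the sample XML and the "expected" set are constructed for illustration and do not describe what Unlock with Wifi or Cerberus actually declare.

```python
import xml.etree.ElementTree as ET

# Policy tags an app can declare under <uses-policies> in its device-admin
# metadata XML, and what each one lets the app do once you tap "Activate".
POLICIES = {
    "limit-password": "set rules for lock screen password length and quality",
    "watch-login": "monitor screen unlock attempts",
    "reset-password": "change the lock screen password",
    "force-lock": "lock the screen and control when it locks",
    "wipe-data": "factory-reset the device, erasing all data",
    "expire-password": "set lock screen password expiration",
    "encrypted-storage": "require storage encryption",
    "disable-camera": "turn off the cameras",
    "disable-keyguard-features": "disable lock screen features",
}
# Policies that can lock you out or destroy data (a labelling choice made here).
HIGH_IMPACT = {"wipe-data", "reset-password"}

def review_admin_policies(xml_text, expected):
    """Return (requested, unexpected, high_impact) lists of policy tags."""
    root = ET.fromstring(xml_text)
    if root.tag != "device-admin":
        raise ValueError("not a device-admin metadata file")
    block = root.find("uses-policies")
    requested = [] if block is None else [child.tag for child in block]
    unexpected = [p for p in requested if p not in expected]
    high = [p for p in requested if p in HIGH_IMPACT]
    return requested, unexpected, high

# Constructed sample: a hypothetical lock screen toggling app that also
# declares wipe-data, which its stated purpose does not explain.
SAMPLE_XML = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <reset-password />
    <force-lock />
    <wipe-data />
  </uses-policies>
</device-admin>"""

if __name__ == "__main__":
    expected = {"reset-password", "force-lock"}  # assumption for this sample
    requested, unexpected, high = review_admin_policies(SAMPLE_XML, expected)
    for p in requested:
        note = POLICIES.get(p, "unknown policy, look it up before activating")
        flags = " [unexpected]" * (p in unexpected) + " [high impact]" * (p in high)
        print(f"{p}: {note}{flags}")
```

An unexpected policy is not proof of bad intent, but it is exactly the kind of thing to ask the developer or the forums about before activating.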
So to answer your question, Carolyn: yes, it's safe to allow Unlock with Wifi to act as a device administrator. It needs this option to enable and disable the secure lock screen on the fly, and the application has been around a long time and the developer is trustworthy. If you get an update for the app that changes permissions, ask again if you're unsure. We're one big happy Android family, and helping folks with their Androids is what we like best about this job.
