As sent to Android Security... I would very much appreciate the comments from people here.
Background

In addition to Phones and Tablets, a new set of mini-PC Android devices has come to market. They are the size of USB sticks and have an HDMI port to connect to your TV. They are normally loaded with Android 4.0 or 4.1 Tablet edition. Great idea. We want to use them in meeting rooms with a wireless keyboard/mouse to allow user access to Gmail and Drive.

Problem

Unlike phones and tablets and devices with touchscreens, these sticks do NOT force a lock screen EVEN if the Google Device Policy App is installed and activated. When activating the Policy App, the device asks for a PIN or Password and the device syncs with Google and checks that the PIN or Password entered meets the Apps administrator's required security level. However, after the Account is added and data is synced, the device never goes to lock screen. And there is no way to force it to go to lock screen. Even after a restart. So Google and Apps administrators think the device is secure but it isn't. If the device is lost then the data is entirely open to be read and to be deleted.

Urgency

If the solution to this was simply not to use this type of device then I could accept the flaw rests solely with the hardware manufacturers. However, there is nothing a company can do to stop an employee from buying a Stick in good faith and complying with the device policy and then losing the device only to have their entire dataset deleted. The server is saying that the policy is in force. The company is at risk at any time and no one knows who has secure access. We have gone 100% Google Apps and allowed users to buy phones and tablets because we trust that the Device Policy protects us from data theft. If someone with high level access lost their stick and their Drive was deleted, it would be a total disaster for most of us and all similar Google Cloud businesses.

Conclusion

In short - there can be no situation ever where a Device Policy can be circumvented. If the Policy which has been activated and validated requires a PIN or Password, then the device must enforce this. I think the issue is to do with these devices being non-touchscreen. There is nothing to 'swipe to unlock'. Android should not be able to be installed on devices without the ability to enforce lock screen policies.

Two devices I have tested are Minix Neo G4 and Rikomagic MK802IIIs. Neither of the manufacturers is able to help with this and the retailers suggest putting this on forums.
