7

Is it "safe" to install Android Device Administration applications on my personal device? Can my company read my private data with that application?

My company recently adopted a policy to install an enterprise application on each employee's smartphone. The application should be installed from a 3rd party market that is operated by the company, and requires Device Administration privilege.

Even though the application does not require 'root' privilege, and the Device Administration API is not related to reading data inside the phone, I'm still not sure that my personal data is safe from my company.

FYI, the API includes changing the password, wiping data, disabling the camera, and so on. (link)

Jav_Rock
Yoonsuh Ki
  • I doubt that SO is the right place to discuss this. Personally I've banned my company's Lotus client since it too required administrative privileges. – Cdr. Powell Sep 05 '12 at 05:59
  • 1
    From what I understand, an administrator app can't read things like your Facebook password or access your personal email data unless it has other permissions too. But it can mess with your ability to use the phone how you want. And the ability to factory reset at any time is bad for your personal data... I assume this is your personal smartphone. Does the administration app allow your phone to have access to company systems it can't otherwise access? If it does, and you want that access on your phone, I suppose it's worth it. If not, I'd recommend you stop taking your phone to work. – Julian Higginson Sep 05 '12 at 06:01
  • This is probably a better question for Workplace SE, and I'd be slightly surprised if it hasn't already been asked there. I certainly would not allow this on my personal phone. – Kevin Krumwiede Oct 02 '21 at 21:06

1 Answer

0

As you have mentioned yourself, the Device Administration API does not relate to phone data per se. The permissions given with this permission are as follows:

USES_ENCRYPTED_STORAGE A type of policy that this device admin can use: require encryption of stored data.

USES_POLICY_DISABLE_CAMERA A type of policy that this device admin can use: disables use of all device cameras.

USES_POLICY_EXPIRE_PASSWORD A type of policy that this device admin can use: force the user to change their password after an administrator-defined time limit.

USES_POLICY_FORCE_LOCK A type of policy that this device admin can use: able to force the device to lock via lockNow() or limit the maximum lock timeout for the device via setMaximumTimeToLock(ComponentName, long).

USES_POLICY_LIMIT_PASSWORD A type of policy that this device admin can use: limit the passwords that the user can select, via setPasswordQuality(ComponentName, int) and setPasswordMinimumLength(ComponentName, int).

USES_POLICY_RESET_PASSWORD A type of policy that this device admin can use: able to reset the user's password via resetPassword(String, int).

USES_POLICY_WATCH_LOGIN A type of policy that this device admin can use: able to watch login attempts from the user, via ACTION_PASSWORD_FAILED, ACTION_PASSWORD_SUCCEEDED, and getCurrentFailedPasswordAttempts().

USES_POLICY_WIPE_DATA A type of policy that this device admin can use: able to factory reset the device, erasing all of the user's data, via wipeData(int).

The ones which would probably relate explicitly to "privacy" would probably be the ability to monitor how many failed password attempts have been made, when the correct password has been entered, and the minimum safe password. Other than that, it does not make it any more privacy worrying than any other app.

That being said, this in no way makes this app "safe" to install. Some permissions you should be checking would be all the READ_ permissions: http://developer.android.com/reference/android/Manifest.permission.html. These will give the app direct access to a lot of personal information, such as when calls are made, who they are made to, and what SMSs you receive and send. Also, READ_EXTERNAL_STORAGE is another big one. It allows apps to read ANY data on external storage, which may often contain personal data, i.e. downloaded images, screenshots etc., as well as even app data of poorly coded apps (of which there are MANY on the market which just leave credentials in clear text on your SD card).

The RECEIVE_ permissions likewise are able to intercept incoming messages/calls/mms etc.

USE_CREDENTIALS is obviously a privacy risk as well, as it can use tokens that you possess to request data from external API sources (i.e. your Gmail).

Also there are many permissions which don't even need permissions. For example, getPackageManager() allows apps to find out an entire list of the apps you've got downloaded. So they know that you have Angry Birds or any other naughty apps installed ;)

What I'm trying to say is, this permission itself isn't a massive red light on privacy. But the fact they are installing an App (unless open sourced and MD5 verified) there are many other ways to access "private" information already. Not installing an app will always provide more protection than installing one. Hope that helps.

Gary
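The check the answer recommends, as an added example that is not part of the original answer: a Python audit that groups an app's device-admin policies and manifest permissions into the categories listed above. It assumes the APK's AndroidManifest.xml and its device-admin policy XML have already been decoded to text; the function name `audit` and the sample package `com.example.corpagent` are made up for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# <uses-policies> child tag in the device-admin XML -> constant named in the answer
POLICY_TAGS = {
    "encrypted-storage": "USES_ENCRYPTED_STORAGE",
    "disable-camera": "USES_POLICY_DISABLE_CAMERA",
    "expire-password": "USES_POLICY_EXPIRE_PASSWORD",
    "force-lock": "USES_POLICY_FORCE_LOCK",
    "limit-password": "USES_POLICY_LIMIT_PASSWORD",
    "reset-password": "USES_POLICY_RESET_PASSWORD",
    "watch-login": "USES_POLICY_WATCH_LOGIN",
    "wipe-data": "USES_POLICY_WIPE_DATA",
}

def audit(manifest_xml, admin_xml):
    """Group what the app requests into the categories the answer lists."""
    report = {"admin_policies": [], "unknown_policy_tags": [], "read": [],
              "receive": [], "credentials": [], "other": []}
    for el in ET.fromstring(admin_xml).findall("./uses-policies/*"):
        known = el.tag in POLICY_TAGS
        report["admin_policies" if known else "unknown_policy_tags"].append(
            POLICY_TAGS.get(el.tag, el.tag))
    for el in ET.fromstring(manifest_xml).iter("uses-permission"):
        short = el.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
        group = ("read" if short.startswith("READ_") else
                 "receive" if short.startswith("RECEIVE_") else
                 "credentials" if short == "USE_CREDENTIALS" else "other")
        report[group].append(short)
    return report

# Constructed sample input, not taken from any real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.corpagent">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
</manifest>"""
SAMPLE_ADMIN = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies><force-lock/><watch-login/><wipe-data/></uses-policies>
</device-admin>"""

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, SAMPLE_ADMIN))
```

Policy tags the table does not know end up in `unknown_policy_tags` rather than being dropped, so anything outside the list in the answer still shows up for review.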