A Security Configuration Assessment for Android Devices

The wide spreading of mobile devices, such as smartphones and tablets, and their always-advancing capabilities makes them an attractive target for attackers. This, together with the fact that users frequently store critical personal information in such devices and that many organizations currently allow employees to use their personal devices to access the enterprise information infrastructure and applications, makes the assessment of the security of mobile devices a key issue. This paper proposes an approach supported by a tool that allows assessing the security of Android devices based on the user-defined settings, which are known to be a key source of security vulnerabilities. The tool automatically extracts 41 settings from the mobile devices under testing, 14 of which defined and proposed in this work and the remaining adapted from the well-known CIS benchmarks. The paper discusses the settings that are analyzed, describes the overall architecture of the tool, and presents a preliminary evaluation that demonstrates the importance of this type of tools as a foundation towards the assessment of the security of mobile devices.