Best Practices for Email Security on Android

The coronavirus pandemic has caused, among many other things, a massive uptick in the number of companies shifting to a work-from-home model. And with that shift has come a renewed focus on email security, since workers are now conducting their conversations on whatever device they have to hand rather than their (hopefully) encrypted and secure work computers.

This shift also comes on the heels of several high-profile data breaches and ongoing scandals surrounding how companies handle their customer data. Ranging from the 5+ million records stolen from Marriott in March; to smaller, more targeted breaches of healthcare facilities around the world already struggling to contain the pandemic.

When you combine these factors with the spike in COVID-19 related malware and phishing scams, you can see why cybersecurity should be a top priority. And one of the first steps any company should take is to ensure their employees are able to send and receive secure emails from their mobile devices.

Device-Based Security

Adding to the confusion is the fact that there are so many variants of mobile device on the market, it’s hard to know what any given employee may be using. Then add the fact that there are myriad purported security solutions on the market that claim to lock down these devices.

And to top it all off, there’s the fact that many of these so-called solutions use proprietary

underlying encryption, meaning there’s no way to independently verify that there are no backdoors.

A true end-to-end email encryption solution should be able to be installed on the most common devices available, should work frictionlessly to ensure compliance, and should use some form of compatible encryption to capture the widest swath of messages possible. What follows is our list of the top five best practices for securing email communication on any device powered by the Android operating system. The first two are of a general nature, while the remaining 3 will be more specifically tied to your choice of email encryption solution.

1) Use True End-to-End Email Encryption

Jumping straight to the point of today’s article—there is simply no way to guarantee a truly secure email unless it’s encrypted on the device. And the only way to do that is with a true end-to-end encryption solution that uses open-source algorithms to encrypt and decrypt your messages at each endpoint. This way, the contents of your communications are secure for their entire journey from device to device, with no way for any third-parties to read them en route, including any “trusted third parties” who might have access to encryption backdoors.

Several features to watch for will appear later in our list, so for this entry, we’re going to stick with the basics. An end-to-end email encryption solution needs to do one thing—secure your email communications to as many partners as possible. Toward that goal, look for one that is compatible with as many common email encryption tools and protocols as possible, including OpenPGP, S/MIME, etc.

Right now, p≡p for email offers this compatibility with OpenPGP, S/MIME, and others without sacrificing its seamless UI. This combination ensures that your users will actually use p≡p to encrypt their messages while also powering cross-compatibility with conversation partners using any one of the huge number of OpenPGP-based or similar solutions out there.

2) Secure the Device Itself

Before installing any sort of encryption solution, it’s crucial that the Android device itself has security measures in place. Without this step, the email encryption can be rendered useless should the device be hacked or lost.

There have been a number of issues recently around the security of the Android operating system, with malware-infested games and apps being removed from the Google Play store regularly. A heightened state of awareness is recommended when securing these devices, to ensure every possible step is taken. This is also why we recommend taking these precautions before proceeding with the installation of an email encryption tool like p≡p.

  • Use a VPN. Virtual private networks, or VPNs, are perhaps the most common, and yet frequently misunderstood, option. Current versions of Android OS have a good VPN solution pre-installed, enabling this option as a first step. The misunderstandings come into play with users thinking that enabling a VPN automatically secures their data. This is not the case; rather, a VPN simply provides a secure connection to another network, for example, your corporate network back at the office.
  • Block ads and trackers. An increasingly common attack vector for mobile internet users is what’s called “malvertising.” These attacks are basically malicious programs disguised as ads on popular websites. Some VPN solutions have built-in ad blocking, but if not, there are good options available as browser plug-ins.
  • Enable operating system-level security. These options will vary by the specific version of Android in use, but most will have at least some of these features available:
    • Disable apps from installing via outside sources
    • Protect your devices with strong password security
    • Set the phone to lock immediately when not in use
    • Disable cloud backups and storage
    • Disable location tracking

3) Use Peer-to-Peer Encryption Management

Now, one of the places that a lot of encryption deployments get into trouble is when it comes to storing keys on a third-party server. Simply put, this seriously increases your risk of something going wrong. Why? Because it introduces the possibility that something will go wrong on those servers and your security will suddenly be out of your control—or that something will go right on those servers, e.g. someone will purposely use a backdoor to access your information.

A solution that uses decentralized key management, on the other hand, keeps your users’ private keys locked away and secure from prying eyes. p≡p keeps keys out of sight of even the users themselves, after all, a person can’t accidentally expose something they don’t have access to in the first place.

p≡p is peer-to-peer, meaning that the encryption takes place on the sending device, while decryption takes place on the receiving device. At no point is any message going through a centralized server, so even when it traverses your corporate email server, it’s fully encrypted, including metadata and attachments. This extends to identity management as well. To p≡p, a “user” is a person, not an email address.

4) Ensure Compliance with a Frictionless User Experience

Now that the Android device is secure and there’s an email encryption solution in place to ensure messages get where they’re intended without any unauthorized prying eyes seeing their contents—how do you ensure compliance on the part of your users? By giving them as frictionless a user experience as possible.

Encryption is only effective when it’s used. And when key management and identity management require high-level IT training, many users will simply opt-out. And that leaves their emails, and by extension your systems, open to attack.

Not only does p≡p use the decentralized key management discussed above, it also handles identity management and comes with an interface consisting of color-coded indicator lights on each message in the person’s inbox (using their choice of a client):

The “traffic light” system is user-friendly and intuitive

  • No color — Unsecure: the message is either not encrypted or the encryption is sub-standard
  • Yellow — Secure: the message is properly encrypted
  • Green — Secure & Trusted: the message is properly encrypted and from a trusted party
  • Red — Mistrusted: the message is flagged as fake for a number of reasons

5) Universal Access Across Devices

Now that you have your users set up with secure email communication from their Android devices, what are you going to do about the iPad they use on the couch in the evening? Or their personal laptop? What about their personal phone? Once people leave the office (or turn off their work laptops from home), you don’t have to lose control over the security of their email communications.

User training will be critical, of course. After all, if they don’t tell you about a device, there’s not much you can do about securing it, right? But once you know about all of the hardware each person might be using to check their work email, you don’t have to be concerned. p≡p uses “p≡p sync” to verify that encryption is enabled and working, cross-platform.

p≡p sync establishes trust between devices in a “device group” the same way as with a new communication partner, via TOFU (trust on first use). In this handshake process, Trustwords are used to verify that it is indeed the same user signing on to a new device. Once these Trustwords are verified on a device already part of the group, the user can be assured their identities and keys are syncing and all emails will be secure, no matter which device they’re using.

Contact Us for More Insights

Contact Us