Why Android Lollipop Screen Pinning Fails for Enterprises and Schools
Sep 25, 2015 | 42Gears Team
Mobile devices with operating systems like Android and iOS have evolved from personal communication devices to essential business tools. The operating systems are constantly evolving and adapting to demanding environments in businesses and educational institutions to provide optimized functionalities and enhanced security.
To cater to the persistent need to secure an iOS device against misuse, Apple launched the Guided Access feature in iOS, which locks a device to a single application. Google soon realized its importance and came up with its own Screen Pinning feature in Android Lollipop, which allows users to fix a specific application in view on the screen.
Businesses and educational institutes need a secure and robust mechanism to reduce the device to Single Application Mode. Once the device is in the hands of students or end users, no other app or device setting should be accessible. However, Android’s Screen Pinning feature fails to deliver on a number of counts when used in an enterprise scenario.
Here are a few of them:
1. Proactive Toast Message to Disable Screen Pinning: When a user taps the Home or Recent key on a pinned application screen, a toast message appears informing the user how to exit screen pinning. If you are locking your device so that users cannot switch to other applications, it’s not a good idea to show them how to hack their way out of it.
2. Lock Screen after Reboot: Rebooting the device when App Pinning is password protected takes you to the Android lock screen. The passcode has to be entered before the pinned application can be used. In practice, this means that every time the device reboots, an authorized administrator needs to run to the device to unlock it and make it ready for the end user. Schools giving locked devices to students and businesses setting up unattended kiosks cannot imagine doing this.
3. Access to other applications through pinned app: Android’s screen pinning feature offers to lock the device to a single application. But if there are ways of launching other applications from within the allowed application, Android doesn’t block them. For example, if the Gallery application is allowed, the user can very easily launch and use the Camera application from it. They can also use the Share button in the Gallery application to launch any photo sharing application like Messaging, Skype, WhatsApp, etc.
4. Easy Access to Notification Panel: Lastly, when the pinned application is not in the foreground, users can pull down the notification panel and make changes to device peripheral settings. For unattended public kiosks, someone turning off WiFi or 4G can render the kiosk unusable for any other user.
Screen Pinning APIs
[For Android Developers]
Google also introduced APIs in Lollipop to invoke Screen Pinning programmatically. These APIs, startLockTask() and setLockTaskPackages(), enable developers to pin their application to the foreground. While this gives developers the flexibility to pin their application automatically on launch without asking users to configure it manually, most of the limitations mentioned above still apply.
- Unless the calling application is the Device Owner, it will still show the proactive toast messages and give users an easy way to exit screen pinning by pressing the Back and Recent Apps buttons. Given that configuring your app as Device Owner requires a factory reset of the device, this becomes a major issue for enterprises where rapid mass provisioning is of utmost importance.
- Screen pinning automatically exits if the device reboots. This happens even if your application is the Device Owner. One can argue that developers can register to be launched automatically on device boot and call this API again, but our experience with the Android system says that on lots of devices, by the time app boot receivers get called, a device user has had enough time to interact with the system and do whatever he wants (like uninstalling your app or turning off WiFi or 3G).
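The Device Owner path described in the two points above, as an added example (not code from the original article or from 42Gears): the activity whitelists itself when it is Device Owner, re-enters lock task mode on every resume, and logs when it can only get user-exitable pinning. The class names KioskActivity and KioskAdminReceiver are assumptions, and the receiver is assumed to be registered in the manifest.

```java
import android.app.Activity;
import android.app.ActivityManager;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Bundle;
import android.util.Log;

// Hypothetical kiosk activity (names are assumptions, not from the article).
public class KioskActivity extends Activity {
    private static final String TAG = "KioskActivity";

    // Assumed admin receiver; it must also be declared in AndroidManifest.xml.
    public static class KioskAdminReceiver extends DeviceAdminReceiver { }

    private DevicePolicyManager dpm;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        dpm = (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
        // Only a Device Owner may whitelist packages for lock task mode.
        if (dpm.isDeviceOwnerApp(getPackageName())) {
            ComponentName admin = new ComponentName(this, KioskAdminReceiver.class);
            dpm.setLockTaskPackages(admin, new String[] { getPackageName() });
        }
    }

    @Override
    protected void onResume() {
        super.onResume();
        ActivityManager am = (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);
        // Pinning is lost on reboot, so check and re-enter it on every resume.
        if (am.isInLockTaskMode()) {
            return;
        }
        if (!dpm.isLockTaskPermitted(getPackageName())) {
            // Not whitelisted by a Device Owner: the call below only yields
            // ordinary screen pinning, which the user can exit.
            Log.w(TAG, "Package not whitelisted; pinning will be user-exitable");
        }
        startLockTask();
    }
}
```

Re-pinning in onResume() does not close the window between boot and the app's first launch that the article describes.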
Considering these shortfalls in Android Lollipop’s screen pinning feature, businesses and educational institutions cannot rely on it completely for converting Android devices into dedicated-purpose devices. Screen pinning still has a long way to go before it catches up with comprehensive, mature and robust lockdown solutions like SureLock.