Go beyond traditional MDM security practices for Android

Esper’s Secure Platform for Android DevOps

Mobile transformation is much bigger than an investment into Android apps or devices. Today’s most innovative brands are disrupting entire industries and business models with Android products for health, fitness, food delivery, and much more. Enterprises need a secure solution to deploy and manage their Android edge devices to compete on customer experience.
‍
Esper is the industry’s first platform for Android DevOps that was designed to help customers compete on speed, scale, and security. Our mature infrastructure for device DevOps helps enterprises achieve a continuous, proactive approach to Android security.

Security Use Cases

Secure Android DevOps - or, DevSecOps - is the practice of building security into every stage of the Android product development lifecycle. With Esper.io, enterprises can “shift left” to include security requirements in provisioning, testing, deployment, and management.
‍
In the past, security considerations were often an afterthought to the development process and provisioning. Security reviews and rework often created a bottleneck for device operations teams. DevSecOps for Android is a natural progression toward better lifecycle collaboration and security by design.

Rapid Delivery

Enterprises use Esper to address security requirements earlier in the product life cycle, so they can deploy secure updates with speed and confidence.

Proactive Security

Esper offers total remote visibility and control over Android edge devices, so customers can adapt quickly to performance data or emerging security requirements.

Observability

Customers unlock end-to-end observability for each device, device group, and fleet via Esper’s cloud platform or APIs to meet even the strictest compliance requirements.

Configuration Management

Esper is the first to simplify control over every component of the Android edge - including hardware, firmware, configurations, application security, and content so enterprises can manage drift and restore compliance.

Simplify Security Updates

Regular operating system (OS) updates are crucial to protect mission-critical devices and data from security threats. Esper’s advanced DevOps pipelines are a robust, repeatable way to perform over-the-air updates without impact on uptime.
.

Rapid Scaling

Esper creates a repeatable process for secure deployment and management for fleets of 1,000+ devices. Customers rely on Esper’s automation tools to rapidly adapt to new use cases in mid-flight.

.

Esper’s Products for Secure Android

Esper Platform for Android DevOps

Powerful Templates for Remote Provisioning
Automated Monitoring & Response Features
Remotely View, Control & Debug Devices
Advanced Reporting & Audit Trails
Comprehensive Developer Tools

Esper Foundation for Android

Customized, Secure Android OS Images
Android OS for Legacy x86 Devices
Managed Android OTA Updates

Android Hardware Support

Foundation Hardware
Validated Android Hardware
Support for Custom Device Builds

Advanced Security Add-Ons

Virtual Private Cloud Hosting
Esper Foundation for Android Updates
Cloud Platform and Experience Engineering

See Esper’s Pricing

A Secure Ecosystem for Android Innovation

Esper’s flexible cloud features are offered as developer tools to give customers even more control over the device lifecycle. Developers gain access to Esper’s Android VIrtual Devices (AVDs), SDKs, APIs, and an Android Studio Plugin for secure, customized implementations across a growing number of use cases.

Esper is partnered with some of the world’s most trusted brands in Android, including device manufacturers (OEM/ODM), chip manufacturers, system integrators, and solution providers. Customers can draw from the expertise of Esper’s trusted partners to transform their approach to secure mobile.

Esper’s Dev Tools Esper’s Partner Ecosystem

Security, Privacy & Compliance at Esper

Esper’s products are built to exceed the world’s strictest security standards and frameworks for cloud security and service providers. Our platform and operations are designed to offer absolute control over the confidentiality, integrity, and availability of our customer’s mission-critical devices.
‍
Mature security controls and systems are one way Esper delivers on our customer promise of operational excellence. Esper’s security, compliance, and privacy practices are validated by external audit to support our mission of being the world’s most secure SaaS solution for Android.

Learn More About Esper’s Security Practice

Esper’s Privacy Practice

Esper is committed to transparency in our data privacy practices and compliant with such privacy legislation as CCPA and the GDPR. As outlined in our privacy policy, we collect minimal personal information and do not sell or share customer data with third parties.

Esper’s Privacy Policy

PCI DSS

The Payment Card Industry Data Security Standard is a set of requirements to ensure the security of payment card information. While Esper does not process, store, or transmit payment data, the organization has completed a PCI DSS SAQ-D audit with an independent qualified security assessor (QSA) firm to prove that our platform is a secure choice for Android mPoS. Esper’s PCI DSS reports are available to customers and prospective customers upon request.

SOC 2

The Service Organization Controls 2 audit is an internationally recognized approach to validating over 60 controls at service provider organizations. Esper has completed a SOC 2, Type 1 report with certified auditors at a nationally recognized licensed CPA and audit firm. Copies of Esper’s annual SOC 2, Type 1 report are available to customers.

ISO 27001

ISO/IEC 27001:2013 is a globally recognized standard for a comprehensive information security management system. Esper has achieved ISO 27001 certification following a multi-stage audit by qualified security assessors at A-Lign. This certification validates the security of Esper’s entire product suite - including our SaaS platform, APIs, and custom Android OS - and our operational facilities in Bellevue, Washington and Bengaluru, India.

Pentest

Esper’s attack surfaces are subject to regular penetration tests and vulnerability scans by independent, qualified pen testing professionals. Continuous testing is crucial, which is why Esper’s created an internal “red team” dedicated to ethical hacking, social engineering, and vulnerability scanning. Esper’s penetration test reports are subject to third-party, expert review during audits.

Esper’s Android pentest experts occasionally offer pentest services as a premium add-on for enterprise customers who wish to test the security of their Android products or deployments. Please start a conversation to learn more.

Other Security Compliance Audits

Esper is committed to creating lasting, trust-based relationships with our customers. We view third-party security and compliance audits as one important form of customer proof that Esper’s operations are secure and resilient. Esper plans to add additional audits beyond SOC 2, PCI DSS, and ISO 27001 in the future.

Esper offers several premium add-on features as an option for enterprise customers - including dedicated private cloud hosting, over-the-air Android OS updates, and compliance agreements. Enterprise customer agreements may include security audit requirements for Esper, such as:

Contractual obligations for successful, annual security audits
An agreement to pass additional security framework audits
Custom-built audits by a qualified third party

For additional information about security audit agreements and other premium add-ons, please contact Esper.

Encryption

Esper encrypts all data in transit and at rest to protect the integrity of communications between the cloud and our customer’s mission-critical Android devices at the edge. All data in transit is encrypted using appropriately strong ciphers and key-lengths (TLS 1.2+). We encrypt all data at rest using at least AES 256.

Esper uses industry-leading Key Management Service (KMS) to generate, store, and protect encryption keys. All employee and customer passwords are salted and hashed during storage to prevent unauthorized password retrieval.

Android OS Security

Esper’s custom Android OS, Esper Foundation for Android, is a more secure approach to the entire Android lifecycle. A purpose-built operating system enables easier provisioning, remote debugging, and over-the-air Android OS updates to patch critical vulnerabilities. Start a conversation to learn more about simplifying security with Foundation over-the-air updates, including self-service and fully-managed OS updates.

Android Hardware

Esper’s Android labs rely on industry-leading best practices to test Android devices from various OEMs for customer and industry use cases. Our rigorous approach to testing ensures that all Esper Foundation and validated Android devices are compatible with our cloud tools for greater customer control over security.
Choosing the correct hardware for your Android use case is vital to customer success and security throughout the customer lifecycle. Esper offers Android hardware consulting services as a premium pricing add-on.

Threat Modeling

Esper uses threat modeling during each stage of the DevOps lifecycle to minimize unintended risks or impacts on our platform and customers. Every technical lead at Esper is responsible for developing an active threat model for their areas of responsibility. Esper’s threat modeling practice is grounded in industry-leading practices such as STRIDE and attack tree diagrams.

Private Cloud

Esper offers virtual private cloud hosting as a premium feature to our enterprise customers. Our cloud team can provision private cloud resources to meet Esper’s customers’ security, recovery, or compliance requirements at large enterprises or in highly regulated industries. To learn more about this feature and other premium add-ons, please contact us.

Testing

Product testing is performed at each stage of Esper’s DevOps lifecycle. Our DevOps team relies on unit testing, integration testing, acceptance testing, SAST, DAST, and ad hoc tests. Engineers from our QA, product development, sales engineering, and customer success functions are all responsible for testing with both automated and manual techniques.

Multi-Factor Authentication

Esper supports customer multi-factor authentication (MFA) to prevent unauthorized access to Esper’s cloud platform (or cloud console). Currently, Esper offers support for Google OAuth, and by extension, multi-factor authentication when enabled by our customer’s Google Workspace administrator.
Esper recommends that our customers utilize Google OAuth with MFA enabled to protect their instance of the cloud console.

Shared Responsibility

Esper and customers share responsibility for security. Esper is responsible for security and compliance within their operations and infrastructure, including the cloud, networking components, software, and hardware used within our Android DevOps platform. We do not collect, process, or store sensitive data from our customer’s Android devices or applications.

Esper’s customers are responsible for using Esper’s DevOps platform in a secure and compliant way. This means that customers are responsible for configuring all of the Esper settings and features they can access, provisioning devices securely, and monitoring their devices. Customers are responsible for the security of their apps, networks, and users.

Esper’s support engineers may sometimes assume additional responsibilities for secure, successful customer deployments when customers purchase additional features or support. For example, Esper offers the option for customers to enlist our support engineer’s help to build a secure provisioning template or on-site onboarding services.

Additional documentation on shared responsibility for security and compliance is available to Esper customers upon request.

Support

Esper is committed to offering the industry’s best support for the entire customer lifecycle. Our sales and customer success engineers are experts in secure Android deployment and management. Esper’s support team members are bound by non-disclosure agreements and have received training to protect our customer’s trade secrets and sensitive data.

Occasionally, there’s a business requirement for a member of Esper’s support team to access a customer tenant for hands-on troubleshooting. Esper prevents unauthorized access or modification by logging all support access internally in audit trails that cannot be modified. Customers can also view all actions taken by Esper’s support team within the Activity Log of their cloud console instance.

Access

Esper operates by the principle of least privilege. Our employees are granted access to sensitive systems and data only after demonstrating business needs, training, and non-disclosure agreements. Access to sensitive systems is strictly controlled, logged, and carefully monitored to prevent abuse of privileges.

Esper does not permit any representatives from third parties to access our sensitive data and system components. Our security team regularly performs reviews of the third-party, user, and privileged access to ensure system owners comply with access policies.

Awareness

Esper’s awareness and training program is built on the belief that security is everyone’s responsibility. We empower employees to protect our customers, our sensitive systems, and data by enrolling new hires in training courses based on their roles. All employees must complete awareness and skills-based security training at least annually. Also, Esper does regular security simulation exercises and has a formal recognition program for employees who champion security.

Our employee security training currently includes:

Security Awareness
Secure Code & OWASP Top 10
Incident Response
HIPAA for Business Associates
Federal Information Security Management Act (FISMA)
FCPA Anti-Corruption and Bribery

Ongoing security and compliance training are part of Esper’s commitment to employee professional development and best-in-class support for our enterprise customers. When appropriate, additional training requirements for our team can be added to agreements with Esper customers.

Change Management

Esper employs a strict process for change management to create better collaboration on secure DevOps across our product, technical pre-sales, and customer success teams. Our change management process includes considerations for risk and security in feature evaluation, design, threat modeling, quality assurance, and releases.

Esper protects our customers by requiring an analysis of security risk and impact before we initiate new feature development. Peer approvals and security reviews are required at each stage of the DevOps lifecycle.

Detection

Esper employs a comprehensive set of systems for real-time monitoring and alerts to detect suspicious activity or policy violations. We’ve engineered a capacity for detection and response at each layer of our architecture. Our detection tools for a security incident and event management include:

Endpoint Protection
File Integrity Monitoring
Intrusion Detection & Prevention Systems (IDS/IPS)
Governance, Risk & Compliance Monitoring
Application and Infrastructure Monitoring
Data Loss Prevention
Asset Inventory
Cloud Monitoring
Behavioral Analytics

Esper maintains a 24/7/365 schedule of on-call staff trained in incident remediation to ensure rapid response and recovery.

‍

Expertise

Esper’s two co-founders collectively have 40 years of experience and 35 patents in Android, embedded systems, and security. Our organization works hard to embed security experts on our DevOps, product, cloud, and customer-facing team. Esper’s security team functions as an independent center of excellence to foster better collaboration around continuous security improvement.

Hiring Practices

Esper works very hard to recruit and retain some of the world’s brightest minds in fields such as secure Android, DevOps, and cloud. All new hires are subject to criminal background checks and verification of employment history, references, education. When appropriate, background checks also consider an applicant’s driving history. All members of the Esper team sign a confidentiality agreement before receiving access to systems or assets.

Security is a foundational concept within Esper’s approach to the employee lifecycle and performance management. Awareness and security education is woven into our approach to employee onboarding, continuing education, performance reviews, and promotions.

Policy

Protection

Esper uses industry-leading controls to protect our sensitive data and system components from unauthorized modification or access. Our information protection processes include regular system maintenance and active vulnerability management for all components.

Esper identifies opportunities for improvement through an active risk assessment process. Internal and external testing, simulations, and audits are all part of Esper’s framework for continuous improvement.

‍

Recovery

Esper has fully automated controls for data backup as part of our larger framework for resilient, secure operations. All of Esper’s critical system components and sensitive data are backed up daily. We test our data backups regularly to ensure our backup procedures are sound.

Response

Esper is committed to resilient operations. Our executive leadership team drives our efforts to maintain and regularly test our playbooks for incident response and business continuity. Esper continuously works to improve our response procedures and incorporate lessons learned during simulations.

Esper’s commitment to resiliency is an essential component of our efforts to protect customer’s mission-critical devices and sensitive information. Our customer promise includes ethical and legal business practices and complete transparency with external stakeholders. If Esper ever experienced a significant security incident, our response playbooks include timely communications with our board of directors, law enforcement, regulators, and customers.

Vendors

A business is only as secure as its supply chain and cloud vendors, which is why Esper.io is committed to a mature process for vendor risk assessment. All of our vendors are subject to a security compliance review annually to minimize the potential impact of supply chain risks.

Esper’s vendor risk processes conform with best practices from the PCI DSS, SOC 2, ISO 27001, and NIST frameworks. Our records of vendor risk assessment are subject to review at least annually by qualified, third-party security assessors as part of our audit certification process.

Security at Esper

Esper’s Secure Platform for Android DevOps

Security Use Cases

Esper’s Products for Secure Android

A Secure Ecosystem for Android Innovation

Security, Privacy & Compliance at Esper

Esper’s Privacy Practice

Products

Custom Software

Enterprise Hardware

Partner

Resources

Company