Security on Yealink Android Devices

White Paper

Introduction

This white paper addresses security and privacy information for the Yealink MeetingBar A20 and MeetingBar A30 (A20 and A30). It may be updated periodically, with the most current version available on Yealink's website.

Yealink A20 and A30 products offer video conferencing and content-sharing solutions for small to medium conference rooms, deployed on-premises. Customers are responsible for protecting data residing on these systems within their environment.

Optional Integrations Available:

Yealink CTP18 Touch Panel
Yealink VCH51 Content Sharing adapter

Android Security Practices

All Yealink Android-based video endpoints feature a locked-down Android operating system, with unnecessary features and functions disabled for standard operation.

Devices run a modified and restrictive Android implementation, limiting capabilities compared to common Android phones and tablets.
Yealink prevents side-loading of APKs and access to the Google Play store, with formal testing to ensure these restrictions persist across product releases.
The system adheres to Android's recommended guidelines for signature verification of installed applications.
All device software updates are restricted to Yealink-signed packages.
Devices are tested against known rooting and jailbreaking methods and hardened against architecture modification.
Endpoints are designed for administrator configuration of security posture, including password policy, encryption strength, login response settings, and logging (internal and remote).

Yealink A20 and A30 products are based on the Android operating system. Yealink is committed to providing a secure system environment, ensuring the Android system and related Yealink services are equipped with multiple security solutions.

Yealink Security Solutions

The following security solutions are provided:

Streamlined Android system and timely security patch updates to reduce vulnerabilities.
Security Enhancements for Android (SE Android) to prevent root privilege escalation.
Built-in Application Deployment and Management (ADM) mechanism to strictly control third-party application privileges.
Virtual Private Network (VPN) feature to prevent data leakage.

Security Vulnerability Problem

Problem: The Android system's modular nature can introduce vulnerabilities, making it susceptible to attacks.

Solution: Yealink has streamlined the Android system for Yealink Android Devices, retaining only modules essential for product features, significantly reducing security risks. Security patches released by Google are updated promptly to address known vulnerabilities.

Root Privilege Escalation Problem

Problem: The Linux-based Android system's Discretionary Access Control (DAC) allows users to grant themselves file access. Exploiting vulnerabilities can lead to super administrator privileges and unauthorized data access.

Solution: Yealink Android Devices are protected by SE for Android, built on SELinux technology. SELinux employs Mandatory Access Control (MAC), where user and application privileges are governed by policy files, preventing even the super administrator from modifying them.

SE for Android secures the system by separating it into distinct security domains. Within each domain, applications receive minimal necessary permissions, containing potential damage to one area while leaving others uncompromised.

Diagram Description: The diagram illustrates the difference between Discretionary Access Control (DAC) and Mandatory Access Control (MAC). DAC, associated with 'Root User' and 'Virtual User' in a less secure model, allows users to grant themselves access to system resources. MAC, implemented via SE for Android and SELinux, enforces strict policies, assigning minimal permissions to applications within isolated security domains, thus limiting the impact of a compromise.

Malicious Application Problem

Problem: Third-party applications vary in quality, and some may contain malicious code that compromises system security and steals user data.

Solution: A built-in Application Deployment and Management (ADM) mechanism is implemented, restricting users from installing third-party applications by default, thereby providing full control over installed applications.

Diagram Description: The diagram shows the Application Deployment and Management (ADM) mechanism controlling a Yealink Android Phone. ADM manages 'Installation Control', 'Operation Control', and 'Permission Control' for third-party applications.

Through Auto Provisioning, administrators can conveniently deploy and manage applications, including installation, updates, uninstallation, and configuration of user permissions for third-party apps, their startup behavior, background operation, and in-call functionality. For more information, contact support@yealink.com.

Data Leak Problem

Problem: Unencrypted application data sent over the network can be monitored, intercepted, and tampered with.

Solution: Yealink Android Devices support OpenVPN, which encrypts application data during transmission. OpenVPN utilizes OpenSSL for data encryption, enabling secure VPN establishment with various authentication methods (private key, third-party certificate, username/password) and supporting TUN/TAP modes. Compared to native Android VPN, OpenVPN offers richer functionality and secure access to corporate resources via an encrypted tunnel.

Cryptographic Security

Yealink A20 and A30 products use secure communication channels for all connections with content-sharing devices and over data networks. They implement cryptographic libraries to encrypt all transmitted data. Data transfers utilize HTTPS over port 443, employing TLS and RSA unsymmetrical encryption algorithms.

Administrator Authentication

Customer administrators access Yealink A20 and A30 products for management and configuration via the device's web interface, requiring administrator credentials entered through a web browser.

Data Processing

By default, the following information is processed and stored locally on Yealink A20 and A30 devices:

MAC address
Serial number
IPv4/v6 addresses
Admin ID and password
System log files
Directory entries
IP peripheral details

This information is used to provide basic functionality and device pairing operations.

When using Yealink A20 and A30 products with the optional Yealink Device Manager Platform, data is sent to this system for provisioning and management. For details, refer to the Privacy section of the Yealink Device Manager Platform. As these systems are deployed in the customer's environment, the customer is responsible for protecting data processing.

Customer Feedback

Yealink strives to improve documentation quality and welcomes feedback. Email opinions and comments to DocsFeedback@yealink.com.

Technical Support

Visit the Yealink WIKI (http://support.yealink.com/) for the latest firmware, guides, FAQs, and product documents. For enhanced service, use the Yealink Ticketing system (https://ticket.yealink.com/) to submit technical issues.

	Yealink MeetingBar A30: Quick Start and Installation Guide A comprehensive guide to installing, connecting, and pairing the Yealink MeetingBar A30 video conferencing endpoint with the CTP18 touch panel, including setup instructions, box contents, and regulatory information.
	Yealink MeetingBar Quick Setup Guide: Installation and Configuration Comprehensive quick setup guide for Yealink MeetingBar A10, A20, A30, and A40 video conferencing devices. Learn how to install, configure, and log in to your device.
	Yealink CTP18 Collaboration Touch Panel User Guide for MeetingBar A20/A30 A comprehensive user guide for the Yealink CTP18 Collaboration Touch Panel, detailing setup, Microsoft Teams integration, meeting controls, camera settings, device management, and troubleshooting for use with MeetingBar A20/A30.
	Yealink MeetingBar A10/A20/A30 Quick Usage Guide A quick guide detailing the hardware introduction, port descriptions, LED status indicators, and interface familiarization for Yealink MeetingBar A10, A20, and A30 video conferencing systems, along with the CTP18 controller. It also includes common usage scenarios and FAQs.
	Yealink MeetingBar A20 Teams & Zoom Kit Quick Start Guide A quick start guide for the Yealink MeetingBar A20, detailing package contents, setup, connections, pairing, and basic settings for both Microsoft Teams and Zoom environments.
	Yealink CTP25 Touch Console for Meeting Control Discover the Yealink CTP25, a 10.1-inch touch console designed for seamless meeting control. Featuring an immersive HD display, Android 13 support, and versatile connectivity options including USB-C for content sharing and power delivery, the CTP25 enhances collaboration in conference rooms. Learn about its specifications, installation, and compatibility with Yealink endpoints.
	Yealink MeetingEye BYOD Mode Guide Manual: USB VC Endpoint Setup and Usage Comprehensive guide manual for Yealink MeetingEye BYOD Mode, detailing setup, firmware updates, connection procedures, and AI features for seamless video conferencing with platforms like Zoom, Teams, and Yealink Meeting.
	Yealink UVC84 Video Conferencing Camera Quick Start Guide This guide provides essential information for setting up and using the Yealink UVC84 video conferencing camera, covering package contents, installation methods, hardware interfaces, connection diagrams, LED status indicators, and important safety and regulatory information.