Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 1 | page.title=Android Security Overview |
| 2 | @jd:body |
| 3 | |
| 4 | <!-- |
Clay Murphy | 768b82a | 2013-11-12 11:32:41 -0800 | [diff] [blame^] | 5 | Copyright 2013 The Android Open Source Project |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 6 | |
| 7 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 8 | you may not use this file except in compliance with the License. |
| 9 | You may obtain a copy of the License at |
| 10 | |
| 11 | http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | |
| 13 | Unless required by applicable law or agreed to in writing, software |
| 14 | distributed under the License is distributed on an "AS IS" BASIS, |
| 15 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 16 | See the License for the specific language governing permissions and |
| 17 | limitations under the License. |
| 18 | --> |
Clay Murphy | 882fa88 | 2013-10-18 16:43:40 -0700 | [diff] [blame] | 19 | <div id="qv-wrapper"> |
| 20 | <div id="qv"> |
| 21 | <h2>In this document</h2> |
| 22 | <ol id="auto-toc"> |
| 23 | </ol> |
| 24 | </div> |
| 25 | </div> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 26 | |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 27 | <h2 id="introduction">Introduction</h2> |
| 28 | <p>Android is a modern mobile platform that was designed to be truly open. Android |
| 29 | applications make use of advanced hardware and software, as well as local and |
| 30 | served data, exposed through the platform to bring innovation and value to |
| 31 | consumers. To protect that value, the platform must offer an application |
| 32 | environment that ensures the security of users, data, applications, the device, |
| 33 | and the network.</p> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 34 | |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 35 | <p>Securing an open platform requires a robust security architecture and rigorous |
| 36 | security programs. Android was designed with multi-layered security that |
| 37 | provides the flexibility required for an open platform, while providing |
| 38 | protection for all users of the platform.</p> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 39 | |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 40 | <p>Android was designed with developers in mind. Security controls were designed |
| 41 | to reduce the burden on developers. Security-savvy developers can easily work |
| 42 | with and rely on flexible security controls. Developers less familiar with |
| 43 | security will be protected by safe defaults.</p> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 44 | |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 45 | <p>Android was designed with device users in mind. Users are provided visibility |
| 46 | into how applications work, and control over those applications. This design |
| 47 | includes the expectation that attackers would attempt to perform common |
| 48 | attacks, such as social engineering attacks to convince device users to install |
| 49 | malware, and attacks on third-party applications on Android. Android was |
| 50 | designed to both reduce the probability of these attacks and greatly limit the |
| 51 | impact of the attack in the event it was successful.</p> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 52 | |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 53 | <p>This document outlines the goals of the Android security program, describes the |
| 54 | fundamentals of the Android security architecture, and answers the most |
| 55 | pertinent questions for system architects and security analysts. This document |
| 56 | focuses on the security features of Android's core platform and does not |
| 57 | discuss security issues that are unique to specific applications, such as those |
| 58 | related to the browser or SMS application. Recommended best practices for |
| 59 | building Android devices, deploying Android devices, or developing applications |
| 60 | for Android are not the goal of this document and are provided elsewhere.</p> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 61 | |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 62 | <h1 id="background">Background</h1> |
| 63 | <p>Android provides an open source platform and application environment for mobile |
| 64 | devices.</p> |
| 65 | <p>The main Android platform building blocks are:</p> |
| 66 | <ul> |
| 67 | <li> |
| 68 | <p><strong>Device Hardware</strong>: Android runs on a wide range of hardware configurations |
| 69 | including smart phones, tablets, and set-top-boxes. Android is |
| 70 | processor-agnostic, but it does take advantage of some hardware-specific |
| 71 | security capabilities such as ARM v6 eXecute-Never.</p> |
| 72 | </li> |
| 73 | <li> |
| 74 | <p><strong>Android Operating System</strong>: The core operating system is built on top of |
| 75 | the Linux kernel. All device resources, like camera functions, GPS data, |
| 76 | Bluetooth functions, telephony functions, network connections, etc. are |
| 77 | accessed through the operating system.</p> |
| 78 | </li> |
| 79 | <li> |
| 80 | <p><strong>Android Application Runtime</strong>: Android applications are most often written |
| 81 | in the Java programming language and run in the Dalvik virtual machine. |
| 82 | However, many applications, including core Android services and applications |
| 83 | are native applications or include native libraries. Both Dalvik and native |
| 84 | applications run within the same security environment, contained within the |
| 85 | Application Sandbox. Applications get a dedicated part of the filesystem in |
| 86 | which they can write private data, including databases and raw files.</p> |
| 87 | </li> |
| 88 | </ul> |
| 89 | <p>Android applications extend the core Android operating system. There are two |
| 90 | primary sources for applications:</p> |
| 91 | <ul> |
| 92 | <li> |
| 93 | <p><strong>Pre-Installed Applications</strong>: Android includes a set of pre-installed |
| 94 | applications including phone, email, calendar, web browser, and contacts. These |
| 95 | function both as user applications and to provide key device capabilities that |
| 96 | can be accessed by other applications. Pre-installed applications may be part |
| 97 | of the open source Android platform, or they may be developed by an OEM for a |
| 98 | specific device.</p> |
| 99 | </li> |
| 100 | <li> |
| 101 | <p><strong>User-Installed Applications</strong>: Android provides an open development |
| 102 | environment supporting any third-party application. Google Play offers |
| 103 | users hundreds of thousands of applications.</p> |
| 104 | </li> |
| 105 | </ul> |
| 106 | <p>Google provides a set of cloud-based services that are available to any |
| 107 | compatible Android device. The primary services are:</p> |
| 108 | <ul> |
| 109 | <li> |
| 110 | <p><strong>Google Play</strong>: Google Play is a collection of services that |
| 111 | allow users to discover, install, and purchase applications from their Android |
| 112 | device or the web. Google Play makes it easy for developers to reach Android |
| 113 | users and potential customers. Google Play also provides community review, |
| 114 | application <a href="https://developer.android.com/guide/publishing/licensing.html">license |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 115 | verification</a>, application security scanning, and other security services.</p> |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 116 | </li> |
| 117 | <li> |
| 118 | <p><strong>Android Updates</strong>: The Android update service delivers new capabilities and |
| 119 | security updates to Android devices, including updates through the web or over |
| 120 | the air (OTA).</p> |
| 121 | </li> |
| 122 | <li> |
| 123 | <p><strong>Application Services</strong>: Frameworks that allow Android applications to use |
| 124 | cloud capabilities such as (<a href="https://developer.android.com/guide/topics/data/backup.html">backing |
| 125 | up</a>) application |
| 126 | data and settings and cloud-to-device messaging |
| 127 | (<a href="https://code.google.com/android/c2dm/index.html">C2DM</a>) |
| 128 | for push messaging.</p> |
| 129 | </li> |
| 130 | </ul> |
| 131 | <p>These services are not part of the Android Open Source Project and are out |
| 132 | of scope for this document. But they are relevant to the security of most |
| 133 | Android devices, so a related security document titled “Google Services for |
| 134 | Android: Security Overview” is available.</p> |
| 135 | <h2 id="android-security-program-overview">Android Security Program Overview</h2> |
| 136 | <p>Early on in development, the core Android development team recognized that a |
| 137 | robust security model was required to enable a vigorous ecosystem of |
| 138 | applications and devices built on and around the Android platform and supported |
| 139 | by cloud services. As a result, through its entire development lifecycle, |
| 140 | Android has been subjected to a professional security program. The Android team |
| 141 | has had the opportunity to observe how other mobile, desktop, and server platforms |
| 142 | prevented and reacted to security issues and built a security |
| 143 | program to address weak points observed in other offerings.</p> |
| 144 | <p>The key components of the Android Security Program include:</p> |
| 145 | <ul> |
| 146 | <li><strong>Design Review</strong>: The Android security process begins early in the |
| 147 | development lifecycle with the creation of a rich and configurable security |
| 148 | model and design. Each major feature of the platform is reviewed by engineering |
| 149 | and security resources, with appropriate security controls integrated into the |
| 150 | architecture of the system.</li> |
| 151 | <li><strong>Penetration Testing and Code Review</strong>: During the development of the |
| 152 | platform, Android-created and open-source components are subject to vigorous |
| 153 | security reviews. These reviews are performed by the Android Security Team, |
| 154 | Google’s Information Security Engineering team, and independent security |
| 155 | consultants. The goal of these reviews is to identify weaknesses and possible |
| 156 | vulnerabilities well before the platform is open-sourced, and to simulate the |
| 157 | types of analysis that will be performed by external security experts upon |
| 158 | release.</li> |
| 159 | <li><strong>Open Source and Community Review</strong>: The Android Open Source Project enables |
| 160 | broad security review by any interested party. Android also uses open source |
| 161 | technologies that have undergone significant external security review, |
| 162 | such as the Linux kernel. Google Play provides a forum for users and companies |
| 163 | to provide information about specific applications directly to users.</li> |
| 164 | <li><strong>Incident Response</strong>: Even with all of these precautions, security issues |
| 165 | may occur after shipping, which is why the Android project has created a |
| 166 | comprehensive security response process. A full-time Android security team |
| 167 | constantly monitors Android-specific and the general security community for |
| 168 | discussion of potential vulnerabilities. Upon the discovery of legitimate |
| 169 | issues, the Android team has a response process that enables the rapid |
| 170 | mitigation of vulnerabilities to ensure that potential risk to all Android |
| 171 | users is minimized. These cloud-supported responses can include updating the |
| 172 | Android platform (over-the-air updates), removing applications from Google |
| 173 | Play, and removing applications from devices in the field.</li> |
| 174 | </ul> |
| 175 | <h2 id="android-platform-security-architecture">Android Platform Security Architecture</h2> |
| 176 | <p>Android seeks to be the most secure and usable operating system for mobile |
| 177 | platforms by re-purposing traditional operating system security controls to:</p> |
| 178 | <ul> |
| 179 | <li>Protect user data</li> |
| 180 | <li>Protect system resources (including the network)</li> |
| 181 | <li>Provide application isolation</li> |
| 182 | </ul> |
| 183 | <p>To achieve these objectives, Android provides these key security features:</p> |
| 184 | <ul> |
| 185 | <li>Robust security at the OS level through the Linux kernel</li> |
| 186 | <li>Mandatory application sandbox for all applications</li> |
| 187 | <li>Secure interprocess communication</li> |
| 188 | <li>Application signing</li> |
| 189 | <li>Application-defined and user-granted permissions</li> |
| 190 | </ul> |
| 191 | <p>The sections below describe these and other security features of the Android |
| 192 | platform. <em>Figure 1</em> summarizes the security components and considerations of |
| 193 | the various levels of the Android software stack. Each component assumes that |
| 194 | the components below are properly secured. With the exception of a small amount |
| 195 | of Android OS code running as root, all code above the Linux Kernel is |
| 196 | restricted by the Application Sandbox.</p> |
| 197 | <p><img alt="Figure 1: Android software stack" src="images/image00.png" /></p> |
| 198 | <p><em>Figure 1: Android software stack.</em></p> |
| 199 | <h1 id="system-and-kernel-level-security">System and Kernel Level Security</h1> |
| 200 | <p>At the operating system level, the Android platform provides the security of |
| 201 | the Linux kernel, as well as a secure inter-process communication (IPC) |
| 202 | facility to enable secure communication between applications running in |
| 203 | different processes. These security features at the OS level ensure that even |
| 204 | native code is constrained by the Application Sandbox. Whether that code is |
| 205 | the result of included application behavior or a exploitation of an application |
| 206 | vulnerability, the system would prevent the rogue application from harming |
| 207 | other applications, the Android system, or the device itself.</p> |
| 208 | <h2 id="linux-security">Linux Security</h2> |
| 209 | <p>The foundation of the Android platform is the Linux kernel. The Linux kernel |
| 210 | itself has been in widespread use for years, and is used in millions of |
| 211 | security-sensitive environments. Through its history of constantly being |
| 212 | researched, attacked, and fixed by thousands of developers, Linux has become a |
| 213 | stable and secure kernel trusted by many corporations and security |
| 214 | professionals.</p> |
| 215 | <p>As the base for a mobile computing environment, the Linux kernel provides |
| 216 | Android with several key security features, including:</p> |
| 217 | <ul> |
| 218 | <li>A user-based permissions model</li> |
| 219 | <li>Process isolation</li> |
| 220 | <li>Extensible mechanism for secure IPC</li> |
| 221 | <li>The ability to remove unnecessary and potentially insecure parts of the kernel</li> |
| 222 | </ul> |
| 223 | <p>As a multiuser operating system, a fundamental security objective of the Linux |
| 224 | kernel is to isolate user resources from one another. The Linux security |
| 225 | philosophy is to protect user resources from one another. Thus, Linux:</p> |
| 226 | <ul> |
| 227 | <li>Prevents user A from reading user B's files</li> |
| 228 | <li>Ensures that user A does not exhaust user B's memory</li> |
| 229 | <li>Ensures that user A does not exhaust user B's CPU resources</li> |
| 230 | <li>Ensures that user A does not exhaust user B's devices (e.g. telephony, GPS, |
| 231 | bluetooth)</li> |
| 232 | </ul> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 233 | |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 234 | <h2 id="the-application-sandbox">The Application Sandbox</h2> |
| 235 | <p>The Android platform takes advantage of the Linux user-based protection as a |
| 236 | means of identifying and isolating application resources. The Android system |
| 237 | assigns a unique user ID (UID) to each Android application and runs it as that user |
| 238 | in a separate process. This approach is different from other operating systems |
| 239 | (including the traditional Linux configuration), where multiple applications |
| 240 | run with the same user permissions.</p> |
| 241 | <p>This sets up a kernel-level Application Sandbox. The kernel enforces security |
| 242 | between applications and the system at the process level through standard Linux |
| 243 | facilities, such as user and group IDs that are assigned to applications. By |
| 244 | default, applications cannot interact with each other and applications have |
| 245 | limited access to the operating system. If application A tries to do something |
| 246 | malicious like read application B's data or dial the phone without permission |
| 247 | (which is a separate application), then the operating system protects against |
| 248 | this because application A does not have the appropriate user privileges. The |
| 249 | sandbox is simple, auditable, and based on decades-old UNIX-style user |
| 250 | separation of processes and file permissions.</p> |
| 251 | <p>Since the Application Sandbox is in the kernel, this security model extends to |
| 252 | native code and to operating system applications. All of the software above the |
| 253 | kernel in <em>Figure 1</em>, including operating system libraries, application |
| 254 | framework, application runtime, and all applications run within the Application |
| 255 | Sandbox. On some platforms, developers are constrained to a specific |
| 256 | development framework, set of APIs, or language in order to enforce security. |
| 257 | On Android, there are no restrictions on how an application can be written that |
| 258 | are required to enforce security; in this respect, native code is just as |
| 259 | secure as interpreted code.</p> |
| 260 | <p>In some operating systems, memory corruption errors generally lead to |
| 261 | completely compromising the security of the device. This is not the case in |
| 262 | Android due to all applications and their resources being sandboxed at the OS |
| 263 | level. A memory corruption error will only allow arbitrary code execution in |
| 264 | the context of that particular application, with the permissions established by |
| 265 | the operating system.</p> |
| 266 | <p>Like all security features, the Application Sandbox is not unbreakable. |
| 267 | However, to break out of the Application Sandbox in a properly configured |
| 268 | device, one must compromise the security of the the Linux kernel.</p> |
| 269 | <h2 id="system-partition-and-safe-mode">System Partition and Safe Mode</h2> |
| 270 | <p>The system partition contains Android's kernel as well as the operating system |
| 271 | libraries, application runtime, application framework, and applications. This |
| 272 | partition is set to read-only. When a user boots the device into Safe Mode, |
| 273 | only core Android applications are available. This ensures that the user can |
| 274 | boot their phone into an environment that is free of third-party software.</p> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 275 | |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 276 | <h2 id="filesystem-permissions">Filesystem Permissions</h2> |
| 277 | <p>In a UNIX-style environment, filesystem permissions ensure that one user cannot |
| 278 | alter or read another user's files. In the case of Android, each application |
| 279 | runs as its own user. Unless the developer explicitly exposes files to other |
| 280 | applications, files created by one application cannot be read or altered by |
| 281 | another application.</p> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 282 | |
Clay Murphy | 882fa88 | 2013-10-18 16:43:40 -0700 | [diff] [blame] | 283 | <h2 id="se-linux">Security-Enhanced Linux</h2> |
| 284 | |
| 285 | <p>Android uses Security-Enhanced |
| 286 | Linux (SELinux) to apply access control policies and establish an environment of |
| 287 | mandatory access control (mac). See <a |
| 288 | href="{@docRoot}devices/tech/security/se-linux.html">Validating |
| 289 | Security-Enhanced Linux in |
| 290 | Android</a> for details.</p> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 291 | |
| 292 | <h2 id="crypto">Cryptography</h2> |
| 293 | |
| 294 | <p> |
| 295 | Android provides a set of cryptographic APIs for use by applications. These |
| 296 | include implementations of standard and commonly used cryptographic primitives |
| 297 | such as AES, RSA, DSA, and SHA. Additionally, APIs are provided for higher level |
| 298 | protocols such as SSL and HTTPS. |
| 299 | </p> |
| 300 | |
| 301 | <p> |
| 302 | Android 4.0 introduced the |
| 303 | <a href="http://developer.android.com/reference/android/security/KeyChain.html">KeyChain</a> |
| 304 | class to allow applications to use the system credential storage for private |
| 305 | keys and certificate chains. |
| 306 | </p> |
| 307 | |
| 308 | <h2>Memory Management Security Enhancements</h2> |
| 309 | |
| 310 | Android includes many features that make common security issues harder to |
| 311 | exploit. The Android SDK, compilers, and OS use tools to make common memory |
| 312 | corruption issues significantly harder to exploit, including: |
| 313 | |
| 314 | <dl> |
| 315 | <dt><strong>Android 1.5</strong></dt> |
| 316 | <dd><ul> |
| 317 | <li>ProPolice to prevent stack buffer overruns (-fstack-protector)</li> |
| 318 | <li>safe_iop to reduce integer overflows</li> |
| 319 | <li>Extensions to OpenBSD dlmalloc to prevent double free() vulnerabilities and |
| 320 | to prevent chunk consolidation attacks. Chunk consolidation attacks are a |
| 321 | common way to exploit heap corruption.</li> |
| 322 | <li>OpenBSD calloc to prevent integer overflows during memory allocation</li> |
| 323 | </ul> |
| 324 | </dd> |
| 325 | |
| 326 | <dt><strong>Android 2.3</strong></dt> |
| 327 | <dd><ul> |
| 328 | <li>Format string vulnerability protections (-Wformat-security -Werror=format-security)</li> |
| 329 | <li>Hardware-based No eXecute (NX) to prevent code execution on the stack and heap</li> |
| 330 | <li>Linux mmap_min_addr to mitigate null pointer dereference privilege |
| 331 | escalation (further enhanced in Android 4.1)</li> |
| 332 | </ul> |
| 333 | </dd> |
| 334 | |
| 335 | <dt><strong>Android 4.0</strong></dt> |
| 336 | <dd>Address Space Layout Randomization (ASLR) to randomize key locations in memory |
| 337 | </dd> |
| 338 | |
| 339 | <dt><strong>Android 4.1</strong></dt> |
| 340 | <dd><ul> |
| 341 | <li>PIE (Position Independent Executable) support</li> |
| 342 | <li>Read-only relocations / immediate binding (-Wl,-z,relro -Wl,-z,now)</li> |
| 343 | <li>dmesg_restrict enabled (avoid leaking kernel addresses)</li> |
| 344 | <li>kptr_restrict enabled (avoid leaking kernel addresses)</li> |
| 345 | </ul> |
| 346 | </dd> |
| 347 | |
| 348 | <dt><strong>Android 4.2</strong></dt> |
| 349 | <dd><code>FORTIFY_SOURCE</code> for system code</dd> |
| 350 | |
| 351 | </dl> |
| 352 | |
| 353 | <h2>Rooting of Devices</h2> |
| 354 | <p> |
| 355 | By default, on Android only the kernel and a small subset of the core |
| 356 | applications run with root permissions. Android does not prevent a user or |
| 357 | application with root permissions from modifying the operating system, kernel, |
| 358 | and any other application. In general, root has full access to all |
| 359 | applications and all application data. Users that change the permissions on an |
| 360 | Android device to grant root access to applications increase the security |
| 361 | exposure to malicious applications and potential application flaws. |
| 362 | </p> |
| 363 | <p> |
| 364 | The ability to modify an Android device they own is important to developers |
| 365 | working with the Android platform. On many Android devices users have the |
| 366 | ability to unlock the bootloader in order to allow installation of an alternate |
| 367 | operating system. These alternate operating systems may allow an owner to gain |
| 368 | root access for purposes of debugging applications and system components or to |
| 369 | access features not presented to applications by Android APIs. |
| 370 | </p> |
| 371 | <p> |
| 372 | On some devices, a person with physical control of a device and a USB cable is |
| 373 | able to install a new operating system that provides root privileges to the |
| 374 | user. To protect any existing user data from compromise the bootloader unlock |
| 375 | mechanism requires that the bootloader erase any existing user data as part of |
| 376 | the unlock step. Root access gained via exploiting a kernel bug or security |
| 377 | hole can bypass this protection. |
| 378 | </p> |
| 379 | <p> |
| 380 | Encrypting data with a key stored on-device does not protect the application |
| 381 | data from root users. Applications can add a layer of data protection using |
| 382 | encryption with a key stored off-device, such as on a server or a user |
| 383 | password. This approach can provide temporary protection while the key is not |
| 384 | present, but at some point the key must be provided to the application and it |
| 385 | then becomes accessible to root users. |
| 386 | </p> |
| 387 | <p> |
| 388 | A more robust approach to protecting data from root users is through the use of |
| 389 | hardware solutions. OEMs may choose to implement hardware solutions that limit |
| 390 | access to specific types of content such as DRM for video playback, or the |
| 391 | NFC-related trusted storage for Google wallet. |
| 392 | </p> |
| 393 | <p> |
| 394 | In the case of a lost or stolen device, full filesystem encryption on Android |
| 395 | devices uses the device password to protect the encryption key, so modifying |
| 396 | the bootloader or operating system is not sufficient to access user data |
| 397 | without the user’s device password. |
| 398 | </p> |
| 399 | <h2>User Security Features</h2> |
| 400 | |
| 401 | <h3 id="filesystem-encryption">Filesystem Encryption</h3> |
| 402 | |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 403 | <p>Android 3.0 and later provides full filesystem encryption, so all user data can |
| 404 | be encrypted in the kernel using the dmcrypt implementation of AES128 with CBC |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 405 | and ESSIV:SHA256. The encryption key is protected by AES128 using a key |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 406 | derived from the user password, preventing unauthorized access to stored data |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 407 | without the user device password. To provide resistance against systematic |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 408 | password guessing attacks (e.g. “rainbow tables” or brute force), the |
| 409 | password is combined with a random salt and hashed repeatedly with SHA1 using |
| 410 | the standard PBKDF2 algorithm prior to being used to decrypt the filesystem |
| 411 | key. To provide resistance against dictionary password guessing attacks, |
| 412 | Android provides password complexity rules that can be set by the device |
| 413 | administrator and enforced by the operating system. Filesystem encryption |
| 414 | requires the use of a user password, pattern-based screen lock is not supported.</p> |
| 415 | <p>More details on implementation of filesystem encryption are available at |
Clay Murphy | 72bdea0 | 2013-06-18 16:44:01 -0700 | [diff] [blame] | 416 | <a href="/devices/tech/encryption/android_crypto_implementation.html">https://source.android.com/devices/tech/encryption/android_crypto_implementation.html</a></p> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 417 | |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 418 | <h2 id="password-protection">Password Protection</h2> |
| 419 | <p>Android can be configured to verify a user-supplied password prior to providing |
| 420 | access to a device. In addition to preventing unauthorized use of the device, |
| 421 | this password protects the cryptographic key for full filesystem encryption.</p> |
| 422 | <p>Use of a password and/or password complexity rules can be required by a device |
| 423 | administrator.</p> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 424 | |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 425 | <h2 id="device-administration">Device Administration</h2> |
| 426 | <p>Android 2.2 and later provide the Android Device Administration API, which |
| 427 | provides device administration features at the system level. For example, the |
| 428 | built-in Android Email application uses the APIs to improve Exchange support. |
| 429 | Through the Email application, Exchange administrators can enforce password |
| 430 | policies — including alphanumeric passwords or numeric PINs — across |
| 431 | devices. Administrators can also remotely wipe (that is, restore factory |
| 432 | defaults on) lost or stolen handsets.</p> |
| 433 | <p>In addition to use in applications included with the Android system, these APIs |
| 434 | are available to third-party providers of Device Management solutions. Details |
| 435 | on the API are provided here: |
| 436 | <a href="https://devel |
| 437 | oper.android.com/guide/topics/admin/device-admin.html">https://developer.android.com/guide/topics/admin/device-admin.html</a>.</p> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 438 | |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 439 | <h1 id="android-application-security">Android Application Security</h1> |
| 440 | <h2 id="elements-of-applications">Elements of Applications</h2> |
| 441 | <p>Android provides an open source platform and application environment for mobile |
| 442 | devices. The core operating system is based on the Linux kernel. Android |
| 443 | applications are most often written in the Java programming language and run in |
| 444 | the Dalvik virtual machine. However, applications can also be written in native |
| 445 | code. Applications are installed from a single file with the .apk file |
| 446 | extension.</p> |
| 447 | <p>The main Android application building blocks are:</p> |
| 448 | <ul> |
| 449 | <li> |
| 450 | <p><strong>AndroidManifest.xml</strong>: The |
| 451 | <a href="https://developer.android.com/guide/topics/manifest/manifes |
| 452 | t-intro.html">AndroidManifest.xml</a> file is the control file that tells the system what to do with |
| 453 | all the top-level components (specifically activities, services, broadcast |
| 454 | receivers, and content providers described below) in an application. This also |
| 455 | specifies which permissions are required.</p> |
| 456 | </li> |
| 457 | <li> |
| 458 | <p><strong>Activities</strong>: An |
| 459 | <a href="https://developer.android.com/guide/topics/fundamentals/activities.htm |
| 460 | l">Activity</a> is, generally, the code for a single, user-focused task. It usually |
| 461 | includes displaying a UI to the user, but it does not have to -- some |
| 462 | Activities never display UIs. Typically, one of the application's Activities |
| 463 | is the entry point to an application.</p> |
| 464 | </li> |
| 465 | <li> |
| 466 | <p><strong>Services</strong>: A |
| 467 | <a href="https://developer.android.com/guide/topics/fundamentals/services.html">Service</a> |
| 468 | is a body of code that runs in the background. It can run in its own process, |
| 469 | or in the context of another application's process. Other components "bind" to |
| 470 | a Service and invoke methods on it via remote procedure calls. An example of a |
| 471 | Service is a media player: even when the user quits the media-selection UI, the |
| 472 | user probably still intends for music to keep playing. A Service keeps the |
| 473 | music going even when the UI has completed.</p> |
| 474 | </li> |
| 475 | <li> |
| 476 | <p><strong>Broadcast Receiver</strong>: A |
| 477 | <a href="https://developer.android.com/reference/android/content/Broad |
| 478 | castReceiver.html">BroadcastReceiver</a> is an object that is instantiated when an IPC mechanism |
| 479 | known as an |
| 480 | <a href="https://developer.android.com/reference/android/content/Intent.html">Intent</a> |
| 481 | is issued by the operating system or another application. An application may |
| 482 | register a receiver for the low battery message, for example, and change its |
| 483 | behavior based on that information.</p> |
| 484 | </li> |
| 485 | </ul> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 486 | |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 487 | <h2 id="the-android-permission-model-accessing-protected-apis">The Android Permission Model: Accessing Protected APIs</h2> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 488 | <p>All applications on Android run in an Application Sandbox, described earlier in this document. |
| 489 | By default, an Android application can only access a limited range of system |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 490 | resources. The system manages Android application access to resources that, if |
| 491 | used incorrectly or maliciously, could adversely impact the user experience, |
| 492 | the network, or data on the device.</p> |
| 493 | <p>These restrictions are implemented in a variety of different forms. Some |
| 494 | capabilities are restricted by an intentional lack of APIs to the sensitive |
| 495 | functionality (e.g. there is no Android API for directly manipulating the SIM |
| 496 | card). In some instances, separation of roles provides a security measure, as |
| 497 | with the per-application isolation of storage. In other instances, the |
| 498 | sensitive APIs are intended for use by trusted applications and protected |
| 499 | through a security mechanism known as Permissions.</p> |
| 500 | <p>These protected APIs include:</p> |
| 501 | <ul> |
| 502 | <li>Camera functions</li> |
| 503 | <li>Location data (GPS)</li> |
| 504 | <li>Bluetooth functions</li> |
| 505 | <li>Telephony functions</li> |
| 506 | <li>SMS/MMS functions</li> |
| 507 | <li>Network/data connections</li> |
| 508 | </ul> |
| 509 | <p>These resources are only accessible through the operating system. To make use |
| 510 | of the protected APIs on the device, an application must define the |
| 511 | capabilities it needs in its manifest. When preparing to install an |
| 512 | application, the system displays a dialog to the user that indicates the |
| 513 | permissions requested and asks whether to continue the installation. If the |
| 514 | user continues with the installation, the system accepts that the user has |
| 515 | granted all of the requested permissions. The user can not grant or deny |
| 516 | individual permissions -- the user must grant or deny all of the requested |
| 517 | permissions as a block.</p> |
| 518 | <p>Once granted, the permissions are applied to the application as long as it is |
| 519 | installed. To avoid user confusion, the system does not notify the user again |
| 520 | of the permissions granted to the application, and applications that are |
| 521 | included in the core operating system or bundled by an OEM do not request |
| 522 | permissions from the user. Permissions are removed if an application is |
| 523 | uninstalled, so a subsequent re-installation will again result in display of |
| 524 | permissions.</p> |
| 525 | <p>Within the device settings, users are able to view permissions for applications |
| 526 | they have previously installed. Users can also turn off some functionality |
| 527 | globally when they choose, such as disabling GPS, radio, or wi-fi.</p> |
| 528 | <p>In the event that an application attempts to use a protected feature which has |
| 529 | not been declared in the application's manifest, the permission failure will |
| 530 | typically result in a security exception being thrown back to the application. |
| 531 | Protected API permission checks are enforced at the lowest possible level to |
| 532 | prevent circumvention. An example of the user messaging when an application is |
| 533 | installed while requesting access to protected APIs is shown in <em>Figure 2</em>.</p> |
| 534 | <p>The system default permissions are described at |
| 535 | <a href="https://developer.android.com/reference/android/Manifest.permission.html">https://developer.android.com/reference/android/Manifest.permission.html</a>. |
| 536 | Applications may declare their own permissions for other applications to use. |
| 537 | Such permissions are not listed in the above location.</p> |
| 538 | <p>When defining a permission a protectionLevel attribute tells the system how the |
| 539 | user is to be informed of applications requiring the permission, or who is |
| 540 | allowed to hold a permission. Details on creating and using application |
| 541 | specific permissions are described at |
| 542 | <a href="https://develo |
| 543 | per.android.com/guide/topics/security/security.html">https://developer.android.com/guide/topics/security/security.html</a>.</p> |
| 544 | <p>There are some device capabilities, such as the ability to send SMS broadcast |
| 545 | intents, that are not available to third-party applications, but that may be |
| 546 | used by applications pre-installed by the OEM. These permissions use the |
| 547 | signatureOrSystem permission.</p> |
| 548 | <h2 id="how-users-understand-third-party-applications">How Users Understand Third-Party Applications</h2> |
| 549 | <p>Android strives to make it clear to users when they are interacting with |
| 550 | third-party applications and inform the user of the capabilities those |
| 551 | applications have. Prior to installation of any application, the user is shown |
| 552 | a clear message about the different permissions the application is requesting. |
| 553 | After install, the user is not prompted again to confirm any permissions.</p> |
| 554 | <p>There are many reasons to show permissions immediately prior to installation |
| 555 | time. This is when user is actively reviewing information about the |
| 556 | application, developer, and functionality to determine whether it matches their |
| 557 | needs and expectations. It is also important that they have not yet |
| 558 | established a mental or financial commitment to the app, and can easily compare |
| 559 | the application to other alternative applications.</p> |
| 560 | <p>Some other platforms use a different approach to user notification, requesting |
| 561 | permission at the start of each session or while applications are in use. The |
| 562 | vision of Android is to have users switching seamlessly between applications at |
| 563 | will. Providing confirmations each time would slow down the user and prevent |
| 564 | Android from delivering a great user experience. Having the user review |
| 565 | permissions at install time gives the user the option to not install the |
| 566 | application if they feel uncomfortable.</p> |
| 567 | <p>Also, many user interface studies have shown that over-prompting the user |
| 568 | causes the user to start saying "OK" to any dialog that is shown. One of |
| 569 | Android's security goals is to effectively convey important security |
| 570 | information to the user, which cannot be done using dialogs that the user will |
| 571 | be trained to ignore. By presenting the important information once, and only |
| 572 | when it is important, the user is more likely to think about what they are |
| 573 | agreeing to.</p> |
| 574 | <p>Some platforms choose not to show any information at all about application |
| 575 | functionality. That approach prevents users from easily understanding and |
| 576 | discussing application capabilities. While it is not possible for all users to |
| 577 | always make fully informed decisions, the Android permissions model makes |
| 578 | information about applications easily accessible to a wide range of users. For |
| 579 | example, unexpected permissions requests can prompt more sophisticated users to |
| 580 | ask critical questions about application functionality and share their concerns |
| 581 | in places such as <a href="htts://play.google.com">Google Play</a> where they |
| 582 | are visible to all users.</p> |
| 583 | <table> |
| 584 | <tr> |
| 585 | <td><strong>Permissions at Application Install -- Google Maps</strong></td> |
| 586 | <td><strong>Permissions of an Installed Application -- gMail</strong></td> |
| 587 | </tr> |
| 588 | <tr> |
| 589 | <td> |
| 590 | <img alt="Permissions at Application Install -- Google Maps" width=250 |
| 591 | src="images/image_install.png"/> |
| 592 | </td> |
| 593 | <td> |
| 594 | <img alt="Permissions of an Installed Application -- gMail" width=250 |
| 595 | src="images/image_gmail_installed.png"/> |
| 596 | </td> |
| 597 | </tr> |
| 598 | </table> |
| 599 | |
| 600 | <p><em>Figure 2: Display of permissions for applications</em></p> |
| 601 | <h2 id="interprocess-communication">Interprocess Communication</h2> |
| 602 | <p>Processes can communicate using any of the traditional UNIX-type mechanisms. |
| 603 | Examples include the filesystem, local sockets, or signals. However, the Linux |
| 604 | permissions still apply.</p> |
| 605 | <p>Android also provides new IPC mechanisms:</p> |
| 606 | <ul> |
| 607 | <li> |
| 608 | <p><strong>Binder</strong>: A lightweight capability-based remote procedure call mechanism |
| 609 | designed for high performance when performing in-process and cross-process |
| 610 | calls. Binder is implemented using a custom Linux driver. See |
| 611 | <a href="https://developer |
| 612 | .android.com/reference/android/os/Binder.html">https://developer.android.com/reference/android/os/Binder.html</a>.</p> |
| 613 | </li> |
| 614 | <li> |
| 615 | <p><strong>Services</strong>: Services (discussed above) can provide interfaces directly |
| 616 | accessible using binder.</p> |
| 617 | </li> |
| 618 | <li> |
| 619 | <p><strong>Intents</strong>: An Intent is a simple message object that represents an |
| 620 | "intention" to do something. For example, if your application wants to display |
| 621 | a web page, it expresses its "Intent" to view the URL by creating an Intent |
| 622 | instance and handing it off to the system. The system locates some other piece |
| 623 | of code (in this case, the Browser) that knows how to handle that Intent, and |
| 624 | runs it. Intents can also be used to broadcast interesting events (such as a |
| 625 | notification) system-wide. See |
| 626 | [https://developer.android.com/reference/android/content/Intent.html](https://developer.android.com/reference/android/content/Intent.html.</p> |
| 627 | </li> |
| 628 | <li> |
| 629 | <p><strong>ContentProviders</strong>: A ContentProvider is a data storehouse that provides |
| 630 | access to data on the device; the classic example is the ContentProvider that |
| 631 | is used to access the user's list of contacts. An application can access data |
| 632 | that other applications have exposed via a ContentProvider, and an application |
| 633 | can also define its own ContentProviders to expose data of its own. See |
| 634 | <a href="https://developer.android.com/reference/android/content/ContentProvider.html">https://developer.android.com/reference/android/content/ContentProvider.html</a>.</p> |
| 635 | </li> |
| 636 | </ul> |
| 637 | <p>While it is possible to implement IPC using other mechanisms such as network |
| 638 | sockets or world-writable files, these are the recommended Android IPC |
| 639 | frameworks. Android developers will be encouraged to use best practices around |
| 640 | securing users' data and avoiding the introduction of security vulnerabilities.</p> |
| 641 | <h2 id="cost-sensitive-apis">Cost-Sensitive APIs</h2> |
| 642 | <p>A cost sensitive API is any function that might generate a cost for the user or |
| 643 | the network. The Android platform has placed cost sensitive APIs in the list of |
| 644 | protected APIs controlled by the OS. The user will have to grant explicit |
| 645 | permission to third-party applications requesting use of cost sensitive APIs. |
| 646 | These APIs include:</p> |
| 647 | <ul> |
| 648 | <li>Telephony</li> |
| 649 | <li>SMS/MMS</li> |
| 650 | <li>Network/Data</li> |
| 651 | <li>In-App Billing</li> |
| 652 | <li>NFC Access</li> |
| 653 | </ul> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 654 | |
| 655 | <p> Android 4.2 adds further control on the use of SMS. Android will provide a |
| 656 | notification if an application attempts to send SMS to a short code that uses |
| 657 | premium services which might cause additional charges. The user can choose |
| 658 | whether to allow the application to send the message or block it. |
| 659 | </p> |
| 660 | |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 661 | <h2 id="sim-card-access">SIM Card Access</h2> |
| 662 | <p>Low level access to the SIM card is not available to third-party apps. The OS |
| 663 | handles all communications with the SIM card including access to personal |
| 664 | information (contacts) on the SIM card memory. Applications also cannot access |
| 665 | AT commands, as these are managed exclusively by the Radio Interface Layer |
| 666 | (RIL). The RIL provides no high level APIs for these commands.</p> |
| 667 | <h2 id="personal-information">Personal Information</h2> |
| 668 | <p>Android has placed APIs that provide access to user data into the set of |
| 669 | protected APIs. With normal usage, Android devices will also accumulate user |
| 670 | data within third-party applications installed by users. Applications that |
| 671 | choose to share this information can use Android OS permission checks to |
| 672 | protect the data from third-party applications.</p> |
| 673 | <p><img alt="Figure 3: Access to sensitive user data is only available through protected |
| 674 | APIs" src="images/image03.png" /></p> |
| 675 | <p><em>Figure 3: Access to sensitive user data is only available through protected |
| 676 | APIs</em></p> |
| 677 | <p>System content providers that are likely to contain personal or personally |
| 678 | identifiable information such as contacts and calendar have been created with |
| 679 | clearly identified permissions. This granularity provides the user with clear |
| 680 | indication of the types of information that may be provided to the application. |
| 681 | During installation, a third-party application may request permission to |
| 682 | access these resources. If permission is granted, the application can be |
| 683 | installed and will have access to the data requested at any time when it is |
| 684 | installed.</p> |
| 685 | <p>Any applications which collect personal information will, by default, have that |
| 686 | data restricted only to the specific application. If an application chooses to |
| 687 | make the data available to other applications though IPC, the application |
| 688 | granting access can apply permissions to the IPC mechanism that are enforced by |
| 689 | the operating system.</p> |
| 690 | <h2 id="sensitive-data-input-devices">Sensitive Data Input Devices</h2> |
| 691 | <p>Android devices frequently provide sensitive data input devices that allow |
| 692 | applications to interact with the surrounding environment, such as camera, |
| 693 | microphone or GPS. For a third-party application to access these devices, it |
| 694 | must first be explicitly provided access by the user through the use of Android |
| 695 | OS Permissions. Upon installation, the installer will prompt the user |
| 696 | requesting permission to the sensor by name.</p> |
| 697 | <p>If an application wants to know the user's location, the application requires a |
| 698 | permission to access the user's location. Upon installation, the installer will |
| 699 | prompt the user asking if the application can access the user's location. At |
| 700 | any time, if the user does not want any application to access their location, |
| 701 | then the user can run the "Settings" application, go to "Location & Security", |
| 702 | and uncheck the "Use wireless networks" and "Enable GPS satellites". This will |
| 703 | disable location based services for all applications on the user's device.</p> |
| 704 | <h2 id="device-metadata">Device Metadata</h2> |
| 705 | <p>Android also strives to restrict access to data that is not intrinsically |
| 706 | sensitive, but may indirectly reveal characteristics about the user, user |
| 707 | preferences, and the manner in which they use a device.</p> |
| 708 | <p>By default applications do not have access to operating system logs, |
| 709 | browser history, phone number, or hardware / network identification |
| 710 | information. If an application requests access to this information at install |
| 711 | time, the installer will prompt the user asking if the application can access |
| 712 | the information. If the user does not grant access, the application will not be |
| 713 | installed.</p> |
| 714 | <h2 id="application-signing">Application Signing</h2> |
| 715 | <p>Code signing allows developers to identify the author of the application and to |
| 716 | update their application without creating complicated interfaces and |
| 717 | permissions. Every application that is run on the Android platform must be |
| 718 | signed by the developer. Applications that attempt to install without being |
| 719 | signed will rejected by either Google Play or the package installer on |
| 720 | the Android device.</p> |
| 721 | <p>On Google Play, application signing bridges the trust Google has with the |
| 722 | developer and the trust the developer has with their application. Developers |
| 723 | know their application is provided, unmodified to the Android device; and |
| 724 | developers can be held accountable for behavior of their application.</p> |
| 725 | <p>On Android, application signing is the first step to placing an application in |
| 726 | its Application Sandbox. The signed application certificate defines which user |
| 727 | id is associated with which application; different applications run under |
| 728 | different user IDs. Application signing ensures that one application cannot |
| 729 | access any other application except through well-defined IPC.</p> |
| 730 | <p>When an application (APK file) is installed onto an Android device, the Package |
| 731 | Manager verifies that the APK has been properly signed with the certificate |
| 732 | included in that APK. If the certificate (or, more accurately, the public key |
| 733 | in the certificate) matches the key used to sign any other APK on the device, |
| 734 | the new APK has the option to specify in the manifest that it will share a UID |
| 735 | with the other similarly-signed APKs.</p> |
| 736 | <p>Applications can be signed by a third-party (OEM, operator, alternative market) |
| 737 | or self-signed. Android provides code signing using self-signed certificates |
| 738 | that developers can generate without external assistance or permission. |
| 739 | Applications do not have to be signed by a central authority. Android currently |
| 740 | does not perform CA verification for application certificates.</p> |
| 741 | <p>Applications are also able to declare security permissions at the Signature |
| 742 | protection level, restricting access only to applications signed with the same |
| 743 | key while maintaining distinct UIDs and Application Sandboxes. A closer |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 744 | relationship with a shared Application Sandbox is allowed via the |
| 745 | <a href="https://developer.android.com/guide/topics/manifest/manifest-element.html#uid">shared UID |
| 746 | feature</a> where two or more applications signed with same developer key can |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 747 | declare a shared UID in their manifest.</p> |
Robert Ly | 9ca4369 | 2013-04-16 13:10:20 -0700 | [diff] [blame] | 748 | |
| 749 | <h2 id="app-verification">Application Verification</h2> |
| 750 | <p> |
| 751 | Android 4.2 and later support application verification. Users can choose to |
| 752 | enable “Verify Apps" and have applications evaluated by an application verifier |
| 753 | prior to installation. App verification can alert the user if they try to |
| 754 | install an app that might be harmful; if an application is especially bad, it |
| 755 | can block installation. |
| 756 | </p> |
| 757 | |
Robert Ly | 35f2fda | 2013-01-29 16:27:05 -0800 | [diff] [blame] | 758 | <h2 id="digital-rights-management">Digital Rights Management</h2> |
| 759 | <p>The Android platform provides an extensible DRM framework that lets |
| 760 | applications manage rights-protected content according to the license |
| 761 | constraints that are associated with the content. The DRM framework supports |
| 762 | many DRM schemes; which DRM schemes a device supports is left to the device |
| 763 | manufacturer.</p> |
| 764 | <p>The <a href="https://developer.android.com/reference/android/drm/package-summary.html">Android DRM |
| 765 | framework</a> |
| 766 | is implemented in two architectural layers (see figure below):</p> |
| 767 | <ul> |
| 768 | <li> |
| 769 | <p>A DRM framework API, which is exposed to applications through the Android |
| 770 | application framework and runs through the Dalvik VM for standard applications.</p> |
| 771 | </li> |
| 772 | <li> |
| 773 | <p>A native code DRM manager, which implements the DRM framework and exposes an |
| 774 | interface for DRM plug-ins (agents) to handle rights management and decryption |
| 775 | for various DRM schemes</p> |
| 776 | </li> |
| 777 | </ul> |
| 778 | <p><img alt="Figure 4: Architecture of Digital Rights Management on Android |
| 779 | platform" src="images/image02.png" /></p> |
| 780 | <p><em>Figure 4: Architecture of Digital Rights Management on Android platform</em></p> |
| 781 | <h1 id="android-updates">Android Updates</h1> |
| 782 | <p>Android provides system updates for both security and feature related purposes.</p> |
| 783 | <p>There are two ways to update the code on most Android devices: over-the-air |
| 784 | (OTA updates) or side-loaded updates. OTA updates can be rolled out over a |
| 785 | defined time period or be pushed to all devices at once, depending on how the |
| 786 | OEM and/or carrier would like to push the updates. Side-loaded updates can be |
| 787 | provided from a central location for users to download as a zip file to their |
| 788 | local desktop machine or directly to their handset. Once the update is copied |
| 789 | or downloaded to the SD card on the device, Android will recognize the update, |
| 790 | verify its integrity and authenticity, and automatically update the device.</p> |
| 791 | <p>If a dangerous vulnerability is discovered internally or responsibly reported |
| 792 | to Google or the Android Open Source Project, the Android security team will |
| 793 | start the following process.</p> |
| 794 | <ol> |
| 795 | <li>The Android team will notify companies who have signed NDAs regarding the |
| 796 | problem and begin discussing the solution.</li> |
| 797 | <li>The owners of code will begin the fix.</li> |
| 798 | <li>The Android team will fix Android-related security issues.</li> |
| 799 | <li>When a patch is available, the fix is provided to the NDA companies.</li> |
| 800 | <li>The Android team will publish the patch in the Android Open Source Project</li> |
| 801 | <li>OEM/carrier will push an update to customers.</li> |
| 802 | </ol> |
| 803 | <p>The NDA is required to ensure that the security issue does not become public |
| 804 | prior to availabilty of a fix and put users at risk. Many OHA members run their |
| 805 | own code on Android devices such as the bootloader, wifi drivers, and the |
| 806 | radio. Once the Android Security team is notified of a security issue in this |
| 807 | partner code, they will consult with OHA partners to quickly find a fix for the |
| 808 | problem at hand and similar problems. However, the OHA member who wrote the |
| 809 | faulty code is ultimately responsible for fixing the problem.</p> |
| 810 | <p>If a dangerous vulnerability is not responsibly disclosed (e.g., if it is |
| 811 | posted to a public forum without warning), then Google and/or the Android Open |
| 812 | Source Project will work as quickly as possible to create a patch. The patch |
| 813 | will released to the public (and any partners) when the patch is tested and |
| 814 | ready for use.</p> |
| 815 | <p>At Google I/O 2011, many of the largest OHA partners committed to providing |
| 816 | updates to devices for 18 months after initial shipment. This will provide |
| 817 | users with access to the most recent Android features, as well as security |
| 818 | updates.</p> |
| 819 | <p>Any developer, Android user, or security researcher can notify the Android |
| 820 | security team of potential security issues by sending email to |
| 821 | security@android.com. If desired, communication can be encrypted using the |
| 822 | Android security team PGP key available here: |
| 823 | <a href="https://developer.android.com/security_at_android_dot_com.txt">https://developer.android.com/security_at_android_dot_com.txt</a>.</p> |
| 824 | <h1 id="other-resources">Other Resources</h1> |
| 825 | <p>Information about the Android Open Source Project is available at |
| 826 | <a href="https://source.android.com">https://source.android.com</a>.</p> |
| 827 | <p>Information for Android application developers is here: |
| 828 | <a href="https://developer.android.com">https://developer.android.com</a>.</p> |
| 829 | <p>The Android Security team can be reached at |
| 830 | <a href="mailto:security@android.com">security@android.com</a>.</p> |
| 831 | <p>Security information exists throughout the Android Open Source and Developer |
| 832 | Sites. A good place to start is here: |
| 833 | <a href="https://developer.android.com/guide/topics/security/security.html">https://developer.android.com/guide/topics/security/security.html</a>.</p> |
| 834 | <p>A Security FAQ for developers is located here: |
| 835 | <a href="https://developer.android.com/resources/faq/security.html">https://developer.android.com/resources/faq/security.html</a>.</p> |
| 836 | <p>Security Best Practices for developers is located here: |
| 837 | <a href="https://developer.android.com/guide/practices/security.html">https://developer.android.com/guide/practices/security.html</a>.</p> |
| 838 | <p>A community resource for discussion about Android security exists here: |
| 839 | <a href="https://groups.google.com/forum/?fromgroups#!forum/android-security-discuss">https://groups.google.com/forum/?fromgroups#!forum/android-security-discuss</a>.</p> |