page.title= Security updates and resources
@jd:body

<!--
    Copyright 2015 The Android Open Source Project

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-->
<div id="qv-wrapper">
  <div id="qv">
    <h2>In this document</h2>
    <ol id="auto-toc"></ol>
  </div>
</div>

<h2 id=android_security_bug_lifecycle>Android security bug lifecycle</h2>

<p>The Android security team is responsible for managing security vulnerabilities
discovered in the Android platform and many of the core Android apps bundled
with Android devices.</p>

<p>The Android security team finds security vulnerabilities through internal
research and also responds to bugs reported by third parties. Sources of
external bugs include issues reported through the <a
href="https://code.google.com/p/android/issues/list">Android Open Source
Project (AOSP) bug tracker</a>, published and pre-published academic research,
upstream open source project maintainers, notifications from our device
manufacturer partners, and publicly disclosed issues posted on blogs or social
media.</p>

<h2 id=report-issues>Reporting security issues</h2>

<p>Any developer, Android user, or security researcher can notify the Android
security team of potential security issues through the AOSP bug tracker <a
href="https://code.google.com/p/android/issues/entry?template=Security%20bug%20report">Security
bug report</a> template.</p>

<p>Bugs marked as security issues are not externally visible, but they may
eventually be made visible after the issue is evaluated or resolved. If you
plan to submit a patch or Compatibility Test Suite (CTS) test to resolve a
security issue, please attach it to the bug report and wait for a response
before uploading the code to AOSP.</p>

<p>If you need to reach the Android security team for a purpose other than
reporting a vulnerability, please contact <a
href="mailto:security@android.com">security@android.com</a>. The Android
security team has a <a
href="https://developer.android.com/security_at_android_dot_com.txt">PGP
key</a> if you need to encrypt your message.</p>

<h2 id=triaging_bugs>Triaging bugs</h2>

<p>The first task in handling a security vulnerability is to identify the severity
of the bug and which component of Android is affected. The severity determines
how the issue is prioritized, and the component determines who fixes the bug,
who is notified, and how the fix gets deployed to users.</p>

<h3 id=severity>Severity</h3>

<p>The severity of a bug generally reflects the potential harm that could occur if
the bug were successfully exploited. Use the following criteria to determine the
severity:</p>
<p class="table-caption" id="severity-criteria">
  <strong>Table 1.</strong> Severity ratings and associated consequences</p>
<table>
  <tr>
    <th>Rating</th>
    <th>Consequence of successful exploitation</th>
  </tr>
  <tr>
    <td><strong>Critical</strong></td>
    <td>
      <ul>
        <li>Remote privileged code execution (execution at a privilege level that
        third-party apps cannot obtain)
        <li>Local permanent device compromise (device cannot be repaired without
        re-flashing the entire operating system, such as a verified boot or Trusted
        Execution Environment/TEE compromise)
        <li>Remote permanent denial of service (inoperability, either completely permanent
        or requiring re-flashing the device)
      </ul>
    </td>
  </tr>
  <tr>
    <td><strong>High</strong></td>
    <td>
      <ul>
        <li>Remote unprivileged code execution (execution at a privilege level that
        third-party apps can obtain through installation)
        <li>Local access to system/signature-level permission data or capabilities without
        permission
        <li>Local permanent denial of service (inoperability, either completely permanent
        or requiring re-flashing the device)
        <li>Remote temporary denial of service (remote hang or reboot)
      </ul>
    </td>
  </tr>
  <tr>
    <td><strong>Moderate</strong></td>
    <td>
      <ul>
        <li>Access to "<a
        href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a>"
        level permission data or capabilities without permission with an app installed
        on the device
        <li>Local temporary denial of service (can be resolved only through a factory
        reset)
      </ul>
    </td>
  </tr>
  <tr>
    <td><strong>Low</strong></td>
    <td>
      <ul>
        <li>Access to "<a
        href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">normal</a>"
        level permission capabilities without permission with an app installed on the
        device
        <li>Local temporary denial of service (can be resolved by booting the device into
        Safe Mode and removing the problem application)
      </ul>
    </td>
  </tr>
</table>

<p>Many types of software bugs fall outside the security vulnerabilities detailed
above; reported bugs are nonetheless evaluated on a case-by-case basis to
determine what security impact, if any, they have.</p>

<p>The Android security team may also adjust the severity of a vulnerability if it
is determined the risk to users is higher or lower than the guidelines suggest.
For example, if a certain piece of data is available only to apps with "system"
level access but the data itself is not sensitive, the Android security
team may consider it only a low-severity vulnerability.</p>

<h4 id=local_vs_remote>Local vs. remote</h4>

<p>A remote attack vector indicates the bug could be exploited without installing
an app or without physical access to the device. This includes bugs that could
be triggered by browsing to a web page, reading an email, receiving an SMS
message, or connecting to a hostile network. For the purpose of our severity
ratings, the Android security team also considers "proximal" attack vectors as
remote. These include bugs that can be exploited only by an attacker who is
physically near the target device, for example a bug that requires sending
malformed Wi-Fi or Bluetooth packets.</p>

<p>Local attacks require the victim to install an app. For the purpose of severity
ratings, the Android security team also considers physical attack vectors as
local. These include bugs that can be exploited only by an attacker who has
physical access to the device, for example a bug in a lock screen or one that
requires plugging in a USB cable. The Android security team also considers
NFC-based attacks as local.</p>

<h4 id=high_privilege_levels>Severity of vulnerabilities that affect high privilege levels</h4>

<p>The Android security team will usually drop the severity rating for a bug that
already requires executing code at a high privilege level. For example, consider
a bug in a kernel driver that is accessible only from a privileged service, so
that exploiting it first requires compromising that service. In this case, the
Android security team may drop the severity from "high" to "moderate."</p>

<h4 id=severity_of_kernel_compromises>Severity of kernel compromises</h4>

<p>Whether a vulnerability that compromises the kernel is considered "high" or
"critical" depends on the device and the version of Android. On devices with a
TEE (or TrustZone) and <a
href="{@docRoot}security/verifiedboot/index.html">verified
boot</a>, a kernel compromise is considered "high" because exploiting it won't
allow permanently affecting the operation of the device unless a vulnerability is
discovered in the TEE or verified boot implementation. In general, if the
result of a compromise can be remediated with a factory reset, it's "high" or
lower.</p>

<p>However, on older devices without verified boot, a kernel compromise can result
in permanent device compromise if SELinux is disabled and the system partition
is modified. On such a device, a kernel compromise is considered "critical"
because remediation requires re-flashing the device's firmware image.</p>

<h3 id=affected_component>Affected component</h3>

<p>The development team responsible for fixing the bug depends on which component
the bug is in. It could be a core component of the Android platform, a kernel
driver supplied by an original equipment manufacturer (OEM), or one of the
pre-loaded apps on Nexus devices.</p>

<p>Bugs in AOSP code are fixed by the Android engineering team. Low-severity bugs,
bugs in certain components, or bugs that are already publicly known may be
fixed directly in the publicly available AOSP master branch; otherwise they're
fixed in our internal repositories first.</p>

<p>The component is also a factor in how users get updates. A bug in the framework
or kernel will require an over-the-air (OTA) firmware update that each OEM will
need to push. A bug in an app or library published in Google Play (e.g., Gmail,
Google Play Services, WebView in Lollipop and later versions) can be sent to
Android users as an update from Google Play.</p>

<h2 id=notifying_partners>Notifying partners</h2>

<p>When a moderate or higher severity security vulnerability in AOSP is fixed,
we'll notify <a href="http://www.openhandsetalliance.com/">Open Handset
Alliance</a> members with the details of the issue and provide patches for the
most recent three Android releases. The Android security team currently
provides patches for Android versions 4.4 (KitKat), 5.0 (Lollipop), and 5.1
(Lollipop MR1). This list of backport-supported versions changes with each new
Android release.</p>

<h2 id=releasing_code_to_aosp>Releasing code to AOSP</h2>

<p>If the security bug is in an AOSP component, the fix will be pushed out to AOSP
after the OTA is released to users. Fixes for low-severity issues may be
submitted directly to the AOSP master branch before a fix is available.</p>

<h2 id=android_updates>Receiving Android updates</h2>

<p>Updates to the Android system are generally delivered to devices through
OTA update packages. These updates may come from the OEM who
produced the device or the carrier who provides service to the device. Google
Nexus device updates come from the Google Nexus team after going through a
carrier technical acceptance (TA) testing procedure. Google also publishes <a
href="https://developers.google.com/android/nexus/images">Nexus factory
images</a> that can be side-loaded to devices.</p>

<h2 id=updating_google_services>Updating Google services</h2>

<p>In addition to providing patches for security bugs, the Android security team
also reviews security bugs to determine if there are other ways to protect
users. For example, Google Play scans all applications and will remove any
application that attempts to exploit a security bug. For applications installed
from outside of Google Play, devices with Google Play Services may also use the
<a href="https://support.google.com/accounts/answer/2812853">Verify Apps</a>
feature to warn users about applications that may be potentially harmful.</p>

<h2 id=other_resources>Other resources</h2>

<p>Information for Android application developers: <a
href="https://developer.android.com">https://developer.android.com</a></p>

<p>The Android security team can be reached at <a
href="mailto:security@android.com">security@android.com</a>. Our PGP key: <a
href="https://developer.android.com/security_at_android_dot_com.txt">https://developer.android.com/security_at_android_dot_com.txt</a></p>

<p>Security information exists throughout the Android Open Source and Developer
sites. Good places to start:<br>
<a href="http://source.android.com/security/index.html">{@docRoot}security/index.html</a><br>
<a href="https://developer.android.com/training/articles/security-tips.html">https://developer.android.com/training/articles/security-tips.html</a></p>

<p>Community resource for discussion about Android security: <a
href="https://groups.google.com/forum/?fromgroups#!forum/android-security-discuss">https://groups.google.com/forum/?fromgroups#!forum/android-security-discuss</a></p>