page.title=Security updates and resources
@jd:body

<!--
Copyright 2015 The Android Open Source Project

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<div id="qv-wrapper">
<div id="qv">
<h2>In this document</h2>
<ol id="auto-toc"></ol>
</div>
</div>

<h2 id=android_security_bug_lifecycle>Android security bug lifecycle</h2>

<p>The Android security team is responsible for managing security vulnerabilities
discovered in the Android platform and many of the core Android apps bundled
with Android devices.</p>

<p>The Android security team finds security vulnerabilities through internal
research and also responds to bugs reported by third parties. Sources of
external bugs include issues reported through the <a
href="https://code.google.com/p/android/issues/list">Android Open Source
Project (AOSP) bug tracker</a>, published and pre-published academic research,
upstream open source project maintainers, notifications from our device
manufacturer partners, and publicly disclosed issues posted on blogs or social
media.</p>

<h2 id=report-issues>Reporting security issues</h2>

<p>Any developer, Android user, or security researcher can notify the Android
security team of potential security issues through the AOSP bug tracker <a
href="https://code.google.com/p/android/issues/entry?template=Security%20bug%20report">Security
bug report</a> template.</p>

<p>Bugs marked as security issues are not externally visible, but they may
eventually be made visible after the issue is evaluated or resolved. If you
plan to submit a patch or Compatibility Test Suite (CTS) test to resolve a
security issue, please attach it to the bug report and wait for a response
before uploading the code to AOSP.</p>

<p>If you need to reach the Android security team for a purpose other than
reporting a vulnerability, please contact <a
href="mailto:security@android.com">security@android.com</a>. The Android
security team has a <a
href="https://developer.android.com/security_at_android_dot_com.txt">PGP
key</a> if you need to encrypt your message.</p>

<h2 id=triaging_bugs>Triaging bugs</h2>

<p>The first task in handling a security vulnerability is to identify the severity
of the bug and which component of Android is affected. The severity determines
how the issue is prioritized, and the component determines who fixes the bug,
who is notified, and how the fix gets deployed to users.</p>

<h3 id=severity>Severity</h3>

<p>The severity of a bug generally reflects the potential harm that could occur if
the bug were successfully exploited. Use the following criteria to determine the
severity:</p>
<p class="table-caption" id="severity-criteria">
<strong>Table 1.</strong> Severity ratings and associated consequences</p>
<table>
<tr>
<th>Rating</th>
<th>Consequence of successful exploitation</th>
</tr>
<tr>
<td><strong>Critical</strong></td>
<td>
<ul>
<li>Remote privileged code execution (execution at a privilege level that
third-party apps cannot obtain)
<li>Local permanent device compromise (device cannot be repaired without
re-flashing the entire operating system, such as a verified boot or Trusted
Execution Environment/TEE compromise)
<li>Remote permanent denial of service (inoperability, either completely permanent
or requiring re-flashing the device)
</ul>
</td>
</tr>
<tr>
<td><strong>High</strong></td>
<td>
<ul>
<li>Remote unprivileged code execution (execution at a privilege level that
third-party apps can obtain through installation)
<li>Local access to system/signature-level permission data or capabilities without
permission
<li>Local permanent denial-of-service (inoperability, either completely permanent
or requiring re-flashing the device)
<li>Remote temporary denial-of-service (remote hang or reboot)
</ul>
</td>
</tr>
<tr>
<td><strong>Moderate</strong></td>
<td>
<ul>
<li>Access to "<a
href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a>"
level permission data or capabilities without permission with an app installed
on the device
<li>Local temporary denial-of-service (can be resolved only through a factory
reset)
</ul>
</td>
</tr>
<tr>
<td><strong>Low</strong></td>
<td>
<ul>
<li>Access to "<a
href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">normal</a>"
level permission capabilities without permission with an app installed on the
device
<li>Local temporary denial-of-service (can be resolved by booting the device into
Safe Mode and removing the problem application)
</ul>
</td>
</tr>
</table>

<p>Many types of software bugs fall outside the security vulnerabilities
detailed above; reported bugs are evaluated on a case-by-case basis to
determine what security impact they have.</p>

<p>The Android security team may also adjust the severity of a vulnerability if it
is determined the risk to users is higher or lower than the guidelines suggest.
For example, if a certain piece of data is available only to apps with "system"
level access but the data itself is not sensitive, the Android security
team may consider it only a low-severity vulnerability.</p>

<h4 id=local_vs_remote>Local vs. remote</h4>

<p>A remote attack vector indicates the bug could be exploited without installing
an app or without physical access to the device. This includes bugs that could
be triggered by browsing to a web page, reading an email, receiving an SMS
message, or connecting to a hostile network. For the purpose of our severity
ratings, the Android security team also considers "proximal" attack vectors as
remote. These include bugs that can be exploited only by an attacker who is
physically near the target device, for example a bug that requires sending
malformed Wi-Fi or Bluetooth packets.</p>

<p>Local attacks require the victim to install an app. For the purpose of severity
ratings, the Android security team also considers physical attack vectors as
local. These include bugs that can be exploited only by an attacker who has
physical access to the device, for example a bug in a lock screen or one that
requires plugging in a USB cable. The Android security team also considers
NFC-based attacks as local.</p>

<h4 id=high_privilege_levels>Severity of vulnerabilities that affect high privilege levels</h4>

<p>The Android security team will usually drop the severity rating for a bug that
already requires executing code at a high privilege level. One example is a bug
in a kernel driver that is accessible only from a privileged service, so
exploiting it requires first compromising the service. In this case, the Android
security team may drop the severity from "high" to "moderate."</p>

<h4 id=severity_of_kernel_compromises>Severity of kernel compromises</h4>

<p>Whether a vulnerability that compromises the kernel is considered "high" or
"critical" depends on the device and the version of Android. On devices with a
TEE (or TrustZone) and <a
href="{@docRoot}security/verifiedboot/index.html">verified
boot</a>, a kernel compromise is considered "high" because exploiting it won't
allow permanently affecting the operation of the device unless a vulnerability is
discovered in the TEE or verified boot implementation. In general, if the
result of a compromise can be remediated with a factory reset, it's "high" or
lower.</p>

<p>However, on older devices without verified boot, a kernel compromise can result
in permanent device compromise if SELinux is disabled and the system partition
is modified. On such a device, a kernel compromise is considered "critical"
because remediation requires re-flashing the device's firmware image.</p>

<h3 id=affected_component>Affected component</h3>

<p>The development team responsible for fixing the bug depends on which component
the bug is in. It could be a core component of the Android platform, a kernel
driver supplied by an original equipment manufacturer (OEM), or one of the
pre-loaded apps on Nexus devices.</p>

<p>Bugs in AOSP code are fixed by the Android engineering team. Low-severity bugs,
bugs in certain components, or bugs that are already publicly known may be
fixed directly in the publicly available AOSP master branch; otherwise they're
fixed in our internal repositories first.</p>

<p>The component is also a factor in how users get updates. A bug in the framework
or kernel will require an over-the-air (OTA) firmware update that each OEM will
need to push. A bug in an app or library published in Google Play (e.g., Gmail,
Google Play Services, WebView in Lollipop and later versions) can be sent to
Android users as an update from Google Play.</p>

<h2 id=notifying_partners>Notifying partners</h2>

<p>When a moderate or higher severity security vulnerability in AOSP is fixed,
we'll notify <a href="http://www.openhandsetalliance.com/">Open Handset
Alliance</a> members with the details of the issue and provide patches for the
most recent three Android releases. The Android security team currently
provides patches for Android versions 4.4 (KitKat), 5.0 (Lollipop), and 5.1
(Lollipop MR1). This list of backport-supported versions changes with each new
Android release.</p>

<h2 id=releasing_code_to_aosp>Releasing code to AOSP</h2>

<p>If the security bug is in an AOSP component, the fix will be pushed out to AOSP
after the OTA is released to users. Fixes for low-severity issues may be
submitted directly to the AOSP master branch before a fix is available.</p>

<h2 id=android_updates>Receiving Android updates</h2>

<p>Updates to the Android system are generally delivered to devices through
OTA update packages. These updates may come from the OEM who
produced the device or the carrier who provides service to the device. Google
Nexus device updates come from the Google Nexus team after going through a
carrier technical acceptance (TA) testing procedure. Google also publishes <a
href="https://developers.google.com/android/nexus/images">Nexus factory
images</a> that can be side-loaded to devices.</p>

<h2 id=updating_google_services>Updating Google services</h2>

<p>In addition to providing patches for security bugs, the Android security team
also reviews security bugs to determine if there are other ways to protect
users. For example, Google Play scans all applications and will remove any
application that attempts to exploit a security bug. For applications installed
from outside of Google Play, devices with Google Play Services may also use the
<a href="https://support.google.com/accounts/answer/2812853">Verify Apps</a>
feature to warn users about applications that may be potentially harmful.</p>

<h2 id=other_resources>Other resources</h2>

<p>Information for Android application developers: <a
href="https://developer.android.com">https://developer.android.com</a></p>

<p>The Android security team can be reached at <a
href="mailto:security@android.com">security@android.com</a>. Our PGP key: <a
href="https://developer.android.com/security_at_android_dot_com.txt">https://developer.android.com/security_at_android_dot_com.txt</a></p>

<p>Security information exists throughout the Android Open Source and Developer
sites. Good places to start:<br>
<a href="http://source.android.com/security/index.html">{@docRoot}security/index.html</a><br>
<a href="https://developer.android.com/training/articles/security-tips.html">https://developer.android.com/training/articles/security-tips.html</a></p>

<p>Community resource for discussion about Android security: <a
href="https://groups.google.com/forum/?fromgroups#!forum/android-security-discuss">https://groups.google.com/forum/?fromgroups#!forum/android-security-discuss</a></p>