page.title=Android Security FAQ
excludeFromSuggestions=true
@jd:body

<ul>
  <li><a href="#secure">Is Android secure?</a></li>
  <li><a href="#issue">I think I found a security flaw. How do I report
  it?</a></li>
  <li><a href="#informed">How can I stay informed about Android security?</a></li>
  <li><a href="#use">How do I securely use my Android phone?</a></li>
  <li><a href="#malware">I think I found malicious software being distributed
  for Android. How can I help?</a></li>
  <li><a href="#fixes">How do Android-powered devices receive security fixes?</a>
  </li>
  <li><a href="#directfix">Can I get a fix directly from the Android Platform
  Project?</a></li>
</ul>


<a name="secure" id="secure"></a><h2>Is Android secure?</h2>

<p>The security and privacy of our users' data is of primary importance to the
Android Open Source Project. We are dedicated to building and maintaining one
of the most secure mobile platforms available while still fulfilling our goal
of opening the mobile device space to innovation and competition.</p>

<p>A comprehensive overview of the <a
href="http://source.android.com/tech/security/index.html">Android
security model and Android security processes</a> is provided on the Android
Open Source Project website.</p>

<p>Application developers play an important part in the security of Android.
The Android Platform provides developers with a rich <a
href="http://code.google.com/android/devel/security.html">security model</a>
that allows them to request the capabilities, or access, needed by their
application and to define new capabilities that other applications can request.
The Android user can choose to grant or deny an application's request for
certain capabilities on the handset.</p>

<p>We have made great efforts to secure the Android platform, but it is
inevitable that security bugs will be found in any system of this complexity.
Therefore, the Android team works hard to find new bugs internally and responds
quickly and professionally to vulnerability reports from external researchers.
</p>


<a name="issue" id="issue"></a><h2>I think I found a security flaw. How do I
report it?</h2>

<p>You can reach the Android security team at <a
href="mailto:security@android.com">security@android.com</a>. If you like, you
can protect your message using our <a
href="http://code.google.com/android/security_at_android_dot_com.txt">PGP
key</a>.</p>

<p>We appreciate researchers practicing responsible disclosure by emailing us
with a detailed summary of the issue and keeping the issue confidential while
users are at risk. In return, we will make sure to keep the researcher informed
of our progress in issuing a fix.</p>


<a name="informed" id="informed"></a><h2>How can I stay informed about Android security?</h2>

<p>For general discussion of Android platform security, or how to use
security features in your Android application, please subscribe to <a
href="http://groups.google.com/group/android-security-discuss">android-security-discuss</a>.
</p>


<a name="use" id="use"></a><h2>How do I securely use my Android phone?</h2>

<p>Android was designed so that you can safely use your phone without making
any changes to the device or installing any special software. Android applications
run in an Application Sandbox that limits access to sensitive information or data
with the user's permission.</p>

<p>To fully benefit from the security protections in Android, it is important that
users only download and install software from known sources.</p>

<p>As an open platform, Android allows users to visit any website and load
software from any developer onto a device. As with a home PC, the user must be
aware of who is providing the software they are downloading and must decide
whether they want to grant the application the capabilities it requests.
This decision can be informed by the user's judgment of the software
developer's trustworthiness, and where the software came from.</p>


<a name="malware" id="malware"></a><h2>I think I found malicious software being
distributed for Android. How can I help?</h2>

<p>As on any other platform, it will be possible for unethical developers
to create malicious software, known as <a
href="http://en.wikipedia.org/wiki/Malware">malware</a>, for Android. If you
think somebody is trying to spread malware, please let us know at <a
href="mailto:security@android.com">security@android.com</a>. Please include as
much detail about the application as possible, along with the location it is
being distributed from and why you suspect it of being malicious software.</p>

<p>The term <i>malicious software</i> is subjective, and we cannot make an
exhaustive definition. Examples of what the Android Security Team believes
to be malicious software include any application that:
<ul>
    <li>uses a bug or security vulnerability to gain permissions that have not
    been granted by the user;</li>
    <li>shows the user unsolicited messages (especially messages urging the
    user to buy something);</li>
    <li>resists (or attempts to resist) the user's effort to uninstall it;</li>
    <li>attempts to automatically spread itself to other devices;</li>
    <li>hides its files and/or processes;</li>
    <li>discloses the user's private information to a third party, without the
    user's knowledge and consent;</li>
    <li>destroys the user's data (or the device itself) without the user's
    knowledge and consent;</li>
    <li>impersonates the user (such as by sending email or buying things from a
    web store) without the user's knowledge and consent; or</li>
    <li>otherwise degrades the user's experience with the device.</li>
</ul>
</p>


<a name="fixes" id="fixes"></a><h2>How do Android-powered devices receive security
fixes?</h2>

<p>The manufacturer of each device is responsible for distributing software
upgrades for it, including security fixes. Many devices will update themselves
automatically with software downloaded "over the air", while some devices
require the user to upgrade them manually.</p>

<p>Google provides software updates for a number of Android devices, including
the <a href="http://www.google.com/nexus">Nexus</a>
series of devices, using an "over the air" (OTA) update. These updates may include
security fixes as well as new features.</p>

<a name="directfix" id="directfix"></a><h2>Can I get a fix directly from the
Android Platform Project?</h2>

<p>Android is a mobile platform that is released as open source and
available for free use by anybody. This means that there are many
Android-based products available to consumers, and most of them are created
without the knowledge or participation of the Android Open Source Project. Like
the maintainers of other open source projects, we cannot build and release
patches for the entire ecosystem of products using Android. Instead, we will
work diligently to find and fix flaws as quickly as possible and to distribute
those fixes to the manufacturers of the products through the open source project.</p>

<p>If you are making an Android-powered device and would like to know how you can
properly support your customers by keeping abreast of software updates, please
contact us at <a
href="mailto:info@openhandsetalliance.com">info@openhandsetalliance.com</a>.</p>