Android stores the history of the user's choices and manages such history by UsageStatsManager.
Device implementations:
Android stores the system events using the StatsLog identifiers, and manages such history via the StatsManager and the IncidentManager System API.
Device implementations:
DEST_AUTOMATIC in the incident report created by the System API class IncidentManager.
StatsLog SDK documents. If additional system events are logged, they MAY use a different atom identifier in the range between 100,000 and 200,000.
Device implementations:
[C-0-1] MUST NOT preload or distribute software components out-of-box that send the user’s private information (e.g. keystrokes, text displayed on the screen, bugreport) off the device without the user’s consent or clear ongoing notifications.
[C-0-2] MUST display and obtain explicit user consent that includes exactly the same message as AOSP whenever screen casting or screen recording is enabled via MediaProjection or proprietary APIs. MUST NOT provide users an affordance to disable future display of the user consent.
[C-0-3] MUST have an ongoing notification to the user while screen casting or screen recording is enabled. AOSP meets this requirement by showing an ongoing notification icon in the status bar.
If device implementations include functionality in the system that either captures the contents displayed on the screen and/or records the audio stream played on the device other than via the System API ContentCaptureService, or other proprietary means described in Section 9.8.5 Content Capture, they:
[C-1-1] MUST have an ongoing notification to the user whenever this functionality is enabled and actively capturing/recording.
If device implementations include a component enabled out-of-box, capable of recording ambient audio and/or recording the audio played on the device to infer useful information about the user’s context, they:
If device implementations have a USB port with USB peripheral mode support, they:
Device implementations:
If device traffic is routed through a VPN, device implementations:
If device implementations have a mechanism, enabled out-of-box by default, that routes network data traffic through a proxy server or VPN gateway (for example, preloading a VPN service with android.permission.CONTROL_VPN granted), they:
DevicePolicyManager.setAlwaysOnVpnPackage() (https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#setAlwaysOnVpnPackage%28android.content.ComponentName, java.lang.String, boolean%29), in which case the user does not need to provide a separate consent, but MUST only be notified.
If device implementations implement a user affordance to toggle on the “always-on VPN” function of a 3rd-party VPN app, they:
AndroidManifest.xml file via setting the SERVICE_META_DATA_SUPPORTS_ALWAYS_ON attribute to false.
Device implementations:
READ_PRIVILEGED_PHONE_STATE permission.
UICC Carrier Privileges.
READ_PHONE_STATE permission.
Android, through the System API ContentCaptureService, or by other proprietary means, supports a mechanism for device implementations to capture the following interactions between the applications and the user.
AssistStructure API.
Content Capture API or a similarly capable, proprietary API.
If device implementations capture the data above, they:
RAPPOR).
Account) on the device, except with explicit user consent each time the data is associated.
ContentCaptureService or the proprietary means collects if the data is stored in any form on the device.
If device implementations include a service that implements the System API ContentCaptureService, or any proprietary service that captures the data as described above, they:
[C-1-1] MUST NOT allow users to replace the content capture service with a user-installable application or service and MUST only allow the preloaded service to capture such data.
[C-1-2] MUST NOT allow any apps other than the preloaded content capture service mechanism to be able to capture such data.
[C-1-3] MUST provide user affordance to disable the content capture service.
[C-1-4] MUST NOT omit user affordance to manage Android permissions that are held by the content capture service and follow Android permissions model as described in Section 9.1. Permission.
[C-SR] Are STRONGLY RECOMMENDED to keep the content capturing service components separate, for example, not binding the service or sharing process IDs, from other system components except for the following:
Device implementations:
ClipboardManager API) unless the app is the default IME or is the app that currently has focus.
Device implementations:
ACCESS_BACKGROUND_LOCATION permission.