| page.title=Security |
| @jd:body |
| <!-- |
| Copyright 2015 The Android Open Source Project |
| |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <div id="qv-wrapper"> |
| <div id="qv"> |
| <h2>In this document</h2> |
| <ol id="auto-toc"></ol> |
| </div> |
| </div> |
| |
| <p>Android is a modern mobile platform that was designed to be truly open. Android |
| applications make use of advanced hardware and software, as well as local and |
| served data, exposed through the platform to bring innovation and value to |
| consumers. To protect that value, the platform must offer an application |
| environment that ensures the security of users, data, applications, the device, |
| and the network.</p> |
| <p>Securing an open platform requires a robust security architecture and |
| rigorous security programs. Android was designed with multi-layered |
| security that provides the flexibility required for an open platform, while |
| providing protection for all users of the platform. For information about |
| reporting security issues and the update process, |
| see <a href="overview/updates-resources.html">Security Updates and Resources</a>.</p> |
| <p>Android was designed with developers in mind. Security controls were designed |
| to reduce the burden on developers. Security-savvy developers can easily work |
| with and rely on flexible security controls. Developers less familiar with |
| security will be protected by safe defaults.</p> |
| <p>Android was designed with device users in mind. Users are provided visibility |
| into how applications work, and control over those applications. This design |
| includes the expectation that attackers would attempt to perform common |
| attacks, such as social engineering attacks to convince device users to install |
| malware, and attacks on third-party applications on Android. Android was |
| designed to both reduce the probability of these attacks and greatly limit the |
| impact of the attack in the event it was successful.</p> |
| <p>This documentation outlines the goals of the Android security program, describes the |
| fundamentals of the Android security architecture, and answers the most |
| pertinent questions for system architects and security analysts. This document |
| focuses on the security features of Android's core platform and does not |
| discuss security issues that are unique to specific applications, such as those |
| related to the browser or SMS application. Recommended best practices for |
| building Android devices, deploying Android devices, or developing applications |
| for Android are not the goal of this document and are provided elsewhere.</p> |
| |
| <h2 id="background">Background</h2> |
| <p>Android provides an open source platform and application environment for mobile |
| devices.</p> |
| <p>The sections and pages below describe the security features of the Android |
| platform. <em>Figure 1</em> summarizes the security components and considerations of |
| the various levels of the Android software stack. Each component assumes that |
| the components below are properly secured. With the exception of a small amount |
| of Android OS code running as root, all code above the Linux Kernel is |
| restricted by the Application Sandbox.</p> |
| <p><img alt="Figure 1: Android software stack" src="images/android_software_stack.png" /></p> |
| <p><em>Figure 1: Android software stack.</em></p> |
| <p>The main Android platform building blocks are:</p> |
| <ul> |
| <li> |
| <p><strong>Device Hardware</strong>: Android runs on a wide range of hardware configurations |
| including smart phones, tablets, and set-top-boxes. Android is |
| processor-agnostic, but it does take advantage of some hardware-specific |
| security capabilities such as ARM v6 eXecute-Never.</p> |
| </li> |
| <li> |
| <p><strong>Android Operating System</strong>: The core operating system is built on top of |
| the Linux kernel. All device resources, like camera functions, GPS data, |
| Bluetooth functions, telephony functions, network connections, etc. are |
| accessed through the operating system.</p> |
| </li> |
| <li> |
| <p><strong>Android Application Runtime</strong>: Android applications are most often written |
| in the Java programming language and run in the Dalvik virtual machine. |
| However, many applications, including core Android services and applications |
| are native applications or include native libraries. Both Dalvik and native |
| applications run within the same security environment, contained within the |
| Application Sandbox. Applications get a dedicated part of the filesystem in |
| which they can write private data, including databases and raw files.</p> |
| </li> |
| </ul> |
| <p>Android applications extend the core Android operating system. There are two |
| primary sources for applications:</p> |
| <ul> |
| <li> |
| <p><strong>Pre-Installed Applications</strong>: Android includes a set of pre-installed |
| applications including phone, email, calendar, web browser, and contacts. These |
| function both as user applications and to provide key device capabilities that |
| can be accessed by other applications. Pre-installed applications may be part |
| of the open source Android platform, or they may be developed by an OEM for a |
| specific device.</p> |
| </li> |
| <li> |
| <p><strong>User-Installed Applications</strong>: Android provides an open development |
| environment supporting any third-party application. Google Play offers |
| users hundreds of thousands of applications.</p> |
| </li> |
| </ul> |
| <p>Google provides a set of cloud-based services that are available to any |
| compatible Android device. The primary services are:</p> |
| <ul> |
| <li> |
| <p><strong>Google Play</strong>: Google Play is a collection of services that |
| allow users to discover, install, and purchase applications from their Android |
| device or the web. Google Play makes it easy for developers to reach Android |
| users and potential customers. Google Play also provides community review, |
| application <a href="https://developer.android.com/guide/publishing/licensing.html">license |
| verification</a>, application security scanning, and other security services.</p> |
| </li> |
| <li> |
| <p><strong>Android Updates</strong>: The Android update service delivers new capabilities and |
| security updates to Android devices, including updates through the web or over |
| the air (OTA).</p> |
| </li> |
| <li> |
| <p><strong>Application Services</strong>: Frameworks that allow Android applications to use |
| cloud capabilities such as (<a href="https://developer.android.com/guide/topics/data/backup.html">backing |
| up</a>) application |
| data and settings and cloud-to-device messaging |
| (<a href="https://developers.google.com/android/c2dm/">C2DM</a>) |
| for push messaging.</p> |
| </li> |
| </ul> |
| <p>These services are not part of the Android Open Source Project and are out |
| of scope for this document. But they are relevant to the security of most |
| Android devices, so a related security document titled “Google Services for |
| Android: Security Overview” is available.</p> |
| <h2 id="android-security-program-overview">Security Program Overview</h2> |
| <p>Early on in development, the core Android development team recognized that a |
| robust security model was required to enable a vigorous ecosystem of |
| applications and devices built on and around the Android platform and supported |
| by cloud services. As a result, through its entire development lifecycle, |
| Android has been subjected to a professional security program. The Android team |
| has had the opportunity to observe how other mobile, desktop, and server platforms |
| prevented and reacted to security issues and built a security |
| program to address weak points observed in other offerings.</p> |
| <p>The key components of the Android Security Program include:</p> |
| <ul> |
| <li><strong>Design Review</strong>: The Android security process begins early in the |
| development lifecycle with the creation of a rich and configurable security |
| model and design. Each major feature of the platform is reviewed by engineering |
| and security resources, with appropriate security controls integrated into the |
| architecture of the system.</li> |
| <li><strong>Penetration Testing and Code Review</strong>: During the development of the |
| platform, Android-created and open source components are subject to vigorous |
| security reviews. These reviews are performed by the Android Security Team, |
| Google’s Information Security Engineering team, and independent security |
| consultants. The goal of these reviews is to identify weaknesses and possible |
| vulnerabilities well before the platform is open sourced, and to simulate the |
| types of analysis that will be performed by external security experts upon |
| release.</li> |
| <li><strong>Open Source and Community Review</strong>: The Android Open Source Project enables |
| broad security review by any interested party. Android also uses open source |
| technologies that have undergone significant external security review, |
| such as the Linux kernel. Google Play provides a forum for users and companies |
| to provide information about specific applications directly to users.</li> |
| <li><strong>Incident Response</strong>: Even with all of these precautions, security issues |
| may occur after shipping, which is why the Android project has created a |
| comprehensive security response process. A full-time Android security team |
| constantly monitors Android-specific and the general security community for |
| discussion of potential vulnerabilities. Upon the discovery of legitimate |
| issues, the Android team has a response process that enables the rapid |
| mitigation of vulnerabilities to ensure that potential risk to all Android |
| users is minimized. These cloud-supported responses can include updating the |
| Android platform (over-the-air updates), removing applications from Google |
| Play, and removing applications from devices in the field.</li> |
| </ul> |
| <h2 id="android-platform-security-architecture">Platform Security Architecture</h2> |
| <p>Android seeks to be the most secure and usable operating system for mobile |
| platforms by re-purposing traditional operating system security controls to:</p> |
| <ul> |
| <li>Protect user data</li> |
| <li>Protect system resources (including the network)</li> |
| <li>Provide application isolation</li> |
| </ul> |
| <p>To achieve these objectives, Android provides these key security features:</p> |
| <ul> |
| <li>Robust security at the OS level through the Linux kernel</li> |
| <li>Mandatory application sandbox for all applications</li> |
| <li>Secure interprocess communication</li> |
| <li>Application signing</li> |
| <li>Application-defined and user-granted permissions</li> |
| </ul> |
| |
