src/devices/tech/security/overview/index.jd - platform/docs/source.android.com - Git at Google

 page.title=Security overview
 @jd:body
 <!--
     Copyright 2014 The Android Open Source Project

     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
     You may obtain a copy of the License at

         http://www.apache.org/licenses/LICENSE-2.0

     Unless required by applicable law or agreed to in writing, software
     distributed under the License is distributed on an "AS IS" BASIS,
     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     See the License for the specific language governing permissions and
     limitations under the License.
 -->
 <div id="qv-wrapper">
   <div id="qv">
     <h2>In this document</h2>
     <ol id="auto-toc"></ol>
   </div>
 </div>

 <h2 id="android-security-program-overview">Security Program Overview</h2>
 <p>Early on in development, the core Android development team recognized that a
   robust security model was required to enable a vigorous ecosystem of
   applications and devices built on and around the Android platform and supported
   by cloud services. As a result, through its entire development lifecycle,
   Android has been subjected to a professional security program. The Android team
   has had the opportunity to observe how other mobile, desktop, and server platforms
   prevented and reacted to security issues and built a security
   program to address weak points observed in other offerings.</p>
 <p>The key components of the Android Security Program include:</p>
 <ul>
   <li><strong>Design Review</strong>: The Android security process begins early in the
     development lifecycle with the creation of a rich and configurable security
     model and design. Each major feature of the platform is reviewed by engineering
     and security resources, with appropriate security controls integrated into the
     architecture of the system.</li>
   <li><strong>Penetration Testing and Code Review</strong>: During the development of the
     platform, Android-created and open-source components are subject to vigorous
     security reviews. These reviews are performed by the Android Security Team,
     Google’s Information Security Engineering team, and independent security
     consultants. The goal of these reviews is to identify weaknesses and possible
     vulnerabilities well before the platform is open-sourced, and to simulate the
     types of analysis that will be performed by external security experts upon
     release.</li>
   <li><strong>Open Source and Community Review</strong>: The Android Open Source Project enables
     broad security review by any interested party. Android also uses open source
     technologies that have undergone significant external security review,
     such as the Linux kernel.  Google Play provides a forum for users and companies
     to provide information about specific applications directly to users.</li>
   <li><strong>Incident Response</strong>: Even with all of these precautions, security issues
     may occur after shipping, which is why the Android project has created a
     comprehensive security response process. A full-time Android security team
     constantly monitors Android-specific and the general security community for
     discussion of potential vulnerabilities. Upon the discovery of legitimate
     issues, the Android team has a response process that enables the rapid
     mitigation of vulnerabilities to ensure that potential risk to all Android
     users is minimized.  These cloud-supported responses can include updating the
     Android platform (over-the-air updates), removing applications from Google
     Play, and removing applications from devices in the field.</li>
 </ul>
 <h2 id="android-platform-security-architecture">Platform Security Architecture</h2>
 <p>Android seeks to be the most secure and usable operating system for mobile
   platforms by re-purposing traditional operating system security controls to:</p>
 <ul>
   <li>Protect user data</li>
   <li>Protect system resources (including the network)</li>
   <li>Provide application isolation</li>
 </ul>
 <p>To achieve these objectives, Android provides these key security features:</p>
 <ul>
   <li>Robust security at the OS level through the Linux kernel</li>
   <li>Mandatory application sandbox for all applications</li>
   <li>Secure interprocess communication</li>
   <li>Application signing</li>
   <li>Application-defined and user-granted permissions</li>
 </ul>
	page.title=Security overview
	@jd:body
	<!--
	Copyright 2014 The Android Open Source Project

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->
	<div id="qv-wrapper">
	<div id="qv">
	<h2>In this document</h2>
	<ol id="auto-toc"></ol>
	</div>
	</div>

	<h2 id="android-security-program-overview">Security Program Overview</h2>
	<p>Early on in development, the core Android development team recognized that a
	robust security model was required to enable a vigorous ecosystem of
	applications and devices built on and around the Android platform and supported
	by cloud services. As a result, through its entire development lifecycle,
	Android has been subjected to a professional security program. The Android team
	has had the opportunity to observe how other mobile, desktop, and server platforms
	prevented and reacted to security issues and built a security
	program to address weak points observed in other offerings.</p>
	<p>The key components of the Android Security Program include:</p>
	<ul>
	<li><strong>Design Review</strong>: The Android security process begins early in the
	development lifecycle with the creation of a rich and configurable security
	model and design. Each major feature of the platform is reviewed by engineering
	and security resources, with appropriate security controls integrated into the
	architecture of the system.</li>
	<li><strong>Penetration Testing and Code Review</strong>: During the development of the
	platform, Android-created and open-source components are subject to vigorous
	security reviews. These reviews are performed by the Android Security Team,
	Google’s Information Security Engineering team, and independent security
	consultants. The goal of these reviews is to identify weaknesses and possible
	vulnerabilities well before the platform is open-sourced, and to simulate the
	types of analysis that will be performed by external security experts upon
	release.</li>
	<li><strong>Open Source and Community Review</strong>: The Android Open Source Project enables
	broad security review by any interested party. Android also uses open source
	technologies that have undergone significant external security review,
	such as the Linux kernel. Google Play provides a forum for users and companies
	to provide information about specific applications directly to users.</li>
	<li><strong>Incident Response</strong>: Even with all of these precautions, security issues
	may occur after shipping, which is why the Android project has created a
	comprehensive security response process. A full-time Android security team
	constantly monitors Android-specific and the general security community for
	discussion of potential vulnerabilities. Upon the discovery of legitimate
	issues, the Android team has a response process that enables the rapid
	mitigation of vulnerabilities to ensure that potential risk to all Android
	users is minimized. These cloud-supported responses can include updating the
	Android platform (over-the-air updates), removing applications from Google
	Play, and removing applications from devices in the field.</li>
	</ul>
	<h2 id="android-platform-security-architecture">Platform Security Architecture</h2>
	<p>Android seeks to be the most secure and usable operating system for mobile
	platforms by re-purposing traditional operating system security controls to:</p>
	<ul>
	<li>Protect user data</li>
	<li>Protect system resources (including the network)</li>
	<li>Provide application isolation</li>
	</ul>
	<p>To achieve these objectives, Android provides these key security features:</p>
	<ul>
	<li>Robust security at the OS level through the Linux kernel</li>
	<li>Mandatory application sandbox for all applications</li>
	<li>Secure interprocess communication</li>
	<li>Application signing</li>
	<li>Application-defined and user-granted permissions</li>
	</ul>