      1 page.title=Android Security FAQ
      2 excludeFromSuggestions=true
      3 @jd:body
      4 
      5 <ul>
      6     <li><a href="#secure">Is Android Secure?</a></li>
      7     <li><a href="#issue">I think I found a security flaw. How do I report
      8     it?</a></li>
      9     <li><a href="#informed">How can I stay informed about Android security?</a></li>
     10     <li><a href="#use">How do I securely use my Android phone?</a></li>
     11     <li><a href="#malware">I think I found malicious software being distributed
     12     for Android. How can I help?</a></li>
     13     <li><a href="#fixes">How will Android-powered devices receive security fixes?</a>
     14     </li>
     15     <li><a href="#directfix">Can I get a fix directly from the Android Platform
     16     Project?</a></li>
     17 </ul>
     18 
     19 
     20 <a name="secure" id="secure"></a><h2>Is Android secure?</h2>
     21 
     22 <p>The security and privacy of our users' data is of primary importance to the
     23 Android Open Source Project. We are dedicated to building and maintaining one
     24 of the most secure mobile platforms available while still fulfilling our goal
     25 of opening the mobile device space to innovation and competition.</p>
     26 
     27 <p>A comprehensive overview of the <a
     28 href="http://source.android.com/tech/security/index.html">Android
     29 security model and Android security processes</a> is provided on the Android
     30 Open Source Project website.</p>
     31 
     32 <p>Application developers play an important part in the security of Android.
     33 The Android Platform provides developers with a rich <a
     34 href="http://code.google.com/android/devel/security.html">security model</a>
     35 that allows them to request the capabilities, or access, needed by their
     36 application and to define new capabilities that other applications can request.
     37 The Android user can choose to grant or deny an application's request for
     38 certain capabilities on the handset.</p>
     39 
     40 <p>We have made great efforts to secure the Android platform, but it is
     41 inevitable that security bugs will be found in any system of this complexity.
     42 Therefore, the Android team works hard to find new bugs internally and responds
     43 quickly and professionally to vulnerability reports from external researchers.
     44 </p>
     45 
     46 
     47 <a name="issue" id="issue"></a><h2>I think I found a security flaw. How do I
     48 report it?</h2>
     49 
     50 <p>You can reach the Android security team at security@android.com. If you like, you
     51 can protect your message using our <a
     52 href="http://code.google.com/android/security_at_android_dot_com.txt">PGP
     53 key</a>.</p>
     54 
     55 <p>We appreciate researchers practicing responsible disclosure by emailing us
     56 with a detailed summary of the issue and keeping the issue confidential while
     57 users are at risk. In return, we will make sure to keep the researcher informed
     58 of our progress in issuing a fix. </p>
     59 
     60 <p>Vulnerabilities specific to Android OEMs should be reported to the relevant
     61 vendor. An incomplete list of Android vendor security contacts can be found below.
     62 To be added to this list, please contact security@android.com.</p>
     63 
     64 <ul>
     65   <li><a href="http://www.htc.com/www/terms/product-security/">HTC</a></li>
     66   <li><a href="http://www.motorolasolutions.com/US-EN/About/Security%20Vulnerability">Motorola</a></li>
     67   <li><a href="http://developer.samsung.com/notice/How-to-Use-the-Forum">Samsung</a> - m.security@samsung.com</li>
     68 </ul>
     69 
     70 <a name="informed" id="informed"></a><h2>How can I stay informed about Android security?</h2>
     71 
     72 <p>For general discussion of Android platform security, or how to use
     73 security features in your Android application, please subscribe to <a
     74 href="http://groups.google.com/group/android-security-discuss">android-security-discuss</a>.
     75 </p>
     76 
     77 
     78 <a name="use" id="use"></a><h2>How do I securely use my Android phone?</h2>
     79 
     80 <p>Android was designed so that you can safely use your phone without making
     81 any changes to the device or installing any special software.  Android applications
     82 run in an Application Sandbox that limits access to sensitive information or data
     83 without the user's permission.</p>
     84 
     85 <p>To fully benefit from the security protections in Android, it is important that
     86 users only download and install software from known sources.</p>
     87 
     88 <p>As an open platform, Android allows users to visit any website and load
     89 software from any developer onto a device. As with a home PC, the user must be
     90 aware of who is providing the software they are downloading and must decide
     91 whether they want to grant the application the capabilities it requests.
     92 This decision can be informed by the user's judgment of the software
     93 developer's trustworthiness, and where the software came from.</p>
     94 
     95 
     96 <a name="malware" id="malware"></a><h2>I think I found malicious software being
     97 distributed for Android. How can I help?</h2>
     98 
     99 <p>As on any other platform, it is possible for unethical developers
    100 to create malicious software, known as <a
    101 href="http://en.wikipedia.org/wiki/Malware">malware</a>, for Android. If you
    102 think somebody is trying to spread malware, please let us know at
    103 security@android.com. Please include as
    104 much detail about the application as possible, including the location it is
    105 being distributed from and why you suspect it of being malicious software.</p>
    106 
    107 <p>The term <i>malicious software</i> is subjective, and we cannot make an
    108 exhaustive definition.  Examples of what the Android Security Team believes
    109 to be malicious software include any application that:
    110 <ul>
    111     <li>uses a bug or security vulnerability to gain permissions that have not
    112     been granted by the user;</li>
    113     <li>shows the user unsolicited messages (especially messages urging the
    114     user to buy something);</li>
    115     <li>resists (or attempts to resist) the user's effort to uninstall it;</li>
    116     <li>attempts to automatically spread itself to other devices;</li>
    117     <li>hides its files and/or processes;</li>
    118     <li>discloses the user's private information to a third party, without the
    119     user's knowledge and consent;</li>
    120     <li>destroys the user's data (or the device itself) without the user's
    121     knowledge and consent;</li>
    122     <li>impersonates the user (such as by sending email or buying things from a
    123     web store) without the user's knowledge and consent; or</li>
    124     <li>otherwise degrades the user's experience with the device.</li>
    125 </ul>
    126 </p>
    127 
    128 
    129 <a name="fixes" id="fixes"></a><h2>How do Android-powered devices receive security
    130 fixes?</h2>
    131 
    132 <p>The manufacturer of each device is responsible for distributing software
    133 upgrades for it, including security fixes. Many devices will update themselves
    134 automatically with software downloaded "over the air", while some devices
    135 require the user to upgrade them manually.</p>
    136 
    137 <p>Google provides software updates for a number of Android devices, including
    138 the <a href="http://www.google.com/nexus">Nexus</a>
    139 series of devices, using an "over the air" (OTA) update. These updates may include
    140 security fixes as well as new features.</p>
    141 
    142 <a name="directfix" id="directfix"></a><h2>Can I get a fix directly from the
    143 Android Platform Project?</h2>
    144 
    145 <p>Android is a mobile platform that is released as open source and
    146 available for free use by anybody. This means that there are many
    147 Android-based products available to consumers, and most of them are created
    148 without the knowledge or participation of the Android Open Source Project. Like
    149 the maintainers of other open source projects, we cannot build and release
    150 patches for the entire ecosystem of products using Android. Instead, we will
    151 work diligently to find and fix flaws as quickly as possible and to distribute
    152 those fixes to the manufacturers of the products through the open source project.</p>
    153 
    154 <p>If you are making an Android-powered device and would like to know how you can
    155 properly support your customers by keeping abreast of software updates, please
    156 contact us at <a
    157 href="mailto:info@openhandsetalliance.com">info@openhandsetalliance.com</a>.</p>
    158