1 page.title=Security best practices 2 @jd:body 3 4 <!-- 5 Copyright 2014 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 <div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25 </div> 26 27 <h2 id="introduction">Introduction</h2> 28 29 <p>The Android Security Team regularly receive requests for more information about 30 how to prevent potential security issues on Android devices. We also 31 occasionally perform spot-checks of devices and let OEMs and affected partners 32 know of potential issues.</p> 33 34 <p>This document provides OEMs and other partners with a number of security best 35 practices based upon our own experiences. This is an extension of the 36 <a href="http://developer.android.com/guide/practices/security.html">Designing for 37 Security</a> documentation we've provided for developers, including best 38 practices that are unique to those who are building or installing system-level 39 software on devices.</p> 40 41 <p>Where possible, the Android Security Team will incorporate tests into the 42 <a href="http://source.android.com/compatibility/cts-intro.html">Android Compatibility Test 43 Suite</a> (CTS) and 44 <a href="http://tools.android.com/tips/lint">Android Lint</a> to facilitate adoption of 45 these best practices. We encourage partners to contribute tests that can help 46 other Android users. A partial list of security-related tests can be found at: 47 <code>root/cts/tests/tests/security/src/android/security/cts</code></p> 48 49 <h2 id="dev-process">Development process</h2> 50 51 <h3 id="sec-review">Source code security review</h3> 52 <p> Source code review can detect a broad range of security issues, including those 53 identified in this document. Android strongly encourages both manual and 54 automated source code review.</p> 55 56 <ol> 57 <li><a href="http://tools.android.com/tips/lint">Android Lint</a> 58 <strong>should</strong> be run on all application code using the Android SDK. 59 Issues that are identified should be corrected.</li> 60 <li>Native code <strong>should</strong> be analyzed using an automated tool that 61 can detect memory management issues such as buffer overflows and off-by-one 62 errors.</li> 63 </ol> 64 65 <h3 id="auto-test">Automated testing</h3> 66 <p>Automated testing can detect a broad range of security issues, including many of 67 those identified in this document.</p> 68 69 <ol> 70 <li>CTS is regularly updated with security tests; the most recent version of CTS 71 <strong>must</strong> be run to verify compatibility.</li> 72 <li>CTS <strong>should</strong> be run regularly throughout the development process to detect 73 problems early and reduce time to correction. Android uses CTS as part of 74 continuous integration with our automated build process, which builds 75 multiple times per day.</li> 76 <li>OEMs <strong>should</strong> automate security testing of any interfaces including testing 77 with malformed inputs (fuzz testing).</li> 78 </ol> 79 80 <h3 id="sign-sysimg">Signing system images</h3> 81 <p>The signature of the system image is critical for determining the integrity of 82 the device. Specifically:</p> 83 84 <ol> 85 <li>Devices <strong>must not</strong> be signed with a key that is publicly known.</li> 86 <li>Keys used to sign devices <strong>should</strong> be managed in a manner consistent with 87 industry standard practices for handling sensitive keys, including a hardware 88 security module (HSM) that provides limited, auditable access.</li> 89 </ol> 90 91 <h3 id="sign-apk">Signing applications (APKs)</h3> 92 <p>Application signatures play an important role in device security. They are used 93 for permissions checks as well as software updates. When selecting a key to use 94 for signing applications, it is important to consider whether an application 95 will be available only on a single device or common across multiple devices. 96 Consider:</p> 97 98 <ol> 99 <li>Applications <strong>must not</strong> be signed with a key that is publicly known.</li> 100 <li>Keys used to sign applications <strong>should</strong> be managed in a manner consistent 101 with industry standard practices for handling sensitive keys, including an 102 HSM that provides limited, auditable access.</li> 103 <li>Applications <strong>should not</strong> be signed with the platform key.</li> 104 <li>Applications with the same package name <strong>should not</strong> be signed with 105 different keys. This often occurs when creating an application for different 106 devices, especially when using the platform key. If the application is 107 device-independent, then use the same key across devices. If the application 108 is device-specific, create unique package names per device and key.</li> 109 </ol> 110 111 <h3 id="apps-pub">Apps publishing</h3> 112 <p>Google Play provides OEMs with the ability to update applications without 113 performing a complete system update. This can expedite response to security 114 issues and delivery of new features. This also provides a way to make sure that 115 your application has a unique package name.</p> 116 117 <ol> 118 <li>Apps <strong>should</strong> be uploaded to Google Play to allow automated updates without 119 requiring a full OTA. Applications that are uploaded but "unpublished" are 120 not directly downloadable by users, but the apps are still updated. Users who 121 have ever installed such an app can install it again and again on their other 122 devices as well.</li> 123 <li>To avoid potential confusion, apps <strong>should</strong> be created with a package name 124 clearly associated with your company, such as by using a company trademark.</li> 125 <li>Apps published by OEMs <strong>should</strong> be uploaded on the Google Play store in 126 order to avoid package name impersonation by third-party users.<br/> 127 <br/> 128 If an OEM installs an app on a phone without publishing it on the Play store, 129 another developer could upload that same app, using the same package name,, 130 and change the metadata for the app. When presented to the user, this 131 unrelated metadata could create confusion.</li> 132 </ol> 133 134 <h3 id="incident-response">Incident response</h3> 135 <p>External parties must have the ability to contact OEMs about device-specific 136 security issues. We strongly recommend the creation of a publicly accessible 137 email address for managing security incidents.</p> 138 139 <ol> 140 <li>Create a <em>security (a] your-company.com</em> or similar address and publicize 141 it.</li> 142 <li>If you become aware of a security issue affecting Android OS or Android 143 devices from multiple OEMs, you <strong>should</strong> contact the Android 144 Security Team at <em>security (a] android.com</em>.</li> 145 </ol> 146 147 <h2 id="prod-implement">Product implementation</h2> 148 149 <h3 id="root-processes">Root processes</h3> 150 <p>Root processes are the most frequent target of privilege escalation attacks, so 151 reducing the number of root processes reduces risk of privilege escalation. CTS 152 has been expanded with an informational test that lists root processes.</p> 153 154 <ol> 155 <li>The devices <strong>should</strong> run the minimum necessary code as root. Where 156 possible, use a regular android process rather than a root process. The ICS 157 Galaxy Nexus has only six root processes - vold, inetd, zygote, tf_daemon, 158 ueventd, and init. Please let the Android team know if capabilities are 159 required that are not accessible without root privileges.</li> 160 <li>Where possible, root code <strong>should</strong> be isolated from untrusted data and 161 accessed via IPC. For example, reduce root functionality to a small Service 162 accessible via Binder and expose the Service with signature permission to an 163 an application with low or no privileges to handle network traffic.</li> 164 <li>Root processes <strong>must not</strong> listen on a network socket.</li> 165 <li>Root processes <strong>must not</strong> provide a general-purpose runtime for 166 applications. (e.g. a Java VM)</li> 167 </ol> 168 169 <h3 id="sys-apps">System apps</h3> 170 <p>In general, apps pre-installed by OEMs should not be running with the shared UID 171 of system. Realistically, however, sometimes this is necessary. If an app is 172 using the shared UID of system or another privileged service (i.e., phone), it 173 should not export any services, broadcast receivers, or content providers that 174 can be accessed by third-party apps installed by users.</p> 175 176 <ol> 177 <li>The devices <strong>should</strong> run the minimum necessary code as system. Where 178 possible, use an android process with its own UID rather than reusing the 179 system UID.</li> 180 <li>Where possible, system code <strong>should</strong> be isolated from untrusted data and 181 expose IPC only to other trusted processes.</li> 182 <li>System processes <strong>must not</strong> listen on a network socket.</li> 183 </ol> 184 185 <h3 id="process-isolate">Process isolation</h3> 186 <p>The Android Application Sandbox provides applications with an expectation of 187 isolation from other processes on the system, including root processes and 188 debuggers. Unless debugging is specifically enabled by the application and the 189 user, no application should violate that expectation.</p> 190 191 <ol> 192 <li>Root processes <strong>must not</strong> access data within individual application data 193 folders, unless using a documented Android debugging method.</li> 194 <li>Root processes <strong>must not</strong> access memory of applications, unless using a 195 documented Android debugging method.</li> 196 <li>The device <strong>must not</strong> include any application that accesses data or memory 197 of other applications or processes.</li> 198 </ol> 199 200 <h3 id="suid-files">SUID files</h3> 201 <p>New setuid programs should not be accessible by untrusted programs. Setuid 202 programs have frequently been the location of vulnerabilities that can be used 203 to gain root access, and minimizing the availability of the program to untrusted 204 applications is a security best practice.</p> 205 206 <ol> 207 <li>SUID processes <strong>must not</strong> provide a shell or backdoor that can be used to 208 circumvent the Android security model.</li> 209 <li>SUID programs <strong>must not</strong> be writable by any user.</li> 210 <li>SUID programs <strong>should</strong> not be world readable or executable. Create a 211 group, limit access to the SUID binary to members of that group, and place any 212 applications that should be able to execute the SUID program into that 213 group.</li> 214 <li>SUID programs are a common source of user "rooting" of devices. To reduce 215 this risk, SUID programs <strong>should not</strong> be executable by the shell 216 user.</li> 217 </ol> 218 219 <p>The CTS verifier has been expanded with an informational test that lists SUID 220 files. Certain setuid files are not permitted, per CTS tests.</p> 221 222 <h3 id="listening-sockets">Listening sockets</h3> 223 <p>CTS tests have been expanded to fail when a device is listening on any port, on 224 any interface. In the event of a failure, Google will verify that the following 225 best practices are being used:</p> 226 227 <ol> 228 <li>There <strong>should</strong> be no listening ports on the device.</li> 229 <li>Listening ports <strong>must</strong> be able to be disabled without an OTA. 230 This can be either a server or user-device configuration change.</li> 231 <li>Root processes <strong>must not</strong> listen on any port.</li> 232 <li>Processes owned by the system UID <strong>must not</strong> listen on any 233 port.</li> 234 <li>For local IPC using sockets, applications <strong>must</strong> use a UNIX 235 Domain Socket with access limited to a group. Create a file descriptor for the 236 IPC and make it +RW for a specific UNIX group. Any client applications must be 237 within that UNIX group.</li> 238 <li>Some devices with multiple processors (e.g. a radio/modem separate from the 239 application processor) use network sockets to communicate between processors. 240 In those instances, the network socket used for inter-processor communication 241 <strong>must</strong> use an isolated network interface to prevent access by 242 unauthorized 243 applications on the device. One approach is to use iptables to prevent access by 244 other applications on the device.</li> 245 <li>Daemons that handle listening ports <strong>must</strong> be robust against malformed 246 data. Google may conduct fuzz-testing against the port using an unauthorized 247 client, and, where possible, authorized client. Any crashes will be filed as 248 bugs with an appropriate severity.</li> 249 </ol> 250 251 <h3 id="logging">Logging</h3> 252 <p>Logging of data increases the risk of exposure of that data and reduces system 253 performance. Multiple public security incidents have occurred as the result of 254 logging of sensitive user data by applications installed by default on Android 255 devices.</p> 256 257 <ol> 258 <li>Applications or system services <strong>should not</strong> log data provided from 259 third-party applications that might include sensitive information.</li> 260 <li>Applications <strong>must not</strong> log any Personally Identifiable Information (PII) 261 as part of normal operation.</li> 262 </ol> 263 264 <p>CTS has been expanded with a number of tests that check for the presence of 265 potentially sensitive information in the system logs.</p> 266 267 <h3 id="directories">Directories</h3> 268 <p>World-writable directories can introduce security weaknesses. Writable 269 directories may enable an application to rename other trusted files, 270 substituting their own files or conducting symlink-based attacks. By creating a 271 symlink to a file, the attacker may trick a trusted program into performing 272 actions it shouldn't.</p> 273 274 <p> Writable directories prevent the uninstall of an application from properly 275 cleaning up all files associated with an application. Directories created by the 276 system or root users <strong>should not</strong> be world writable.</p> 277 278 <p>CTS tests help enforce this best practice by testing known directories.</p> 279 280 <h3 id="config-files">Configuration files</h3> 281 <p>Many drivers and services rely on configuration and data files stored in 282 directories like /system/etc and various other directories in /data. If these 283 files are processed by a privileged process and are world writable, then it 284 could be possible for an app to exploit a vulnerability in the process by 285 crafting malicious contents in the world-writable file.</p> 286 287 <ol> 288 <li>Configuration files used by privileged processes <strong>should not</strong> 289 be world readable.</li> 290 <li>Configuration files used by privileged processes <strong>must not</strong> be 291 world writable.</li> 292 </ol> 293 294 <h3 id="native-code">Native code libraries</h3> 295 <p>Any code used by privileged OEM processes must be in /vendor or /system; these 296 filesystems are mounted read-only on boot. Any libraries used by system or other 297 highly-privileged apps installed on the phone should also be in these 298 filesystems. This can prevent a security vulnerability that could allow an 299 attacker to control the code that a privileged process executes.</p> 300 301 <ol> 302 <li>All native code used by privileged OEM processes <strong>must be</strong> in /vendor or 303 /system.</li> 304 </ol> 305 306 <h3 id="device-drivers">Device drivers</h3> 307 <p>Only trusted code should have direct access to drivers. Where possible, the 308 preferred architecture is to provide a single-purpose daemon that proxies calls 309 to the driver and restrict access to the driver to that daemon.</p> 310 311 <p>Driver device nodes <strong>should not</strong> be world readable or 312 writable. CTS tests help enforce this best practice by checking for known 313 instances of exposed drivers.</p> 314 315 <h3 id="adb">ADB</h3> 316 <p>ADB <strong>must be</strong> disabled by default and must require the user to turn it on 317 before accepting connections.</p> 318 319 <h3 id="unlockable-bootloaders">Unlockable bootloaders</h3> 320 <p>Unlockable Android devices must securely erase all user data prior to being 321 unlocked. The failure to properly delete all data on unlocking may allow a 322 physically proximate attacker to gain unauthorized access to confidential 323 Android user data. We've seen numerous instances where device manufacturers 324 improperly implemented unlocking.</p> 325 326 <p>Many Android devices support unlocking. This allows the device owner to modify 327 the system partition and/or install a custom operating system. Common use cases 328 for this include installing a third-party ROM, and/or doing systems-level 329 development on the device.</p> 330 331 <p>For example, on Google Nexus devices, an end user can run <code>fastboot oem 332 unlock</code> to start the unlocking process. When an end user runs this command, 333 the following message is displayed:</p> 334 335 <blockquote> 336 <strong>Unlock bootloader?</strong> 337 338 <p>If you unlock the bootloader, you will be able to install custom operating 339 system software on this phone.</p> 340 341 <p>A custom OS is not subject to the same testing as the original OS, and can 342 cause your phone and installed applications to stop working properly.</p> 343 344 <p>To prevent unauthorized access to your personal data, unlocking the 345 bootloader will also delete all personal data from your phone (a "factory data 346 reset"). 347 348 <p>Press the Volume Up/Down buttons to select Yes or No. Then press the Power 349 button to continue.</p> 350 351 <p><strong>Yes</strong>: Unlock bootloader (may void warranty)</p> 352 353 <p><strong>No</strong>: Do not unlock bootloader and restart phone.</p> 354 </blockquote> 355 356 <p>A device that is unlocked may be subsequently relocked, by issuing the 357 <code>fastboot oem lock</code> command. Locking the bootloader provides the same 358 protection of user data with the new custom OS as was available with the 359 original OEM OS. e.g. user data will be wiped if the device is unlocked again in 360 the future.</p> 361 362 <p>To prevent the disclosure of user data, a device that supports unlocking needs 363 to implement it properly.</p> 364 365 <p>A properly implemented unlocking process will have the following properties:</p> 366 367 <ol> 368 <li>When the unlocking command is confirmed by the user, the device MUST start an 369 immediate data wipe. The "unlocked" flag MUST NOT be set until after the 370 secure deletion is complete.</li> 371 <li>If a secure deletion cannot be completed, the device MUST stay in a locked 372 state.</li> 373 <li>If supported by the underlying block device, 374 <code>ioctl(BLKSECDISCARD)</code> or equivalent SHOULD be used. For eMMC 375 devices, this means using a Secure Erase or Secure Trim command. For eMMC 4.5 376 and later, this means doing a normal Erase or Trim followed by a Sanitize 377 operation.</li> 378 <li>If <code>BLKSECDISCARD</code> is NOT supported by the underlying block 379 device, <code>ioctl(BLKDISCARD)</code> MUST be used instead. On eMMC devices, 380 this is a normal Trim operation.</li> 381 <li>If <code>BLKDISCARD</code> is NOT supported, overwriting the block devices 382 with all zeros is acceptable.</li> 383 <li>An end user MUST have the option to require that user data be wiped prior to 384 flashing a partition. For example, on Nexus devices, this is done via the 385 <code>fastboot oem lock</code> command.</li> 386 <li>A device MAY record, via efuses or similar mechanism, whether a device was 387 unlocked and/or relocked.</li> 388 </ol> 389 390 <p>These requirements ensure that all data is destroyed upon the completion of an 391 unlock operation. Failure to implement these protections is considered a 392 "moderate" level security vulnerability.</p> 393
