1 page.title= Security updates and resources 2 @jd:body 3 4 <!-- 5 Copyright 2015 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 <div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"></ol> 23 </div> 24 </div> 25 26 <h2 id=android_security_bug_lifecycle>Android security bug lifecycle</h2> 27 28 <p>The Android security team is responsible for managing security vulnerabilities 29 discovered in the Android platform and many of the core Android apps bundled 30 with Android devices.</p> 31 32 <p>The Android security team finds security vulnerabilities through internal 33 research and also responds to bugs reported by third parties. Sources of 34 external bugs include issues reported through the <a 35 href="https://code.google.com/p/android/issues/list">Android Open Source 36 Project (AOSP) bug tracker</a>, published and pre-published academic research, 37 upstream open source project maintainers, notifications from our device 38 manufacturer partners, and publicly disclosed issues posted on blogs or social 39 media.</p> 40 41 <h2 id=report-issues>Reporting security issues</h2> 42 43 <p>Any developer, Android user, or security researcher can notify the Android 44 security team of potential security issues through the AOSP bug tracker <a 45 href="https://code.google.com/p/android/issues/entry?template=Security%20bug%20report">Security 46 bug report</a> template.</p> 47 48 <p>Bugs marked as security issues are not externally visible, but they may 49 eventually be made visible after the issue is evaluated or resolved. If you 50 plan to submit a patch or Compatibility Test Suite (CTS) test to resolve a 51 security issue, please attach it to the bug report and wait for a response 52 before uploading the code to AOSP.</p> 53 54 <p>If you need to reach the Android security team for a purpose other than 55 reporting a vulnerability, please contact <a 56 href="mailto:security (a] android.com">security (a] android.com</a>. The Android 57 security team has a <a 58 href="https://developer.android.com/security_at_android_dot_com.txt">PGP 59 key</a> if you need to encrypt your message.</p> 60 61 <h2 id=triaging_bugs>Triaging bugs</h2> 62 63 <p>The first task in handling a security vulnerability is to identify the severity 64 of the bug and which component of Android is affected. The severity determines 65 how the issue is prioritized, and the component determines who fixes the bug, 66 who is notified, and how the fix gets deployed to users.</p> 67 68 <h3 id=severity>Severity</h3> 69 70 <p>The severity of a bug generally reflects the potential harm that could occur if 71 a bug was successfully exploited. Use the following criteria to determine the 72 severity:</p> 73 <p class="table-caption" id="severity-criteria"> 74 <strong>Table 1.</strong> Severity ratings and associated consequences</p> 75 <table> 76 <tr> 77 <th>Rating</th> 78 <th>Consequence of successful exploitation</th> 79 </tr> 80 <tr> 81 <td><strong>Critical</strong></td> 82 <td> 83 <ul> 84 <li>Remote privileged code execution (execution at a privilege level that 85 third-party apps cannot obtain) 86 <li>Local permanent device compromise (device cannot be repaired without 87 re-flashing the entire operating system, such as a verified boot or Trusted 88 Execution Environment/TEE compromise) 89 <li>Remote permanent denial of service (inoperability, either completely permanent 90 or requiring re-flashing the device) 91 </ul> 92 </td> 93 </tr> 94 <tr> 95 <td><strong>High</strong></td> 96 <td> 97 <ul> 98 <li>Remote unprivileged code execution (execution at a privilege level that 99 third-party apps can obtain through installation) 100 <li>Local access to system/signature-level permission data or capabilities without 101 permission 102 <li>Local permanent denial-of-service (inoperability, either completely permanent 103 or requiring re-flashing the device) 104 <li>Remote temporary denial-of-service (remote hang or reboot) 105 </ul> 106 </td> 107 </tr> 108 <tr> 109 <td><strong>Moderate</strong></td> 110 <td> 111 <ul> 112 <li>Access to "<a 113 href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">dangerous</a>" 114 level permission data or capabilities without permission with an app installed 115 on the device 116 <li>Local temporary denial-of-service (can be resolved only through a factory 117 reset) 118 </ul> 119 </td> 120 </tr> 121 <tr> 122 <td><strong>Low</strong></td> 123 <td> 124 <ul> 125 <li>Access to "<a 126 href="http://developer.android.com/guide/topics/manifest/permission-element.html#plevel">normal</a>" 127 level permission capabilities without permission with an app installed on the 128 device 129 <li>Local temporary denial-of-service (can be resolved by booting the device into 130 Safe Mode and removing the problem application) 131 </ul> 132 </td> 133 </tr> 134 </table> 135 136 <p>Though there are many types of software bugs outside of the security 137 vulnerabilities detailed above, bugs reported are evaluated on a 138 case-by-base basis to determine what security impact they have.</p> 139 140 <p>The Android security team may also adjust the severity of a vulnerability if it 141 is determined the risk to users is higher or lower than the guidelines suggest. 142 For example, if a certain piece of data is available only to apps with "system" 143 level access but the data itself is not sensitive, the Android security 144 team may consider it only a low-severity vulnerability.</p> 145 146 <h4 id=local_vs_remote>Local vs. remote</h4> 147 148 <p>A remote attack vector indicates the bug could be exploited without installing 149 an app or without physical access to the device. This includes bugs that could 150 be triggered by browsing to a web page, reading an email, receiving an SMS 151 message, or connecting to a hostile network. For the purpose of our severity 152 ratings, the Android security team also considers "proximal" attack vectors as 153 remote. These include bugs that can be exploited only by an attacker who is 154 physically near the target device, for example a bug that requires sending 155 malformed Wi-Fi or Bluetooth packets.</p> 156 157 <p>Local attacks require the victim to install an app. For the purpose of severity 158 ratings, the Android security team also considers physical attack vectors as 159 local. These include bugs that can be exploited only by an attacker who has 160 physical access to the device, for example a bug in a lock screen or one that 161 requires plugging in a USB cable. The Android security team also considers 162 NFC-based attacks as local.</p> 163 164 <h4 id=high_privilege_levels>Severity of vulnerabilities that affect high privilege levels</h4> 165 166 <p>The Android security team will usually drop the severity rating for a bug that 167 already requires executing code at a high privilege level. For example, a bug 168 in a kernel driver accessible only from a privileged service that 169 requires first compromising the service. In this case, the Android security 170 team may drop the severity from "high" to "moderate."</p> 171 172 <h4 id=severity_of_kernel_compromises>Severity of kernel compromises</h4> 173 174 <p>Whether a vulnerability that compromises the kernel is considered "high" or 175 "critical" depends on the device and the version of Android. On devices with a 176 TEE (or TrustZone) and <a 177 href="http://source.android.com/devices/tech/security/verifiedboot/index.html">verified 178 boot</a>, a kernel compromise is considered "high" because exploiting it won't 179 allow permanently affecting the operation of the device unless a vulnerability is 180 discovered in the TEE or verified boot implementation. In general, if the 181 result of a compromise can be remediated with a factory reset, it's "high" or 182 lower.</p> 183 184 <p>However, on older devices without verified boot, a kernel compromise can result 185 in permanent device compromise if SELinux is disabled and the system partition 186 is modified. On that device, a kernel compromise is considered "critical" 187 because remediation requires re-flashing the device's firmware image.</p> 188 189 <h3 id=affected_component>Affected component</h3> 190 191 <p>The development team responsible for fixing the bug depends on which component 192 the bug is in. It could be a core component of the Android platform, a kernel 193 driver supplied by an original equipment manufacturer (OEM), or one of the 194 pre-loaded apps on Nexus devices.</p> 195 196 <p>Bugs in AOSP code are fixed by the Android engineering team. Low-severity bugs, 197 bugs in certain components, or bugs that are already publicly known may be 198 fixed directly in the publicly available AOSP master branch; otherwise they're 199 fixed in our internal repositories first.</p> 200 201 <p>The component is also a factor in how users get updates. A bug in the framework 202 or kernel will require an over-the-air (OTA) firmware update that each OEM will 203 need to push. A bug in an app or library published in Google Play (e.g., Gmail, 204 Google Play Services, WebView in Lollipop and later versions) can be sent to 205 Android users as an update from Google Play. </p> 206 207 <h2 id=notifying_partners>Notifying partners</h2> 208 209 <p>When a moderate or higher severity security vulnerability in AOSP is fixed, 210 we'll notify <a href="http://www.openhandsetalliance.com/">Open Handset 211 Alliance</a> members with the details of the issue and provide patches for the 212 most recent three Android releases. The Android security team currently 213 provides patches for Android versions 4.4 (KitKat), 5.0 (Lollipop), and 5.1 214 (Lollipop MR1). This list of backport-supported versions changes with each new 215 Android release.</p> 216 217 <h2 id=releasing_code_to_aosp>Releasing code to AOSP</h2> 218 219 <p>If the security bug is in an AOSP component, the fix will be pushed out to AOSP 220 after the OTA is released to users. Fixes for low-severity issues may be 221 submitted directly to the AOSP master branch before a fix is available.</p> 222 223 <h2 id=android_updates>Receiving Android updates</h2> 224 225 <p>Updates to the Android system are generally delivered to devices through 226 OTA update packages. These updates may come from the OEM who 227 produced the device or the carrier who provides service to the device. Google 228 Nexus device updates come from the Google Nexus team after going through a 229 carrier technical acceptance (TA) testing procedure. Google also publishes <a 230 href="https://developers.google.com/android/nexus/images">Nexus factory 231 images</a> that can be side-loaded to devices.</p> 232 233 <h2 id=updating_google_services>Updating Google services</h2> 234 235 <p>In addition to providing patches for security bugs, the Android security team 236 also review security bugs to determine if there are other ways to protect 237 users. For example, Google Play scans all applications and will remove any 238 application that attempts to exploit a security bug. For applications installed 239 from outside of Google Play, devices with Google Play Services may also use the 240 <a href="https://support.google.com/accounts/answer/2812853">Verify Apps</a> 241 feature to warn users about applications that may be potentially harmful.</p> 242 243 <h2 id=other_resources>Other resources</h2> 244 245 <p>Information for Android application developers: <a 246 href="https://developer.android.com">https://developer.android.com</a></p> 247 248 <p>The Android security team can be reached at <a 249 href="mailto:security (a] android.com">security (a] android.com</a>. Our PGP key: <a 250 href="https://developer.android.com/security_at_android_dot_com.txt">https://developer.android.com/security_at_android_dot_com.txt</a></p> 251 252 <p>Security information exists throughout the Android Open Source and Developer 253 sites. Good places to start:<br> 254 <a href="http://source.android.com/devices/tech/security/index.html">http://source.android.com/devices/tech/security/index.html</a><br> 255 <a href="https://developer.android.com/guide/topics/security/security.html">https://developer.android.com/guide/topics/security/security.html</a></p> 256 257 <p>Security best practices for developers: <a 258 href="https://developer.android.com/guide/practices/security.html">https://developer.android.com/guide/practices/security.html</a>.</p> 259 260 <p>Community resource for discussion about Android security: <a 261 href="https://groups.google.com/forum/?fromgroups#!forum/android-security-discuss">https://groups.google.com/forum/?fromgroups#!forum/android-security-discuss</a></p> 262