1 page.title=Application security 2 @jd:body 3 4 <!-- 5 Copyright 2014 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 <div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"></ol> 23 </div> 24 </div> 25 26 <h2 id="elements-of-applications">Elements of Applications</h2> 27 <p>Android provides an open source platform and application environment for mobile 28 devices. The core operating system is based on the Linux kernel. Android 29 applications are most often written in the Java programming language and run in 30 the Dalvik virtual machine. However, applications can also be written in native 31 code. Applications are installed from a single file with the .apk file 32 extension.</p> 33 <p>The main Android application building blocks are:</p> 34 <ul> 35 <li> 36 <p><strong>AndroidManifest.xml</strong>: The <a href="https://developer.android.com/guide/topics/manifest/manifes 37 t-intro.html">AndroidManifest.xml</a> file is the control file that tells the system what to do with 38 all the top-level components (specifically activities, services, broadcast 39 receivers, and content providers described below) in an application. This also 40 specifies which permissions are required.</p> 41 </li> 42 <li> 43 <p><strong>Activities</strong>: An <a href="https://developer.android.com/guide/topics/fundamentals/activities.htm 44 l">Activity</a> is, generally, the code for a single, user-focused task. It usually 45 includes displaying a UI to the user, but it does not have to -- some 46 Activities never display UIs. Typically, one of the application's Activities 47 is the entry point to an application.</p> 48 </li> 49 <li> 50 <p><strong>Services</strong>: A <a href="https://developer.android.com/guide/topics/fundamentals/services.html">Service</a> is a body of code that runs in the background. It can run in its own process, 51 or in the context of another application's process. Other components "bind" to 52 a Service and invoke methods on it via remote procedure calls. An example of a 53 Service is a media player: even when the user quits the media-selection UI, the 54 user probably still intends for music to keep playing. A Service keeps the 55 music going even when the UI has completed.</p> 56 </li> 57 <li> 58 <p><strong>Broadcast Receiver</strong>: A <a href="https://developer.android.com/reference/android/content/Broad 59 castReceiver.html">BroadcastReceiver</a> is an object that is instantiated when an IPC mechanism 60 known as an <a href="https://developer.android.com/reference/android/content/Intent.html">Intent</a> is issued by the operating system or another application. An application may 61 register a receiver for the low battery message, for example, and change its 62 behavior based on that information.</p> 63 </li> 64 </ul> 65 <h2 id="the-android-permission-model-accessing-protected-apis">The Android Permission Model: Accessing Protected APIs</h2> 66 <p>All applications on Android run in an Application Sandbox, described earlier in this document. 67 By default, an Android application can only access a limited range of system 68 resources. The system manages Android application access to resources that, if 69 used incorrectly or maliciously, could adversely impact the user experience, 70 the network, or data on the device.</p> 71 <p>These restrictions are implemented in a variety of different forms. Some 72 capabilities are restricted by an intentional lack of APIs to the sensitive 73 functionality (e.g. there is no Android API for directly manipulating the SIM 74 card). In some instances, separation of roles provides a security measure, as 75 with the per-application isolation of storage. In other instances, the 76 sensitive APIs are intended for use by trusted applications and protected 77 through a security mechanism known as Permissions.</p> 78 <p>These protected APIs include:</p> 79 <ul> 80 <li>Camera functions</li> 81 <li>Location data (GPS)</li> 82 <li>Bluetooth functions</li> 83 <li>Telephony functions</li> 84 <li>SMS/MMS functions</li> 85 <li>Network/data connections</li> 86 </ul> 87 <p>These resources are only accessible through the operating system. To make use 88 of the protected APIs on the device, an application must define the 89 capabilities it needs in its manifest. When preparing to install an 90 application, the system displays a dialog to the user that indicates the 91 permissions requested and asks whether to continue the installation. If the 92 user continues with the installation, the system accepts that the user has 93 granted all of the requested permissions. The user can not grant or deny 94 individual permissions -- the user must grant or deny all of the requested 95 permissions as a block.</p> 96 <p>Once granted, the permissions are applied to the application as long as it is 97 installed. To avoid user confusion, the system does not notify the user again 98 of the permissions granted to the application, and applications that are 99 included in the core operating system or bundled by an OEM do not request 100 permissions from the user. Permissions are removed if an application is 101 uninstalled, so a subsequent re-installation will again result in display of 102 permissions.</p> 103 <p>Within the device settings, users are able to view permissions for applications 104 they have previously installed. Users can also turn off some functionality 105 globally when they choose, such as disabling GPS, radio, or wi-fi.</p> 106 <p>In the event that an application attempts to use a protected feature which has 107 not been declared in the application's manifest, the permission failure will 108 typically result in a security exception being thrown back to the application. 109 Protected API permission checks are enforced at the lowest possible level to 110 prevent circumvention. An example of the user messaging when an application is 111 installed while requesting access to protected APIs is shown in <em>Figure 2</em>.</p> 112 <p>The system default permissions are described at <a href="https://developer.android.com/reference/android/Manifest.permission.html">https://developer.android.com/reference/android/Manifest.permission.html</a>. 113 Applications may declare their own permissions for other applications to use. 114 Such permissions are not listed in the above location.</p> 115 <p>When defining a permission a protectionLevel attribute tells the system how the 116 user is to be informed of applications requiring the permission, or who is 117 allowed to hold a permission. Details on creating and using application 118 specific permissions are described at <a href="https://develo 119 per.android.com/guide/topics/security/security.html">https://developer.android.com/guide/topics/security/security.html</a>.</p> 120 <p>There are some device capabilities, such as the ability to send SMS broadcast 121 intents, that are not available to third-party applications, but that may be 122 used by applications pre-installed by the OEM. These permissions use the 123 signatureOrSystem permission.</p> 124 <h2 id="how-users-understand-third-party-applications">How Users Understand Third-Party Applications</h2> 125 <p>Android strives to make it clear to users when they are interacting with 126 third-party applications and inform the user of the capabilities those 127 applications have. Prior to installation of any application, the user is shown 128 a clear message about the different permissions the application is requesting. 129 After install, the user is not prompted again to confirm any permissions.</p> 130 <p>There are many reasons to show permissions immediately prior to installation 131 time. This is when user is actively reviewing information about the 132 application, developer, and functionality to determine whether it matches their 133 needs and expectations. It is also important that they have not yet 134 established a mental or financial commitment to the app, and can easily compare 135 the application to other alternative applications.</p> 136 <p>Some other platforms use a different approach to user notification, requesting 137 permission at the start of each session or while applications are in use. The 138 vision of Android is to have users switching seamlessly between applications at 139 will. Providing confirmations each time would slow down the user and prevent 140 Android from delivering a great user experience. Having the user review 141 permissions at install time gives the user the option to not install the 142 application if they feel uncomfortable.</p> 143 <p>Also, many user interface studies have shown that over-prompting the user 144 causes the user to start saying "OK" to any dialog that is shown. One of 145 Android's security goals is to effectively convey important security 146 information to the user, which cannot be done using dialogs that the user will 147 be trained to ignore. By presenting the important information once, and only 148 when it is important, the user is more likely to think about what they are 149 agreeing to.</p> 150 <p>Some platforms choose not to show any information at all about application 151 functionality. That approach prevents users from easily understanding and 152 discussing application capabilities. While it is not possible for all users to 153 always make fully informed decisions, the Android permissions model makes 154 information about applications easily accessible to a wide range of users. For 155 example, unexpected permissions requests can prompt more sophisticated users to 156 ask critical questions about application functionality and share their concerns 157 in places such as <a href="htts://play.google.com">Google Play</a> where they 158 are visible to all users.</p> 159 <table> 160 <tr> 161 <td><strong>Permissions at Application Install -- Google Maps</strong></td> 162 <td><strong>Permissions of an Installed Application -- Gmail</strong></td> 163 </tr> 164 <tr> 165 <td><img alt="Permissions at Application Install -- Google Maps" width=250 166 src="../images/image_install.png" /></td> 167 <td><img alt="Permissions of an Installed Application -- Gmail" width=250 168 src="../images/image_gmail_installed.png" id="figure1" /></td> 169 </tr> 170 </table> 171 <p class="img-caption"> 172 <strong>Figure 1.</strong> Display of permissions for applications 173 </p> 174 <h2 id="interprocess-communication">Interprocess Communication</h2> 175 <p>Processes can communicate using any of the traditional UNIX-type mechanisms. 176 Examples include the filesystem, local sockets, or signals. However, the Linux 177 permissions still apply.</p> 178 <p>Android also provides new IPC mechanisms:</p> 179 <ul> 180 <li> 181 <p><strong>Binder</strong>: A lightweight capability-based remote procedure call mechanism 182 designed for high performance when performing in-process and cross-process 183 calls. Binder is implemented using a custom Linux driver. See <a href="https://developer 184 .android.com/reference/android/os/Binder.html">https://developer.android.com/reference/android/os/Binder.html</a>.</p> 185 </li> 186 <li> 187 <p><strong>Services</strong>: Services (discussed above) can provide interfaces directly 188 accessible using binder.</p> 189 </li> 190 <li> 191 <p><strong>Intents</strong>: An Intent is a simple message object that represents an 192 "intention" to do something. For example, if your application wants to display 193 a web page, it expresses its "Intent" to view the URL by creating an Intent 194 instance and handing it off to the system. The system locates some other piece 195 of code (in this case, the Browser) that knows how to handle that Intent, and 196 runs it. Intents can also be used to broadcast interesting events (such as a 197 notification) system-wide. See 198 [https://developer.android.com/reference/android/content/Intent.html](https://developer.android.com/reference/android/content/Intent.html.</p> 199 </li> 200 <li> 201 <p><strong>ContentProviders</strong>: A ContentProvider is a data storehouse that provides 202 access to data on the device; the classic example is the ContentProvider that 203 is used to access the user's list of contacts. An application can access data 204 that other applications have exposed via a ContentProvider, and an application 205 can also define its own ContentProviders to expose data of its own. See <a href="https://developer.android.com/reference/android/content/ContentProvider.html">https://developer.android.com/reference/android/content/ContentProvider.html</a>.</p> 206 </li> 207 </ul> 208 <p>While it is possible to implement IPC using other mechanisms such as network 209 sockets or world-writable files, these are the recommended Android IPC 210 frameworks. Android developers will be encouraged to use best practices around 211 securing users' data and avoiding the introduction of security vulnerabilities.</p> 212 <h2 id="cost-sensitive-apis">Cost-Sensitive APIs</h2> 213 <p>A cost sensitive API is any function that might generate a cost for the user or 214 the network. The Android platform has placed cost sensitive APIs in the list of 215 protected APIs controlled by the OS. The user will have to grant explicit 216 permission to third-party applications requesting use of cost sensitive APIs. 217 These APIs include:</p> 218 <ul> 219 <li>Telephony</li> 220 <li>SMS/MMS</li> 221 <li>Network/Data</li> 222 <li>In-App Billing</li> 223 <li>NFC Access</li> 224 </ul> 225 <p> Android 4.2 adds further control on the use of SMS. Android will provide a 226 notification if an application attempts to send SMS to a short code that uses 227 premium services which might cause additional charges. The user can choose 228 whether to allow the application to send the message or block it. </p> 229 <h2 id="sim-card-access">SIM Card Access</h2> 230 <p>Low level access to the SIM card is not available to third-party apps. The OS 231 handles all communications with the SIM card including access to personal 232 information (contacts) on the SIM card memory. Applications also cannot access 233 AT commands, as these are managed exclusively by the Radio Interface Layer 234 (RIL). The RIL provides no high level APIs for these commands.</p> 235 <h2 id="personal-information">Personal Information</h2> 236 <p>Android has placed APIs that provide access to user data into the set of 237 protected APIs. With normal usage, Android devices will also accumulate user 238 data within third-party applications installed by users. Applications that 239 choose to share this information can use Android OS permission checks to 240 protect the data from third-party applications.</p> 241 <img alt="Access to sensitive user data available only through protected 242 APIs" src="../images/permissions_check.png" id="figure2" /> 243 <p class="img-caption"> 244 <strong>Figure 2.</strong> Access to sensitive user data is available only through protected APIs 245 </p> 246 <p>System content providers that are likely to contain personal or personally 247 identifiable information such as contacts and calendar have been created with 248 clearly identified permissions. This granularity provides the user with clear 249 indication of the types of information that may be provided to the application. 250 During installation, a third-party application may request permission to 251 access these resources. If permission is granted, the application can be 252 installed and will have access to the data requested at any time when it is 253 installed.</p> 254 <p>Any applications which collect personal information will, by default, have that 255 data restricted only to the specific application. If an application chooses to 256 make the data available to other applications though IPC, the application 257 granting access can apply permissions to the IPC mechanism that are enforced by 258 the operating system.</p> 259 <h2 id="sensitive-data-input-devices">Sensitive Data Input Devices</h2> 260 <p>Android devices frequently provide sensitive data input devices that allow 261 applications to interact with the surrounding environment, such as camera, 262 microphone or GPS. For a third-party application to access these devices, it 263 must first be explicitly provided access by the user through the use of Android 264 OS Permissions. Upon installation, the installer will prompt the user 265 requesting permission to the sensor by name.</p> 266 <p>If an application wants to know the user's location, the application requires a 267 permission to access the user's location. Upon installation, the installer will 268 prompt the user asking if the application can access the user's location. At 269 any time, if the user does not want any application to access their location, 270 then the user can run the "Settings" application, go to "Location & Security", 271 and uncheck the "Use wireless networks" and "Enable GPS satellites". This will 272 disable location based services for all applications on the user's device.</p> 273 <h2 id="device-metadata">Device Metadata</h2> 274 <p>Android also strives to restrict access to data that is not intrinsically 275 sensitive, but may indirectly reveal characteristics about the user, user 276 preferences, and the manner in which they use a device.</p> 277 <p>By default applications do not have access to operating system logs, 278 browser history, phone number, or hardware / network identification 279 information. If an application requests access to this information at install 280 time, the installer will prompt the user asking if the application can access 281 the information. If the user does not grant access, the application will not be 282 installed.</p> 283 <h2 id="application-signing">Application Signing</h2> 284 <p>Code signing allows developers to identify the author of the application and to 285 update their application without creating complicated interfaces and 286 permissions. Every application that is run on the Android platform must be 287 signed by the developer. Applications that attempt to install without being 288 signed will rejected by either Google Play or the package installer on 289 the Android device.</p> 290 <p>On Google Play, application signing bridges the trust Google has with the 291 developer and the trust the developer has with their application. Developers 292 know their application is provided, unmodified to the Android device; and 293 developers can be held accountable for behavior of their application.</p> 294 <p>On Android, application signing is the first step to placing an application in 295 its Application Sandbox. The signed application certificate defines which user 296 id is associated with which application; different applications run under 297 different user IDs. Application signing ensures that one application cannot 298 access any other application except through well-defined IPC.</p> 299 <p>When an application (APK file) is installed onto an Android device, the Package 300 Manager verifies that the APK has been properly signed with the certificate 301 included in that APK. If the certificate (or, more accurately, the public key 302 in the certificate) matches the key used to sign any other APK on the device, 303 the new APK has the option to specify in the manifest that it will share a UID 304 with the other similarly-signed APKs.</p> 305 <p>Applications can be signed by a third-party (OEM, operator, alternative market) 306 or self-signed. Android provides code signing using self-signed certificates 307 that developers can generate without external assistance or permission. 308 Applications do not have to be signed by a central authority. Android currently 309 does not perform CA verification for application certificates.</p> 310 <p>Applications are also able to declare security permissions at the Signature 311 protection level, restricting access only to applications signed with the same 312 key while maintaining distinct UIDs and Application Sandboxes. A closer 313 relationship with a shared Application Sandbox is allowed via the <a href="https://developer.android.com/guide/topics/manifest/manifest-element.html#uid">shared UID 314 feature</a> where two or more applications signed with same developer key can 315 declare a shared UID in their manifest.</p> 316 <h2 id="app-verification">Application Verification</h2> 317 <p> Android 4.2 and later support application verification. Users can choose to 318 enable Verify Apps" and have applications evaluated by an application verifier 319 prior to installation. App verification can alert the user if they try to 320 install an app that might be harmful; if an application is especially bad, it 321 can block installation. </p> 322 <h2 id="digital-rights-management">Digital Rights Management</h2> 323 <p>The Android platform provides an extensible DRM framework that lets 324 applications manage rights-protected content according to the license 325 constraints that are associated with the content. The DRM framework supports 326 many DRM schemes; which DRM schemes a device supports is left to the device 327 manufacturer.</p> 328 <p>The <a href="https://developer.android.com/reference/android/drm/package-summary.html">Android DRM 329 framework</a> is implemented in two architectural layers (see figure below):</p> 330 <ul> 331 <li> 332 <p>A DRM framework API, which is exposed to applications through the Android 333 application framework and runs through the Dalvik VM for standard applications.</p> 334 </li> 335 <li> 336 <p>A native code DRM manager, which implements the DRM framework and exposes an 337 interface for DRM plug-ins (agents) to handle rights management and decryption 338 for various DRM schemes</p> 339 </li> 340 </ul> 341 <p><img alt="Architecture of Digital Rights Management on Android 342 platform" src="/devices/images/ape_fwk_drm_2.png" id="figure3" /></p> 343 <p class="img-caption"> 344 <strong>Figure 3.</strong> Architecture of Digital Rights Management on Android platform 345 </p> 346
