      1 page.title= Security updates and resources
      2 @jd:body
      3 
      4 <!--
      5     Copyright 2015 The Android Open Source Project
      6 
      7     Licensed under the Apache License, Version 2.0 (the "License");
      8     you may not use this file except in compliance with the License.
      9     You may obtain a copy of the License at
     10 
     11         http://www.apache.org/licenses/LICENSE-2.0
     12 
     13     Unless required by applicable law or agreed to in writing, software
     14     distributed under the License is distributed on an "AS IS" BASIS,
     15     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     16     See the License for the specific language governing permissions and
     17     limitations under the License.
     18 -->
     19 <div id="qv-wrapper">
     20   <div id="qv">
     21     <h2>In this document</h2>
     22     <ol id="auto-toc"></ol>
     23   </div>
     24 </div>
     25 
     26 <h2 id=android_security_bug_lifecycle>Android security bug lifecycle</h2>
     27 
     28 <p>The Android security team is responsible for managing security vulnerabilities
     29 discovered in the Android platform and many of the core Android apps bundled
     30 with Android devices.</p>
     31 
     32 <p>The Android security team finds security vulnerabilities through internal
     33 research and also responds to bugs reported by third parties. Sources of
     34 external bugs include issues reported through the Android Open Source
     35 Project (AOSP) <a
     36 href="https://code.google.com/p/android/issues/entry?template=Security%20bug%20report">Security
     37 bug report</a> template, published and pre-published academic research,
     38 upstream open source project maintainers, notifications from our device
     39 manufacturer partners, and publicly disclosed issues posted on blogs or social
     40 media.</p>
     41 
     42 <h2 id=report-issues>Reporting security issues</h2>
     43 
     44 <p>Any developer, Android user, or security researcher can notify the Android
     45 security team of potential security issues through the AOSP bug tracker <a
     46 href="https://code.google.com/p/android/issues/entry?template=Security%20bug%20report">Security
     47 bug report</a> template.</p>
     48 
     49 <p>Bugs marked as security issues are not externally visible, but they may
     50 eventually be made visible after the issue is evaluated or resolved. If you
     51 plan to submit a patch or Compatibility Test Suite (CTS) test to resolve a
     52 security issue, please attach it to the bug report and wait for a response
     53 before uploading the code to AOSP.</p>
     54 
     55 <h2 id=triaging_bugs>Triaging bugs</h2>
     56 
     57 <p>The first task in handling a security vulnerability is to identify the severity
     58 of the bug and which component of Android is affected. The severity determines
     59 how the issue is prioritized, and the component determines who fixes the bug,
     60 who is notified, and how the fix gets deployed to users.</p>
     61 
     62 <h3 id=process_types>Process types</h3>
     63 <p>This table covers the definitions of process types. The process type can be
     64 defined by the type of application or process or the area in which it runs.
     65 This table is ordered from least to most privileged.</p>
     66 <table>
     67  <tr>
     68     <th>Process type</th>
     69     <th>Type definition</th>
     70  </tr>
     71  <tr>
     72     <td>Constrained process</td>
     73     <td>A process that runs in a highly limited SELinux domain.<br />
     74            OR<br />
     75            A process that is significantly more limited than a normal application.</td>
     76  </tr>
     77  <tr>
     78     <td>Unprivileged process</td>
     79     <td>A third-party application or process.<br />
     80            OR<br />
     81           An application or process that runs in the SELinux <code>untrusted_app</code> domain.</td>
     82  </tr>
     83  <tr>
     84     <td>Privileged process</td>
      85     <td>An application or process with capabilities that would be restricted by the SELinux
      86         <code>untrusted_app</code> domain.<br />
     87          OR<br />
     88          An application or process with important privileges that a third-party
     89          application cannot obtain.</td>
     90  </tr>
     91  <tr>
     92     <td>Kernel</td>
     93     <td>Functionality that is either part of the kernel or runs in the same CPU context
     94         as the kernel (like device drivers).</td>
     95  </tr>
     96  <tr>
     97     <td>Trusted Execution Environment (TEE)</td>
     98     <td> A component that is designed to be protected from even a hostile kernel.</td>
     99  </tr>
    100 </table>
    101 
    102 
    103 <h3 id=severity>Severity</h3>
    104 
    105 
     106 <p>The severity of a bug generally reflects the potential harm that could occur if
     107 the bug were successfully exploited. Use the following criteria to determine the
    108 severity:</p>
    109 <table>
    110  <tr>
    111     <th>Rating</th>
    112     <th>Consequence of successful exploitation</th>
    113  </tr>
    114  <tr>
    115     <td><strong>Critical</strong></td>
    116     <td>
    117           <ul>
    118              <li> Remote arbitrary code execution in a privileged process
    119              <li> Permanent device compromise (device cannot be repaired without re-flashing the
    120                   entire operating system)
    121              <li> Unauthorized access to data secured by the TEE
    122              <li> Remote permanent denial of service (device inoperability: completely permanent
    123                   or requiring re-flashing the entire operating system)
    124           </ul>
    125     </td>
    126  </tr>
    127  <tr>
    128      <td><strong>High</strong></td>
    129      <td>
    130           <ul>
    131              <li> Remote arbitrary code execution in an unprivileged process
    132              <li> Remote access to protected data (data normally accessible only to locally
    133                   installed apps that request permission, or that is limited to a privileged
    134                   process)
    135              <li> Remote bypass of user interaction requirements (access to functionality that
    136                   would normally require either user initiation or user permission)
    137              <li> Local arbitrary code execution in a privileged process
    138              <li> Local permanent denial of service (device inoperability: completely permanent
    139                   or requiring re-flashing the entire operating system)
    140              <li> A general bypass for a kernel level defense in depth or exploit mitigation
    141                   technology
    142              <li> Remote temporary device denial of service (remote hang or reboot)
    143              <li> Local bypass of user interaction requirements for any developer or security
    144                   settings modifications
    145              <li> A general bypass for operating system protections that isolate application data
    146                   from other applications
    147              <li> Lockscreen bypass
    148         </ul>
    149     </td>
    150  </tr>
    151  <tr>
    152      <td><strong>Moderate</strong></td>
    153      <td>
    154           <ul>
    155              <li> Remote arbitrary code execution in a constrained process
    156              <li> Local bypass of user interaction requirements (access to functionality that
    157                   would normally require either user initiation or user permission)
    158              <li> Local temporary denial of service (device requires a factory reset)
    159              <li> A general bypass for a user level defense in depth or exploit mitigation
    160                   technology in a privileged process
    161              <li> Remote access to unprotected data (data normally accessible to any locally
    162                   installed app)
     163              <li> Bypass of Device Protection/Factory Reset Protection
    164         </ul>
    165     </td>
    166  </tr>
    167  <tr>
    168      <td><strong>Low</strong></td>
    169      <td>
    170           <ul>
    171              <li> A general bypass for a user level defense in depth or exploit mitigation
    172                   technology in an unprivileged process
    173              <li> Local temporary denial of service (can be resolved by booting the device into
    174                   Safe Mode and removing the problematic application, or by a factory reset if
    175                   the device does not support Safe Mode)
    176           </ul>
    177      </td>
    178  </tr>
    179 </table>
    180 
    181 
    182 <h4 id=local_vs_remote>Local vs. remote</h4>
    183 
    184 <p>A remote attack vector indicates the bug could be exploited without installing
    185 an app or without physical access to the device. This includes bugs that could
    186 be triggered by browsing to a web page, reading an email, receiving an SMS
    187 message, or connecting to a hostile network. For the purpose of our severity
    188 ratings, the Android security team also considers "proximal" attack vectors as
    189 remote. These include bugs that can be exploited only by an attacker who is
    190 physically near the target device, for example a bug that requires sending
    191 malformed Wi-Fi or Bluetooth packets.</p>
    192 
    193 <p>Local attacks require the victim to install an app. For the purpose of severity
    194 ratings, the Android security team also considers physical attack vectors as
    195 local. These include bugs that can be exploited only by an attacker who has
    196 physical access to the device, for example a bug in a lock screen or one that
    197 requires plugging in a USB cable. The Android security team also considers
    198 NFC-based attacks as local.</p>
    199 
    200 <h3 id=rating_modifiers>Rating modifiers</h3>
    201 <p>While the severity of security vulnerabilities is often easy to identify,
     202 ratings may change based on circumstances.</p>
    203 <table>
    204  <tr>
    205     <th>Reason</th>
    206     <th>Effect</th>
    207  </tr>
    208  <tr>
    209     <td>Requires running as a privileged process to execute the attack</td>
    210     <td>-1 Severity</td>
    211  </tr>
    212  <tr>
    213     <td>Vulnerability-specific details limit the impact of the issue </td>
    214     <td>-1 Severity</td>
    215  </tr>
    216 </table>
    217 
    218 
    219 <h3 id=affected_component>Affected component</h3>
    220 
    221 <p>The development team responsible for fixing the bug depends on which component
    222 the bug is in. It could be a core component of the Android platform, a kernel
    223 driver supplied by an original equipment manufacturer (OEM), or one of the
    224 pre-loaded apps on Nexus devices.</p>
    225 
    226 <p>Bugs in AOSP code are fixed by the Android engineering team. Low-severity bugs,
    227 bugs in certain components, or bugs that are already publicly known may be
    228 fixed directly in the publicly available AOSP master branch; otherwise they're
    229 fixed in our internal repositories first.</p>
    230 
    231 <p>The component is also a factor in how users get updates. A bug in the framework
    232 or kernel will require an over-the-air (OTA) firmware update that each OEM will
    233 need to push. A bug in an app or library published in Google Play (e.g., Gmail,
    234 Google Play Services, WebView in Lollipop and later versions) can be sent to
    235 Android users as an update from Google Play. </p>
    236 
    237 <h2 id=notifying_partners>Notifying partners</h2>
    238 
    239 <p>When a moderate or higher severity security vulnerability in AOSP is fixed,
    240 we'll notify Android partners of issue details and provide patches for a minimum
    241 of the most recent three Android releases. The Android security team currently
    242 provides patches for Android versions 4.4 (KitKat), 5.0 (Lollipop), 5.1
    243 (Lollipop MR1), and 6.0 (Marshmallow). This list of backport-supported versions
    244 changes with each new Android release.</p>
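
<p>An added example, not part of the original AOSP page: a Python triage helper that combines the local vs. remote rules, a subset of the severity table, the rating modifiers, and the partner-notification threshold described above. The record fields, function names and sample bugs are constructed for illustration; that modifiers stack and that a rating never drops below Low are assumptions the page does not state.</p>

```python
from enum import IntEnum

class Severity(IntEnum):
    LOW, MODERATE, HIGH, CRITICAL = 1, 2, 3, 4

# "Local vs. remote": proximal counts as remote; physical and NFC count as local.
VECTOR_CLASS = {"remote": "remote", "proximal": "remote",
                "local": "local", "physical": "local", "nfc": "local"}

# Subset of the page's severity table: (consequence, vector class, qualifier).
BASE = {
    ("code_execution", "remote", "privileged"): Severity.CRITICAL,
    ("code_execution", "remote", "unprivileged"): Severity.HIGH,
    ("code_execution", "remote", "constrained"): Severity.MODERATE,
    ("code_execution", "local", "privileged"): Severity.HIGH,
    ("denial_of_service", "remote", "permanent"): Severity.CRITICAL,
    ("denial_of_service", "remote", "temporary"): Severity.HIGH,
    ("denial_of_service", "local", "permanent"): Severity.HIGH,
    ("denial_of_service", "local", "factory_reset"): Severity.MODERATE,
    ("denial_of_service", "local", "safe_mode"): Severity.LOW,
}

def rate(bug):
    """Return the Severity of one bug record, or None if BASE has no row for it."""
    key = (bug["consequence"], VECTOR_CLASS[bug["vector"]], bug["qualifier"])
    base = BASE.get(key)
    if base is None:
        return None  # not covered by this subset: needs a human rating
    # Each rating-modifier row that applies lowers the rating by one step.
    # Assumptions (not stated on the page): modifiers stack, floor is LOW.
    steps = bool(bug.get("needs_privileged")) + bool(bug.get("limited_impact"))
    return Severity(max(Severity.LOW, base - steps))

def triage(bugs):
    """Rate each record and return summaries ordered most severe first."""
    rated = []
    for bug in bugs:
        sev = rate(bug)
        rated.append({
            "id": bug["id"],
            "severity": sev,
            # "Notifying partners": moderate or higher (bug assumed to be in AOSP).
            "notify_partners": sev is not None and sev >= Severity.MODERATE,
        })
    return sorted(rated, key=lambda r: r["severity"] or 0, reverse=True)

# Constructed sample records (hypothetical, not real bugs).
SAMPLE = [
    {"id": "EX-1", "consequence": "denial_of_service", "vector": "physical", "qualifier": "safe_mode", "needs_privileged": True},
    {"id": "EX-2", "consequence": "code_execution", "vector": "proximal", "qualifier": "privileged"},
    {"id": "EX-3", "consequence": "code_execution", "vector": "remote", "qualifier": "unprivileged", "limited_impact": True},
    {"id": "EX-4", "consequence": "denial_of_service", "vector": "nfc", "qualifier": "permanent"},
    {"id": "EX-5", "consequence": "code_execution", "vector": "local", "qualifier": "unprivileged"},
]
```
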
    245 
    246 <h2 id=releasing_code_to_aosp>Releasing code to AOSP</h2>
    247 
    248 <p>If the security bug is in an AOSP component, the fix will be pushed out to AOSP
    249 after the OTA is released to users. Fixes for low-severity issues may be
    250 submitted directly to the AOSP master branch before a fix is available.</p>
    251 
    252 <h2 id=android_updates>Receiving Android updates</h2>
    253 
    254 <p>Updates to the Android system are generally delivered to devices through
    255 OTA update packages. These updates may come from the OEM who
    256 produced the device or the carrier who provides service to the device. Google
    257 Nexus device updates come from the Google Nexus team after going through a
    258 carrier technical acceptance (TA) testing procedure. Google also publishes <a
    259 href="https://developers.google.com/android/nexus/images">Nexus factory
    260 images</a> that can be side-loaded to devices.</p>
    261 
    262 <h2 id=updating_google_services>Updating Google services</h2>
    263 
    264 <p>In addition to providing patches for security bugs, the Android security team
     265 also reviews security bugs to determine if there are other ways to protect
    266 users. For example, Google Play scans all applications and will remove any
    267 application that attempts to exploit a security bug. For applications installed
    268 from outside of Google Play, devices with Google Play Services may also use the
    269 <a href="https://support.google.com/accounts/answer/2812853">Verify Apps</a>
    270 feature to warn users about applications that may be potentially harmful.</p>
    271 
    272 <h2 id=other_resources>Other resources</h2>
    273 
    274 <p>Information for Android application developers: <a
    275 href="https://developer.android.com">https://developer.android.com</a></p>
    276 
    277 <p>Security information exists throughout the Android Open Source and Developer
    278 sites. Good places to start:<br>
    279 <a href="https://source.android.com/security/index.html">https://source.android.com/security/index.html</a><br>
    280 <a href="https://developer.android.com/training/articles/security-tips.html">https://developer.android.com/training/articles/security-tips.html</a></p>
    281 
    282 <h3 id=reports>Reports</h3>
    283 <p>Sometimes the Android Security team publishes reports or whitepapers. Here are some of the most recent.</p>
    284 <ul>
    285   <li><a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf">
    286       Android Security 2015 Year In Review</a></li>
    287   <li><a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2014_Report_Final.pdf">
    288       Android Security 2014 Year In Review</a></li>
    289   <li><a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Android_WhitePaper_Final_02092016.pdf">
    290       Android Security white paper</a></li>
    291   <li><a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf">
    292       Classifications for Potentially Harmful Applications</a></li>
    293 </ul>
    294 
    295 <h3 id=slides>Android Bootcamp 2016 slides</h3>
    296 <p>The Android Security team has published their Android Bootcamp 2016 slides that cover new security features.</p>
    297 <ul>
    298   <li><a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Android-Bootcamp-2016-Verified-Boot-and-Encryption.pdf">
    299       Verified boot and encryption</a></li>
    300   <li><a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Android-Bootcamp-2016-SafetyNet.pdf">
    301       SafetyNet</a></li>
    302   <li><a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Android-Bootcamp-2016-New-App-Lifecycle-for-Encryption.pdf">
    303       New app life cycle for encryption</a></li>
    304   <li><a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Android-Bootcamp-2016-Keeping-Google-Play-safe.pdf">
    305       Keeping Google Play safe</a></li>
    306   <li><a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Android-Bootcamp-2016-Defense-in-depth-efforts.pdf">
    307       Defense in depth efforts</a></li>
    308   <li><a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Android-Bootcamp-2016-Android-Keystore-Attestation.pdf">
    309       Keystore attestation</a></li>
    310   <li><a href="http://static.googleusercontent.com/media/source.android.com/en//security/reports/Android-Bootcamp-2016-Android-Attack-Team.pdf">
    311       Android attack team</a></li>
    312 </ul>
    313 
    314