<html devsite>
<head>
<title>Security</title>
<meta name="project_path" value="/_project.yaml" />
<meta name="book_path" value="/_book.yaml" />
</head>
<body>
<!--
Copyright 2017 The Android Open Source Project

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

<p>
Android incorporates industry-leading security features and works with
developers and device implementers to keep the Android platform and ecosystem
safe. A robust security model is essential to enable a vigorous ecosystem of
applications and devices built on and around the Android platform and supported
by cloud services. As a result, through its entire development lifecycle,
Android has been subject to a rigorous security program.
</p>
<p>
<strong>Android is designed to be open</strong>. Android applications use
advanced hardware and software, as well as local and served data, exposed
through the platform to bring innovation and value to consumers. To realize that
value, the platform offers an application environment that protects the
confidentiality, integrity, and availability of users, data, applications, the
device, and the network.
</p>
<p>
Securing an open platform requires a strong security architecture and rigorous
security programs. Android was designed with multi-layered security that is
flexible enough to support an open platform while still protecting all users of
the platform. For information about reporting security issues and the update
process, see <a href="/security/overview/updates-resources.html">Security
Updates and Resources</a>.
</p>
<p>
<strong>Android is designed for developers</strong>. Security controls were
designed to reduce the burden on developers. Security-savvy developers can
easily work with and rely on flexible security controls. Developers less
familiar with security are protected by safe defaults.
</p>
<p>
In addition to providing a stable platform to build upon, Android gives
additional support to developers in a number of ways. The Android security team
looks for potential vulnerabilities in apps and suggests ways to fix those
issues. For devices with Google Play, Play Services delivers security updates
for critical software libraries, such as OpenSSL, which is used to secure
application communications. The Android security team released a tool for
testing SSL (<a href="https://github.com/google/nogotofail">nogotofail</a>) that
helps developers find potential security issues on whichever platform they are
developing for.
</p>
<p>
More information for Android app developers can be found on
<a href="https://developer.android.com/training/best-security.html">developer.android.com</a>.
</p>
<p>
<strong>Android is designed for users</strong>. Users are provided visibility
into permissions requested by each application and control over those
permissions. This design includes the expectation that attackers would attempt
to perform common attacks, such as social engineering attacks to convince device
users to install malware, and attacks on third-party applications on Android.
Android was designed to both reduce the probability of these attacks and greatly
limit the impact of an attack in the event it is successful. Android security
continues to progress once the device is in the user's hands: Android works with
<a href="/security/overview/acknowledgements.html">partners and the
public</a> to provide patches for any Android device that is continuing to
receive security updates.
</p>
<p>
More information for end users can be found in the <a
href="https://support.google.com/nexus/answer/6172890">Nexus help center</a>,
<a href="https://support.google.com/pixelphone/answer/6172890">Pixel help center</a>,
or your device manufacturer's help center.
</p>
<p>
This documentation outlines the goals of the Android security program, describes
the fundamentals of the Android security architecture, and answers the most
pertinent questions for system architects and security analysts. It focuses on
the security features of Android's core platform and does not discuss security
issues that are unique to specific applications, such as those related to the
browser or SMS application.
</p>

<h2 id="background">Background</h2>
<p>
Android provides an open source platform and application environment for mobile
devices.
</p>
<p>
The sections and pages below describe the security features of the Android
platform. <em>Figure 1</em> summarizes the security components and
considerations of the various levels of the Android software stack. Each
component assumes that the components below it are properly secured. With the
exception of a small amount of Android OS code running as root, all code above
the Linux kernel is restricted by the Application Sandbox.
</p>

<p><img alt="Figure 1: Android software stack" src="images/android_software_stack.png" /></p>
<p class="img-caption">
<strong>Figure 1</strong>. Android software stack.
</p>
<p>
The main Android platform building blocks are:
</p>
<ul>
<li><strong>Device hardware</strong>: Android runs on a wide range of hardware
configurations including smart phones, tablets, watches, automobiles, smart TVs,
OTT gaming boxes, and set-top boxes. Android is processor-agnostic, but it does
take advantage of some hardware-specific security capabilities such as ARM
eXecute-Never.</li>
<li><strong>Android operating system</strong>: The core operating system is
built on top of the Linux kernel. All device resources, like camera functions,
GPS data, Bluetooth functions, telephony functions, network connections, etc.,
are accessed through the operating system.</li>
<li><strong>Android Application Runtime</strong>: Android applications are most
often written in the Java programming language and run in the Android runtime
(ART). However, many applications, including core Android services and
applications, are native applications or include native libraries. Both ART and
native applications run within the same security environment, contained within
the Application Sandbox. Applications get a dedicated part of the filesystem in
which they can write private data, including databases and raw files.</li>
</ul>
<p>
Android applications extend the core Android operating system. There are two
primary sources for applications:
</p>
<ul>
<li><strong>Pre-installed applications</strong>: Android includes a set of
pre-installed applications including phone, email, calendar, web browser, and
contacts. These function both as user applications and to provide key device
capabilities that can be accessed by other applications. Pre-installed
applications may be part of the open source Android platform, or they may be
developed by a device manufacturer for a specific device.</li>
<li><strong>User-installed applications</strong>: Android provides an open
development environment that supports any third-party application. Google Play
offers users hundreds of thousands of applications.</li>
</ul>

<h2 id="google-security-services">Google security services</h2>
<p>
Google provides a set of cloud-based services that are available to compatible
Android devices with <a href="https://www.android.com/gms/">Google Mobile
Services</a>. While these services are not part of the Android Open Source
Project, they are included on many Android devices. For more information on
some of these services, see Android Security's
<a href="/security/reports/Google_Android_Security_2015_Report_Final.pdf">2015
Year in Review</a>.
</p>
<p>
The primary Google security services are:
</p>
<ul>
<li><strong>Google Play</strong>: Google Play is a collection of services that
allow users to discover, install, and purchase applications from their Android
device or the web. Google Play makes it easy for developers to reach Android
users and potential customers. Google Play also provides community review,
application
<a href="https://developer.android.com/guide/publishing/licensing.html">license
verification</a>, application security scanning, and other security services.</li>
<li><strong>Android updates</strong>: The Android update service delivers new
capabilities and security updates to selected Android devices, including updates
through the web or over the air (OTA).</li>
<li><strong>Application services</strong>: Frameworks that allow Android
applications to use cloud capabilities such as
<a href="https://developer.android.com/guide/topics/data/backup.html">backing
up</a> application data and settings, and cloud-to-device messaging
(<a href="https://developers.google.com/cloud-messaging/">C2DM</a>) for push
messaging.</li>
<li><strong>Verify Apps</strong>: Warns about or automatically blocks the
installation of harmful applications, and continually scans applications on the
device, warning about or removing
<a href="https://support.google.com/accounts/answer/2812853">harmful apps</a>.
</li>
<li><strong>SafetyNet</strong>: A privacy-preserving intrusion detection system
that assists Google in tracking and mitigating known security threats, and in
identifying new security threats.</li>
<li><strong>SafetyNet Attestation</strong>: Third-party API to determine
whether the device is CTS compatible. <a
href="http://developer.android.com/training/safetynet/index.html">Attestation</a>
can also help identify the Android app communicating with the app server.</li>
<li><strong>Android Device Manager</strong>: A
<a href="https://www.google.com/android/devicemanager">web app</a> and
<a href="https://play.google.com/store/apps/details?id=com.google.android.apps.adm">Android
app</a> to locate a lost or stolen device.</li>
</ul>

<h2 id="security-program-overview">Security program overview</h2>
<p>
The key components of the Android Security Program include:
</p>
<ul>
<li><strong>Design review</strong>: The Android security process begins early in
the development lifecycle with the creation of a rich and configurable security
model and design. Each major feature of the platform is reviewed by engineering
and security resources, with appropriate security controls integrated into the
architecture of the system.</li>
<li><strong>Penetration testing and code review</strong>: During the development
of the platform, Android-created and open source components are subject to
vigorous security reviews. These reviews are performed by the Android Security
Team, Google's Information Security Engineering team, and independent security
consultants. The goal of these reviews is to identify weaknesses and possible
vulnerabilities well before major releases, and to simulate the types of
analysis that will be performed by external security experts upon release.</li>
<li><strong>Open source and community review</strong>: The Android Open Source
Project enables broad security review by any interested party. Android also uses
open source technologies that have undergone significant external security
review, such as the Linux kernel. Google Play provides a forum for users and
companies to provide information about specific applications directly to users.</li>
<li><strong>Incident Response</strong>: Even with all of these precautions,
security issues may occur after shipping, which is why the Android project has
created a comprehensive security response process. Full-time Android security
team members monitor the Android-specific and general security communities for
discussion of potential vulnerabilities and review
<a href="/security/overview/updates-resources.html#android_security_bug_lifecycle">security
bugs</a> filed on the Android bug database. Upon the discovery of legitimate
issues, the Android team has a response process that enables the rapid
mitigation of vulnerabilities to ensure that potential risk to all Android users
is minimized. These cloud-supported responses can include updating the Android
platform (over-the-air updates), removing applications from Google Play, and
removing applications from devices in the field.</li>
<li><strong>Monthly security updates</strong>: The Android security team
provides <a href="/security/bulletin/index.html">monthly
updates</a> to Google Nexus devices and all of our device manufacturing
partners.</li>
</ul>

<h2 id="platform-security-architecture">Platform security architecture</h2>
<p>
Android seeks to be the most secure and usable operating system for mobile
platforms by re-purposing traditional operating system security controls to:
</p>
<ul>
<li>Protect application and user data</li>
<li>Protect system resources (including the network)</li>
<li>Provide application isolation from the system, other applications, and from
the user</li>
</ul>
<p>
To achieve these objectives, Android provides these key security features:
</p>
<ul>
<li>Robust security at the OS level through the Linux kernel</li>
<li>Mandatory application sandbox for all applications</li>
<li>Secure interprocess communication</li>
<li>Application signing</li>
<li>Application-defined and user-granted permissions</li>
</ul>

</body>
</html>