1 <html devsite> 2 <head> 3 <title>Application security</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <h2 id="elements-of-applications">Elements of Applications</h2> 27 <p>Android provides an open source platform and application environment for mobile 28 devices. The core operating system is based on the Linux kernel. Android 29 applications are most often written in the Java programming language and run in 30 the Dalvik virtual machine. However, applications can also be written in native 31 code. Applications are installed from a single file with the .apk file 32 extension.</p> 33 <p>The main Android application building blocks are:</p> 34 <ul> 35 <li> 36 <p><strong>AndroidManifest.xml</strong>: The <a 37 href="https://developer.android.com/guide/topics/manifest/manifest-intro.html">AndroidManifest.xml</a> 38 file is the control file that tells the system what to do with 39 all the top-level components (specifically activities, services, broadcast 40 receivers, and content providers described below) in an application. This also 41 specifies which permissions are required.</p> 42 </li> 43 <li> 44 <p><strong>Activities</strong>: An <a 45 href="https://developer.android.com/guide/topics/fundamentals/activities.html">Activity</a> 46 is, generally, the code for a single, user-focused task. It usually 47 includes displaying a UI to the user, but it does not have to -- some 48 Activities never display UIs. Typically, one of the application's Activities 49 is the entry point to an application.</p> 50 </li> 51 <li> 52 <p><strong>Services</strong>: A <a 53 href="https://developer.android.com/guide/topics/fundamentals/services.html">Service</a> 54 is a body of code that runs in the background. It can run in its own 55 process, or in the context of another application's process. Other components "bind" to 56 a Service and invoke methods on it via remote procedure calls. An example of a 57 Service is a media player: even when the user quits the media-selection UI, the 58 user probably still intends for music to keep playing. A Service keeps the 59 music going even when the UI has completed.</p> 60 </li> 61 <li> 62 <p><strong>Broadcast Receiver</strong>: A <a 63 href="https://developer.android.com/reference/android/content/BroadcastReceiver.html">BroadcastReceiver</a> 64 is an object that is instantiated when an IPC mechanism 65 known as an <a 66 href="https://developer.android.com/reference/android/content/Intent.html">Intent</a> 67 is issued by the operating system or another application. An application 68 may register a receiver for the low battery message, for example, and 69 change its behavior based on that information.</p> 70 </li> 71 </ul> 72 <h2 id="the-android-permission-model-accessing-protected-apis">The Android Permission Model: Accessing Protected APIs</h2> 73 <p>All applications on Android run in an <a 74 href="/security/overview/kernel-security#the-application-sandbox">Application Sandbox</a>. 75 By default, an Android application can only access a limited range of system 76 resources. The system manages Android application access to resources that, if 77 used incorrectly or maliciously, could adversely impact the user experience, 78 the network, or data on the device.</p> 79 <p>These restrictions are implemented in a variety of different forms. Some 80 capabilities are restricted by an intentional lack of APIs to the sensitive 81 functionality (e.g. there is no Android API for directly manipulating the SIM 82 card). In some instances, separation of roles provides a security measure, as 83 with the per-application isolation of storage. In other instances, the 84 sensitive APIs are intended for use by trusted applications and protected 85 through a security mechanism known as Permissions.</p> 86 <p>These protected APIs include:</p> 87 <ul> 88 <li>Camera functions</li> 89 <li>Location data (GPS)</li> 90 <li>Bluetooth functions</li> 91 <li>Telephony functions</li> 92 <li>SMS/MMS functions</li> 93 <li>Network/data connections</li> 94 </ul> 95 <p>These resources are only accessible through the operating system. To make use 96 of the protected APIs on the device, an application must define the 97 capabilities it needs in its manifest. When preparing to install an 98 application, the system displays a dialog to the user that indicates the 99 permissions requested and asks whether to continue the installation. If the 100 user continues with the installation, the system accepts that the user has 101 granted all of the requested permissions. The user can not grant or deny 102 individual permissions -- the user must grant or deny all of the requested 103 permissions as a block.</p> 104 <p>Once granted, the permissions are applied to the application as long as it is 105 installed. To avoid user confusion, the system does not notify the user again 106 of the permissions granted to the application, and applications that are 107 included in the core operating system or bundled by an OEM do not request 108 permissions from the user. Permissions are removed if an application is 109 uninstalled, so a subsequent re-installation will again result in display of 110 permissions.</p> 111 <p>Within the device settings, users are able to view permissions for applications 112 they have previously installed. Users can also turn off some functionality 113 globally when they choose, such as disabling GPS, radio, or wi-fi.</p> 114 <p>In the event that an application attempts to use a protected feature which has 115 not been declared in the application's manifest, the permission failure will 116 typically result in a security exception being thrown back to the application. 117 Protected API permission checks are enforced at the lowest possible level to 118 prevent circumvention. An example of the user messaging when an application is 119 installed while requesting access to protected APIs is shown in <em>Figure 2</em>.</p> 120 <p>The system default permissions are described at <a href="https://developer.android.com/reference/android/Manifest.permission.html">https://developer.android.com/reference/android/Manifest.permission.html</a>. 121 Applications may declare their own permissions for other applications to use. 122 Such permissions are not listed in the above location.</p> 123 <p>When defining a permission a protectionLevel attribute tells the system how the 124 user is to be informed of applications requiring the permission, or who is 125 allowed to hold a permission. Details on creating and using application 126 specific permissions are described at <a href="https://develo 127 per.android.com/guide/topics/security/security.html">https://developer.android.com/guide/topics/security/security.html</a>.</p> 128 <p>There are some device capabilities, such as the ability to send SMS broadcast 129 intents, that are not available to third-party applications, but that may be 130 used by applications pre-installed by the OEM. These permissions use the 131 signatureOrSystem permission.</p> 132 <h2 id="how-users-understand-third-party-applications">How Users Understand Third-Party Applications</h2> 133 <p>Android strives to make it clear to users when they are interacting with 134 third-party applications and inform the user of the capabilities those 135 applications have. Prior to installation of any application, the user is shown 136 a clear message about the different permissions the application is requesting. 137 After install, the user is not prompted again to confirm any permissions.</p> 138 <p>There are many reasons to show permissions immediately prior to installation 139 time. This is when user is actively reviewing information about the 140 application, developer, and functionality to determine whether it matches their 141 needs and expectations. It is also important that they have not yet 142 established a mental or financial commitment to the app, and can easily compare 143 the application to other alternative applications.</p> 144 <p>Some other platforms use a different approach to user notification, requesting 145 permission at the start of each session or while applications are in use. The 146 vision of Android is to have users switching seamlessly between applications at 147 will. Providing confirmations each time would slow down the user and prevent 148 Android from delivering a great user experience. Having the user review 149 permissions at install time gives the user the option to not install the 150 application if they feel uncomfortable.</p> 151 <p>Also, many user interface studies have shown that over-prompting the user 152 causes the user to start saying "OK" to any dialog that is shown. One of 153 Android's security goals is to effectively convey important security 154 information to the user, which cannot be done using dialogs that the user will 155 be trained to ignore. By presenting the important information once, and only 156 when it is important, the user is more likely to think about what they are 157 agreeing to.</p> 158 <p>Some platforms choose not to show any information at all about application 159 functionality. That approach prevents users from easily understanding and 160 discussing application capabilities. While it is not possible for all users to 161 always make fully informed decisions, the Android permissions model makes 162 information about applications easily accessible to a wide range of users. For 163 example, unexpected permissions requests can prompt more sophisticated users to 164 ask critical questions about application functionality and share their concerns 165 in places such as <a href="htts://play.google.com">Google Play</a> where they 166 are visible to all users.</p> 167 <table> 168 <tr> 169 <td><strong>Permissions at Application Install -- Google Maps</strong></td> 170 <td><strong>Permissions of an Installed Application -- Gmail</strong></td> 171 </tr> 172 <tr> 173 <td><img alt="Permissions at Application Install -- Google Maps" width=250 174 src="../images/image_install.png" /></td> 175 <td><img alt="Permissions of an Installed Application -- Gmail" width=250 176 src="../images/image_gmail_installed.png" id="figure1" /></td> 177 </tr> 178 </table> 179 <p class="img-caption"> 180 <strong>Figure 1.</strong> Display of permissions for applications 181 </p> 182 <h2 id="interprocess-communication">Interprocess Communication</h2> 183 <p>Processes can communicate using any of the traditional UNIX-type mechanisms. 184 Examples include the filesystem, local sockets, or signals. However, the Linux 185 permissions still apply.</p> 186 <p>Android also provides new IPC mechanisms:</p> 187 <ul> 188 <li> 189 <p><strong>Binder</strong>: A lightweight capability-based remote procedure call mechanism 190 designed for high performance when performing in-process and cross-process 191 calls. Binder is implemented using a custom Linux driver. See <a href="https://developer 192 .android.com/reference/android/os/Binder.html">https://developer.android.com/reference/android/os/Binder.html</a>.</p> 193 </li> 194 <li> 195 <p><strong>Services</strong>: Services (discussed above) can provide interfaces directly 196 accessible using binder.</p> 197 </li> 198 <li> 199 <p><strong>Intents</strong>: An Intent is a simple message object that represents an 200 "intention" to do something. For example, if your application wants to display 201 a web page, it expresses its "Intent" to view the URL by creating an Intent 202 instance and handing it off to the system. The system locates some other piece 203 of code (in this case, the Browser) that knows how to handle that Intent, and 204 runs it. Intents can also be used to broadcast interesting events (such as a 205 notification) system-wide. See 206 <a href="https://developer.android.com/reference/android/content/Intent.html">https://developer.android.com/reference/android/content/Intent.html</a>.</p> 207 </li> 208 <li> 209 <p><strong>ContentProviders</strong>: A ContentProvider is a data storehouse that provides 210 access to data on the device; the classic example is the ContentProvider that 211 is used to access the user's list of contacts. An application can access data 212 that other applications have exposed via a ContentProvider, and an application 213 can also define its own ContentProviders to expose data of its own. See <a href="https://developer.android.com/reference/android/content/ContentProvider.html">https://developer.android.com/reference/android/content/ContentProvider.html</a>.</p> 214 </li> 215 </ul> 216 <p>While it is possible to implement IPC using other mechanisms such as network 217 sockets or world-writable files, these are the recommended Android IPC 218 frameworks. Android developers will be encouraged to use best practices around 219 securing users' data and avoiding the introduction of security vulnerabilities.</p> 220 <h2 id="cost-sensitive-apis">Cost-Sensitive APIs</h2> 221 <p>A cost sensitive API is any function that might generate a cost for the user or 222 the network. The Android platform has placed cost sensitive APIs in the list of 223 protected APIs controlled by the OS. The user will have to grant explicit 224 permission to third-party applications requesting use of cost sensitive APIs. 225 These APIs include:</p> 226 <ul> 227 <li>Telephony</li> 228 <li>SMS/MMS</li> 229 <li>Network/Data</li> 230 <li>In-App Billing</li> 231 <li>NFC Access</li> 232 </ul> 233 <p> Android 4.2 adds further control on the use of SMS. Android will provide a 234 notification if an application attempts to send SMS to a short code that uses 235 premium services which might cause additional charges. The user can choose 236 whether to allow the application to send the message or block it. </p> 237 <h2 id="sim-card-access">SIM Card Access</h2> 238 <p>Low level access to the SIM card is not available to third-party apps. The OS 239 handles all communications with the SIM card including access to personal 240 information (contacts) on the SIM card memory. Applications also cannot access 241 AT commands, as these are managed exclusively by the Radio Interface Layer 242 (RIL). The RIL provides no high level APIs for these commands.</p> 243 <h2 id="personal-information">Personal Information</h2> 244 <p>Android has placed APIs that provide access to user data into the set of 245 protected APIs. With normal usage, Android devices will also accumulate user 246 data within third-party applications installed by users. Applications that 247 choose to share this information can use Android OS permission checks to 248 protect the data from third-party applications.</p> 249 <img alt="Access to sensitive user data available only through protected 250 APIs" src="../images/permissions_check.png" id="figure2" /> 251 <p class="img-caption"> 252 <strong>Figure 2.</strong> Access to sensitive user data is available only through protected APIs 253 </p> 254 <p>System content providers that are likely to contain personal or personally 255 identifiable information such as contacts and calendar have been created with 256 clearly identified permissions. This granularity provides the user with clear 257 indication of the types of information that may be provided to the application. 258 During installation, a third-party application may request permission to 259 access these resources. If permission is granted, the application can be 260 installed and will have access to the data requested at any time when it is 261 installed.</p> 262 <p>Any applications which collect personal information will, by default, have that 263 data restricted only to the specific application. If an application chooses to 264 make the data available to other applications though IPC, the application 265 granting access can apply permissions to the IPC mechanism that are enforced by 266 the operating system.</p> 267 <h2 id="sensitive-data-input-devices">Sensitive Data Input Devices</h2> 268 <p>Android devices frequently provide sensitive data input devices that allow 269 applications to interact with the surrounding environment, such as camera, 270 microphone or GPS. For a third-party application to access these devices, it 271 must first be explicitly provided access by the user through the use of Android 272 OS Permissions. Upon installation, the installer will prompt the user 273 requesting permission to the sensor by name.</p> 274 <p>If an application wants to know the user's location, the application requires a 275 permission to access the user's location. Upon installation, the installer will 276 prompt the user asking if the application can access the user's location. At 277 any time, if the user does not want any application to access their location, 278 then the user can run the "Settings" application, go to "Location & Security", 279 and uncheck the "Use wireless networks" and "Enable GPS satellites". This will 280 disable location based services for all applications on the user's device.</p> 281 <h2 id="device-metadata">Device Metadata</h2> 282 <p>Android also strives to restrict access to data that is not intrinsically 283 sensitive, but may indirectly reveal characteristics about the user, user 284 preferences, and the manner in which they use a device.</p> 285 <p>By default applications do not have access to operating system logs, 286 browser history, phone number, or hardware / network identification 287 information. If an application requests access to this information at install 288 time, the installer will prompt the user asking if the application can access 289 the information. If the user does not grant access, the application will not be 290 installed.</p> 291 <h2 id="certificate-authorities">Certificate authorities</h2> 292 <p> 293 Android includes a set of installed system Certificate Authorities, which are 294 trusted system-wide. Prior to Android 7.0, device manufacturers could modify the 295 set of CAs shipped on their devices. However, devices running 7.0 and above will 296 have a uniform set of system CAs as modification by device manufacturers is no 297 longer permitted. 298 </p> 299 <p> 300 To be added as a new public CA to the Android stock set, the CA must complete 301 the <a href="https://wiki.mozilla.org/CA:How_to_apply">Mozilla CA Inclusion 302 Process</a> and then file a feature request against Android (<a 303 href="https://code.google.com/p/android/issues/entry">https://code.google.com/p/android/issues/entry</a>) 304 to have the CA added to the stock Android CA set in the <a 305 href="https://android.googlesource.com/">Android Open Source Project</a> 306 (AOSP). 307 </p> 308 <p> 309 There are still CAs that are device-specific and should not be included in the 310 core set of AOSP CAs, like carriers private CAs that may be needed to securely 311 access components of the carriers infrastructure, such as SMS/MMS gateways. 312 Device manufacturers are encouraged to include the private CAs only in the 313 components/apps that need to trust these CAs. See <a 314 href="https://developer.android.com/preview/features/security-config.html">Network 315 Security Configuration</a> for more details. 316 </p> 317 <h2 id="application-signing">Application Signing</h2> 318 <p><a href="/security/apksigning/index.html">Code signing</a> 319 allows developers to identify the author of the application and to 320 update their application without creating complicated interfaces and 321 permissions. Every application that is run on the Android platform must be 322 signed by the developer. Applications that attempt to install without being 323 signed will rejected by either Google Play or the package installer on 324 the Android device.</p> 325 <p>On Google Play, application signing bridges the trust Google has with the 326 developer and the trust the developer has with their application. Developers 327 know their application is provided, unmodified to the Android device; and 328 developers can be held accountable for behavior of their application.</p> 329 <p>On Android, application signing is the first step to placing an application in 330 its Application Sandbox. The signed application certificate defines which user 331 id is associated with which application; different applications run under 332 different user IDs. Application signing ensures that one application cannot 333 access any other application except through well-defined IPC.</p> 334 <p>When an application (APK file) is installed onto an Android device, the Package 335 Manager verifies that the APK has been properly signed with the certificate 336 included in that APK. If the certificate (or, more accurately, the public key 337 in the certificate) matches the key used to sign any other APK on the device, 338 the new APK has the option to specify in the manifest that it will share a UID 339 with the other similarly-signed APKs.</p> 340 <p>Applications can be signed by a third-party (OEM, operator, alternative market) 341 or self-signed. Android provides code signing using self-signed certificates 342 that developers can generate without external assistance or permission. 343 Applications do not have to be signed by a central authority. Android currently 344 does not perform CA verification for application certificates.</p> 345 <p>Applications are also able to declare security permissions at the Signature 346 protection level, restricting access only to applications signed with the same 347 key while maintaining distinct UIDs and Application Sandboxes. A closer 348 relationship with a shared Application Sandbox is allowed via the <a href="https://developer.android.com/guide/topics/manifest/manifest-element.html#uid">shared UID 349 feature</a> where two or more applications signed with same developer key can 350 declare a shared UID in their manifest.</p> 351 <h2 id="app-verification">Application Verification</h2> 352 <p> Android 4.2 and later support application verification. Users can choose to 353 enable Verify Apps" and have applications evaluated by an application verifier 354 prior to installation. App verification can alert the user if they try to 355 install an app that might be harmful; if an application is especially bad, it 356 can block installation. </p> 357 <h2 id="digital-rights-management">Digital Rights Management</h2> 358 <p>The Android platform provides an extensible DRM framework that lets 359 applications manage rights-protected content according to the license 360 constraints that are associated with the content. The DRM framework supports 361 many DRM schemes; which DRM schemes a device supports is left to the device 362 manufacturer.</p> 363 <p>The <a href="https://developer.android.com/reference/android/drm/package-summary.html">Android DRM 364 framework</a> is implemented in two architectural layers (see figure below):</p> 365 <ul> 366 <li> 367 <p>A DRM framework API, which is exposed to applications through the Android 368 application framework and runs through the Dalvik VM for standard applications.</p> 369 </li> 370 <li> 371 <p>A native code DRM manager, which implements the DRM framework and exposes an 372 interface for DRM plug-ins (agents) to handle rights management and decryption 373 for various DRM schemes</p> 374 </li> 375 </ul> 376 <p><img alt="Architecture of Digital Rights Management on Android 377 platform" src="/devices/images/ape_fwk_drm_2.png" id="figure3" /></p> 378 <p class="img-caption"> 379 <strong>Figure 3.</strong> Architecture of Digital Rights Management on Android platform 380 </p> 381 382 </body> 383 </html> 384
