1 <html devsite> 2 <head> 3 <title>Implementing Security</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p>The Android Security Team regularly receives requests for information about 27 preventing potential security issues on Android devices. We also occasionally 28 spot check devices and let device manufacturers and affected partners know of 29 potential issues.</p> 30 31 <p>This page provides security best practices based on our experiences, 32 extending the 33 <a href="http://developer.android.com/guide/practices/security.html">Designing 34 for Security</a> documentation we've provided for developers and includes 35 details unique to building or installing system-level software on devices.</p> 36 37 <p>To facilitate adoption of these best practices, where possible the Android 38 Security Team incorporates tests into the 39 <a href="/compatibility/cts">Android Compatibility Test Suite</a> (CTS) and 40 <a href="http://tools.android.com/tips/lint">Android Lint</a>. We encourage 41 device implementers to contribute tests that can help other Android users (view 42 security-related tests at 43 <code>root/cts/tests/tests/security/src/android/security/cts</code>).</p> 44 45 <h2 id="dev-process">Development process</h2> 46 <p>Use the following best practices in your development processes and 47 environment.</p> 48 49 <h3 id="sec-review">Reviewing source code</h3> 50 <p> Source code review can detect a broad range of security issues, including 51 those identified in this document. Android strongly encourages both manual and 52 automated source code review. Best practices:</p> 53 54 <ul> 55 <li>Run <a href="http://tools.android.com/tips/lint">Android Lint</a> on all 56 application code using the Android SDK and correct any identified issues.</li> 57 <li>Native code should be analyzed using an automated tool that can detect 58 memory management issues such as buffer overflows and off-by-one errors.</li> 59 <li>The Android build system has support for many of the LLVM sanitizers, 60 such as AddressSanitizer and UndefinedBehaviorSanitizer which can be used 61 for this purpose.</li> 62 </ul> 63 64 <h3 id="auto-test">Using automated testing</h3> 65 <p>Automated testing can detect a broad range of security issues, including 66 several issues discussed below. Best practices:</p> 67 68 <ul> 69 <li>CTS is regularly updated with security tests; run the most recent version of 70 CTS to verify compatibility.</li> 71 <li>Run CTS regularly throughout the development process to detect problems 72 early and reduce time to correction. Android uses CTS as part of continuous 73 integration in our automated build process, which builds multiple times per day. 74 </li> 75 <li>Device manufacturers should automate security testing of interfaces, 76 including testing with malformed inputs (fuzz testing).</li> 77 </ul> 78 79 <h3 id="sign-sysimg">Signing system images</h3> 80 <p>The signature of the system image is critical for determining the integrity 81 of the device. Best practices:</p> 82 83 <ul> 84 <li>Devices must not be signed with a key that is publicly known.</li> 85 <li>Keys used to sign devices should be managed in a manner consistent with 86 industry standard practices for handling sensitive keys, including a hardware 87 security module (HSM) that provides limited, auditable access.</li> 88 </ul> 89 90 <h3 id="sign-apk">Signing applications (APKs)</h3> 91 <p>Application signatures play an important role in device security and are used 92 for permissions checks as well as software updates. When selecting a key to use 93 for signing applications, it is important to consider whether an application 94 will be available only on a single device or common across multiple devices. 95 Best practices:</p> 96 97 <ul> 98 <li>Applications must not be signed with a key that is publicly known.</li> 99 <li>Keys used to sign applications should be managed in a manner consistent with 100 industry standard practices for handling sensitive keys, including an HSM that 101 provides limited, auditable access.</li> 102 <li>Applications should not be signed with the platform key.</li> 103 <li>Applications with the same package name should not be signed with different 104 keys. This often occurs when creating an application for different devices, 105 especially when using the platform key. If the application is 106 device-independent, use the same key across devices. If the application is 107 device-specific, create unique package names per device and key.</li> 108 </ul> 109 110 <h3 id="apps-pub">Publishing applications</h3> 111 <p>Google Play provides device manufacturers the ability to update applications 112 without performing a complete system update. This can expedite response to 113 security issues and delivery of new features, as well as provide a way to ensure 114 your application has a unique package name. Best practices:</p> 115 116 <ul> 117 <li>Upload your applications to Google Play to allow automated updates without 118 requiring a full over-the-air (OTA) update. Applications that are uploaded but 119 unpublished are not directly downloadable by users but the applications are 120 still updated. Users who have previously installed the app can re-install it 121 and/or install on other devices.</li> 122 <li>Create an application package name that is clearly associated with your 123 company, such as by using a company trademark.</li> 124 <li>Applications published by device manufacturers should be uploaded on the 125 Google Play store to avoid package name impersonation by third-party users. If 126 a device manufacturer installs an app on a device without publishing the app on 127 the Play store, another developer could upload the same app, use the same 128 package name, and change the metadata for the app. When the app is presented to 129 the user, this unrelated metadata could create confusion.</li> 130 </ul> 131 132 <h3 id="incident-response">Responding to incidents</h3> 133 <p>External parties must have the ability to contact device manufacturers about 134 device-specific security issues. We recommend creating a publicly accessible 135 email address for managing security incidents. Best practices:</p> 136 137 <ul> 138 <li>Create a <em>security (a] your-company.com</em> or similar address and publicize 139 it.</li> 140 <li>If you become aware of a security issue affecting Android OS or Android 141 devices from multiple device manufacturers, you should contact the Android 142 Security Team by filing a 143 <a href="https://code.google.com/p/android/issues/entry?template=Security%20bug%20report">Security 144 bug report</a>.</li> 145 </ul> 146 147 <h2 id="prod-implement">Product implementation</h2> 148 <p>Use the following best practices when implementing a product.</p> 149 150 <h3 id="root-processes">Isolating root processes</h3> 151 <p>Root processes are the most frequent target of privilege escalation attacks, 152 so reducing the number of root processes reduces risk of privilege escalation. 153 CTS includes an informational test that lists root processes. Best practices:</p> 154 155 <ul> 156 <li>Devices should run the minimum necessary code as root. Where possible, use a 157 regular Android process rather than a root process. The ICS Galaxy Nexus has 158 only six root processes: vold, inetd, zygote, tf_daemon, ueventd, and init. If a 159 process must run as root on a device, document the process in an AOSP feature 160 request so it can be publicly reviewed.</li> 161 <li>Where possible, root code should be isolated from untrusted data and 162 accessed via IPC. For example, reduce root functionality to a small Service 163 accessible via Binder and expose the Service with signature permission to an 164 application with low or no privileges to handle network traffic.</li> 165 <li>Root processes must not listen on a network socket.</li> 166 <li>Root processes must not provide a general-purpose runtime for applications 167 (e.g. a Java VM).</li> 168 </ul> 169 170 <h3 id="sys-apps">Isolating system apps</h3> 171 <p>In general, pre-installed apps should not run with the shared system UID. If 172 is it necessary, however, for an app to use the shared UID of system or another 173 privileged service (i.e., phone), the app should not export any services, 174 broadcast receivers, or content providers that can be accessed by third-party 175 apps installed by users. Best practices:</p> 176 177 <ul> 178 <li>Devices should run the minimum necessary code as system. Where possible, use 179 an Android process with its own UID rather than reusing the system UID.</li> 180 <li>Where possible, system code should be isolated from untrusted data and 181 expose IPC only to other trusted processes.</li> 182 <li>System processes must not listen on a network socket.</li> 183 </ul> 184 185 <h3 id="process-isolate">Isolating processes</h3> 186 <p>The Android Application Sandbox provides applications with an expectation of 187 isolation from other processes on the system, including root processes and 188 debuggers. Unless debugging is specifically enabled by the application and the 189 user, no application should violate that expectation. Best practices:</p> 190 191 <ul> 192 <li>Root processes must not access data within individual application data 193 folders, unless using a documented Android debugging method.</li> 194 <li>Root processes must not access memory of applications, unless using a 195 documented Android debugging method.</li> 196 <li>Devices must not include any application that accesses data or memory of 197 other applications or processes.</li> 198 </ul> 199 200 <h3 id="suid-files">Securing SUID files</h3> 201 <p>New setuid programs should not be accessible by untrusted programs. Setuid 202 programs have frequently been the location of vulnerabilities that can be used 203 to gain root access, so strive to minimize the availability of the setuid 204 program to untrusted applications. Best practices:</p> 205 206 <ul> 207 <li>SUID processes must not provide a shell or backdoor that can be used to 208 circumvent the Android security model.</li> 209 <li>SUID programs must not be writable by any user.</li> 210 <li>SUID programs should not be world readable or executable. Create a group, 211 limit access to the SUID binary to members of that group, and place any 212 applications that should be able to execute the SUID program into that group. 213 </li> 214 <li>SUID programs are a common source of user rooting of devices. To reduce 215 this risk, SUID programs should not be executable by the shell user.</li> 216 </ul> 217 218 <p>CTS verifier includes an informational test listing SUID files; some 219 setuid files are not permitted per CTS tests.</p> 220 221 <h3 id="listening-sockets">Securing listening sockets</h3> 222 <p>CTS tests fail when a device is listening on any port, on any interface. In 223 the event of a failure, Android verifies the following best practices are in 224 use:</p> 225 226 <ul> 227 <li>There should be no listening ports on the device.</li> 228 <li>Listening ports must be able to be disabled without an OTA. This can be 229 either a server or user-device configuration change.</li> 230 <li>Root processes must not listen on any port.</li> 231 <li>Processes owned by the system UID must not listen on any port.</li> 232 <li>For local IPC using sockets, applications must use a UNIX Domain Socket with 233 access limited to a group. Create a file descriptor for the IPC and make it +RW 234 for a specific UNIX group. Any client applications must be within that UNIX 235 group.</li> 236 <li>Some devices with multiple processors (e.g. a radio/modem separate from the 237 application processor) use network sockets to communicate between processors. 238 In such instances, the network socket used for inter-processor communication 239 must use an isolated network interface to prevent access by unauthorized 240 applications on the device (i.e. use iptables to prevent access by other 241 applications on the device).</li> 242 <li>Daemons that handle listening ports must be robust against malformed data. 243 Google may conduct fuzz-testing against the port using an unauthorized client, 244 and, where possible, authorized client. Any crashes will be filed as bugs with 245 an appropriate severity.</li> 246 </ul> 247 248 <h3 id="logging">Logging data</h3> 249 <p>Logging data increases the risk of exposure of that data and reduces system 250 performance. Multiple public security incidents have occurred as the result of 251 logging sensitive user data by applications installed by default on Android 252 devices. Best practices:</p> 253 254 <ul> 255 <li>Applications or system services should not log data provided from 256 third-party applications that might include sensitive information.</li> 257 <li>Applications must not log any Personally Identifiable Information (PII) as 258 part of normal operation.</li> 259 </ul> 260 261 <p>CTS includes tests that check for the presence of potentially sensitive 262 information in the system logs.</p> 263 264 <h3 id="directories">Limiting directory access</h3> 265 <p>World-writable directories can introduce security weaknesses and enable an 266 application to rename trusted files, substitute files, or conduct symlink-based 267 attacks (attackers may use a symlink to a file to trick a trusted program into 268 performing actions it shouldn't). Writable directories can also prevent the 269 uninstall of an application from properly cleaning up all files associated with 270 an application.</p> 271 272 <p>As a best practice, directories created by the system or root users should 273 not be world writable. CTS tests help enforce this best practice by testing 274 known directories.</p> 275 276 <h3 id="config-files">Securing configuration files</h3> 277 <p>Many drivers and services rely on configuration and data files stored in 278 directories such as <code>/system/etc</code> and <code>/data</code>. If these 279 files are processed by a privileged process and are world writable, it is 280 possible for an app to exploit a vulnerability in the process by crafting 281 malicious contents in the world-writable file. Best practices:</p> 282 283 <ul> 284 <li>Configuration files used by privileged processes should not be world 285 readable.</li> 286 <li>Configuration files used by privileged processes must not be world 287 writable.</li> 288 </ul> 289 290 <h3 id="native-code">Storing native code libraries</h3> 291 <p>Any code used by privileged device manufacturer processes must be in 292 <code>/vendor</code> or <code>/system</code>; these filesystems are mounted 293 read-only on boot. As a best practice, libraries used by system or other 294 highly-privileged apps installed on the phone should also be in these 295 filesystems. This can prevent a security vulnerability that could allow an 296 attacker to control the code that a privileged process executes.</p> 297 298 <h3 id="device-drivers">Limiting device driver access</h3> 299 <p>Only trusted code should have direct access to drivers. Where possible, the 300 preferred architecture is to provide a single-purpose daemon that proxies calls 301 to the driver and restricts driver access to that daemon. As a best practice, 302 driver device nodes should not be world readable or writable. CTS tests help 303 enforce this best practice by checking for known instances of exposed drivers. 304 </p> 305 306 <h3 id="adb">Disabling ADB</h3> 307 <p>Android debug bridge (adb) is a valuable development and debugging tool, but 308 is designed for use in controlled, secure environments and should not be enabled 309 for general use. Best practices:</p> 310 311 <ul> 312 <li>ADB must be disabled by default.</li> 313 <li>ADB must require the user to turn it on before accepting connections.</li> 314 </ul> 315 316 <h3 id="unlockable-bootloaders">Unlocking bootloaders</h3> 317 <p>Many Android devices support unlocking, enabling the device owner to modify 318 the system partition and/or install a custom operating system. Common use 319 cases include installing a third-party ROM and performing systems-level 320 development on the device. For example, a Google Nexus device owner can run 321 <code>fastboot oem unlock</code> to start the unlocking process, which presents 322 the following message to the user:</p> 323 324 <div style="background-color: #B2EBF2; padding: 10px;margin-right:25px"> 325 326 <p><strong>Unlock bootloader?</strong></p> 327 328 <p>If you unlock the bootloader, you will be able to install custom operating 329 system software on this phone.</p> 330 331 <p>A custom OS is not subject to the same testing as the original OS, and can 332 cause your phone and installed applications to stop working properly.</p> 333 334 <p>To prevent unauthorized access to your personal data, unlocking the 335 bootloader will also delete all personal data from your phone (a "factory data 336 reset").</p> 337 338 <p>Press the Volume Up/Down buttons to select Yes or No. Then press the Power 339 button to continue.</p> 340 341 <p><strong>Yes</strong>: Unlock bootloader (may void warranty)</p> 342 343 <p><strong>No</strong>: Do not unlock bootloader and restart phone.</p> 344 </div> 345 346 <br> 347 <p>As a best practice, unlockable Android devices must securely erase all user 348 data prior to being unlocked. Failure to properly delete all data on 349 unlocking may allow a physically proximate attacker to gain unauthorized access 350 to confidential Android user data. To prevent the disclosure of user data, a 351 device that supports unlocking must implement it properly (we've seen numerous 352 instances where device manufacturers improperly implemented unlocking). A 353 properly implemented unlocking process has the following properties:</p> 354 355 <ul> 356 <li>When the unlocking command is confirmed by the user, the device must start 357 an immediate data wipe. The <code>unlocked</code> flag must not be set until 358 after the secure deletion is complete.</li> 359 <li>If a secure deletion cannot be completed, the device must stay in a locked 360 state.</li> 361 <li>If supported by the underlying block device, 362 <code>ioctl(BLKSECDISCARD)</code> or equivalent should be used. For eMMC 363 devices, this means using a Secure Erase or Secure Trim command. For eMMC 4.5 364 and later, this means using a normal Erase or Trim followed by a Sanitize 365 operation.</li> 366 <li>If <code>BLKSECDISCARD</code> is not supported by the underlying block 367 device, <code>ioctl(BLKDISCARD)</code> must be used instead. On eMMC devices, 368 this is a normal Trim operation.</li> 369 <li>If <code>BLKDISCARD</code> is not supported, overwriting the block devices 370 with all zeros is acceptable.</li> 371 <li>An end user must have the option to require that user data be wiped prior to 372 flashing a partition. For example, on Nexus devices, this is done via the 373 <code>fastboot oem lock</code> command.</li> 374 <li>A device may record, via efuses or similar mechanism, whether a device was 375 unlocked and/or relocked.</li> 376 </ul> 377 378 <p>These requirements ensure that all data is destroyed upon the completion of 379 an unlock operation. Failure to implement these protections is considered a 380 moderate level security vulnerability.</p> 381 382 <p>A device that is unlocked may be subsequently relocked using the 383 <code>fastboot oem lock</code> command. Locking the bootloader provides the same 384 protection of user data with the new custom OS as was available with the 385 original device manufacturer OS (e.g. user data will be wiped if the device is 386 unlocked again).</p> 387 388 </body> 389 </html> 390
