1 <html devsite> 2 <head> 3 <title>System and kernel security</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p>At the operating system level, the Android platform provides the security of 27 the Linux kernel, as well as a secure inter-process communication (IPC) 28 facility to enable secure communication between applications running in 29 different processes. These security features at the OS level ensure that even 30 native code is constrained by the Application Sandbox. Whether that code is 31 the result of included application behavior or an exploitation of an 32 application vulnerability, the system is designed to prevent the rogue 33 application from harming other applications, the Android system, or the device 34 itself. See 35 <a href="/devices/tech/config/kernel.html">Kernel Configuration</a> 36 for measures you can take to strengthen the kernel on your devices. See the 37 <a href="/compatibility/cdd.html">Android Compatibility Definition 38 Document (CDD)</a> for required settings.</p> 39 <h2 id="linux-security">Linux Security</h2> 40 <p>The foundation of the Android platform is the Linux kernel. The Linux kernel 41 has been in widespread use for years, and is used in millions of 42 security-sensitive environments. Through its history of constantly being 43 researched, attacked, and fixed by thousands of developers, Linux has become a 44 stable and secure kernel trusted by many corporations and security 45 professionals.</p> 46 <p>As the base for a mobile computing environment, the Linux kernel provides 47 Android with several key security features, including:</p> 48 <ul> 49 <li>A user-based permissions model</li> 50 <li>Process isolation</li> 51 <li>Extensible mechanism for secure IPC</li> 52 <li>The ability to remove unnecessary and potentially insecure parts of the kernel</li> 53 </ul> 54 <p>As a multiuser operating system, a fundamental security objective of the Linux 55 kernel is to isolate user resources from one another. The Linux security 56 philosophy is to protect user resources from one another. Thus, Linux:</p> 57 <ul> 58 <li>Prevents user A from reading user B's files</li> 59 <li>Ensures that user A does not exhaust user B's memory</li> 60 <li>Ensures that user A does not exhaust user B's CPU resources</li> 61 <li>Ensures that user A does not exhaust user B's devices (e.g. telephony, GPS, 62 Bluetooth)</li> 63 </ul> 64 <h2 id="the-application-sandbox">The Application Sandbox</h2> 65 <p>The Android platform takes advantage of the Linux user-based protection as a 66 means of identifying and isolating application resources. The Android system 67 assigns a unique user ID (UID) to each Android application and runs it as that user 68 in a separate process. This approach is different from other operating systems 69 (including the traditional Linux configuration), where multiple applications 70 run with the same user permissions.</p> 71 <p>This sets up a kernel-level Application Sandbox. The kernel enforces security 72 between applications and the system at the process level through standard Linux 73 facilities, such as user and group IDs that are assigned to applications. By 74 default, applications cannot interact with each other and applications have 75 limited access to the operating system. If application A tries to do something 76 malicious like read application B's data or dial the phone without permission 77 (which is a separate application), then the operating system protects against 78 this because application A does not have the appropriate user privileges. The 79 sandbox is simple, auditable, and based on decades-old UNIX-style user 80 separation of processes and file permissions.</p> 81 <p>Because the Application Sandbox is in the kernel, this security model extends to 82 native code and to operating system applications. All of the software above the 83 kernel, such as operating system libraries, application 84 framework, application runtime, and all applications, run within the Application 85 Sandbox. On some platforms, developers are constrained to a specific 86 development framework, set of APIs, or language in order to enforce security. 87 On Android, there are no restrictions on how an application can be written that 88 are required to enforce security; in this respect, native code is just as 89 secure as interpreted code.</p> 90 <p>In some operating systems, memory corruption errors in one application may 91 lead to corruption in other applications housed in the same memory space, 92 resulting in a complete compromise of the security of the device. Because all 93 applications and their resources are sandboxed at the OS level, a memory 94 corruption error will allow arbitrary code execution only in 95 the context of that particular application, with the permissions established by 96 the operating system.</p> 97 <p>Like all security features, the Application Sandbox is not unbreakable. 98 However, to break out of the Application Sandbox in a properly configured 99 device, one must compromise the security of the Linux kernel.</p> 100 <h2 id="system-partition-and-safe-mode">System Partition and Safe Mode</h2> 101 <p>The system partition contains Android's kernel as well as the operating system 102 libraries, application runtime, application framework, and applications. This 103 partition is set to read-only. When a user boots the device into Safe Mode, 104 third-party applications may be launched manually by the device owner but are 105 not launched by default.</p> 106 <h2 id="filesystem-permissions">Filesystem Permissions</h2> 107 <p>In a UNIX-style environment, filesystem permissions ensure that one user cannot 108 alter or read another user's files. In the case of Android, each application 109 runs as its own user. Unless the developer explicitly shares files with other 110 applications, files created by one application cannot be read or altered by 111 another application.</p> 112 <h2 id="se-linux">Security-Enhanced Linux</h2> 113 <p>Android uses Security-Enhanced 114 Linux (SELinux) to apply access control policies and establish 115 mandatory access control (mac) on processes. See 116 <a href="/security/selinux/index.html">Security-Enhanced Linux in 117 Android</a> for details.</p> 118 <h2 id="verified-boot">Verified boot</h2> 119 <p> 120 Android 6.0 and later supports verified boot and device-mapper-verity. Verified 121 boot guarantees the integrity of the device software starting from a hardware 122 root of trust up to the system partition. During boot, each stage 123 cryptographically verifies the integrity and authenticity of the next stage 124 before executing it. 125 </p> 126 <p> 127 Android 7.0 and later supports strictly enforced verified boot, which means 128 compromised devices cannot boot. 129 </p> 130 <p> 131 See <a href="/security/verifiedboot/index.html">Verified boot</a> for 132 more details. 133 </p> 134 135 <h2 id="crypto">Cryptography</h2> 136 <p> Android provides a set of cryptographic APIs for use by applications. These 137 include implementations of standard and commonly used cryptographic primitives 138 such as AES, RSA, DSA, and SHA. Additionally, APIs are provided for higher level 139 protocols such as SSL and HTTPS. </p> 140 <p> Android 4.0 introduced the 141 <a href="http://developer.android.com/reference/android/security/KeyChain.html">KeyChain</a> 142 class to allow applications to use the system credential storage for private 143 keys and certificate chains. </p> 144 <h2 id="rooting-devices">Rooting of Devices</h2> 145 <p>By default, on Android only the kernel and a small subset of the core 146 applications run with root permissions. Android does not prevent a user or 147 application with root permissions from modifying the operating system, kernel, 148 or any other application. In general, root has full access to all 149 applications and all application data. Users that change the permissions on an 150 Android device to grant root access to applications increase the security 151 exposure to malicious applications and potential application flaws. </p> 152 <p>The ability to modify an Android device they own is important to developers 153 working with the Android platform. On many Android devices users have the 154 ability to unlock the bootloader in order to allow installation of an alternate 155 operating system. These alternate operating systems may allow an owner to gain 156 root access for purposes of debugging applications and system components or to 157 access features not presented to applications by Android APIs. </p> 158 <p>On some devices, a person with physical control of a device and a USB cable is 159 able to install a new operating system that provides root privileges to the 160 user. To protect any existing user data from compromise the bootloader unlock 161 mechanism requires that the bootloader erase any existing user data as part of 162 the unlock step. Root access gained via exploiting a kernel bug or security 163 hole can bypass this protection. </p> 164 <p>Encrypting data with a key stored on-device does not protect the application 165 data from root users. Applications can add a layer of data protection using 166 encryption with a key stored off-device, such as on a server or a user 167 password. This approach can provide temporary protection while the key is not 168 present, but at some point the key must be provided to the application and it 169 then becomes accessible to root users. </p> 170 <p>A more robust approach to protecting data from root users is through the use of 171 hardware solutions. OEMs may choose to implement hardware solutions that limit 172 access to specific types of content such as DRM for video playback, or the 173 NFC-related trusted storage for Google wallet. </p> 174 <p>In the case of a lost or stolen device, full filesystem encryption on Android 175 devices uses the device password to protect the encryption key, so modifying 176 the bootloader or operating system is not sufficient to access user data 177 without the users device password. </p> 178 <h2 id="user-security">User Security Features</h2> 179 <h3 id="filesystem-encryption">Filesystem Encryption</h3> 180 <p>Android 3.0 and later provides full filesystem encryption, so all user data can 181 be encrypted in the kernel.</p> 182 <p> 183 Android 5.0 and later supports 184 <a href="/security/encryption/full-disk.html">full-disk encryption</a>. 185 Full-disk encryption uses a single keyprotected with the users device 186 passwordto protect the whole of a devices userdata partition. Upon boot, 187 users must provide their credentials before any part of the disk is accessible. 188 </p> 189 <p> 190 Android 7.0 and later supports 191 <a href="/security/encryption/file-based.html">file-based encryption</a>. 192 File-based encryption allows different files to be encrypted with different 193 keys that can be unlocked independently. 194 </p> 195 196 <p>More details on implementation of filesystem encryption are available in the 197 <a href="/security/encryption/index.html">Encryption</a> section.</p> 198 <h3 id="password-protection">Password Protection</h3> 199 <p>Android can be configured to verify a user-supplied password prior to providing 200 access to a device. In addition to preventing unauthorized use of the device, 201 this password protects the cryptographic key for full filesystem encryption.</p> 202 <p>Use of a password and/or password complexity rules can be required by a device 203 administrator.</p> 204 <h2 id="device-administration">Device Administration</h2> 205 <p>Android 2.2 and later provide the Android Device Administration API, which 206 provides device administration features at the system level. For example, the 207 built-in Android Email application uses the APIs to improve Exchange support. 208 Through the Email application, Exchange administrators can enforce password 209 policies including alphanumeric passwords or numeric PINs across 210 devices. Administrators can also remotely wipe (that is, restore factory 211 defaults on) lost or stolen handsets.</p> 212 <p>In addition to use in applications included with the Android system, these APIs 213 are available to third-party providers of Device Management solutions. Details 214 on the API are provided at <a 215 href="https://developer.android.com/guide/topics/admin/device-admin.html">Device 216 Administration</a>.</p> 217 218 </body> 219 </html> 220
