<html devsite>
  <head>
    <title>Security Updates and Resources</title>
    <meta name="project_path" value="/_project.yaml" />
    <meta name="book_path" value="/_book.yaml" />
  </head>
  <body>
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->

<p>The Android security team is responsible for managing security vulnerabilities
discovered in the Android platform and many of the core Android apps bundled
with Android devices.</p>

<p>The Android security team finds security vulnerabilities through internal
research and also responds to bugs reported by third parties. Sources of
external bugs include issues reported through the <a
href="https://issuetracker.google.com/issues/new?component=190951">Android
Security Issue template</a>, published and pre-published academic research,
upstream open source project maintainers, notifications from our device
manufacturer partners, and publicly disclosed issues posted on blogs or social
media.</p>

<h2 id="report-issues">Reporting security issues</h2>

<p>Any developer, Android user, or security researcher can notify the Android
security team of potential security issues through the <a
href="https://issuetracker.google.com/issues/new?component=190951">
Android Security Issue template</a>.</p>

<p>Bugs marked as security issues are not externally visible, but they may
eventually be made visible after the issue is evaluated or resolved. If you
plan to submit a patch or Compatibility Test Suite (CTS) test to resolve a
security issue, please attach it to the bug report and wait for a response
before uploading the code to AOSP.</p>

<h2 id="triaging_bugs">Triaging bugs</h2>

<p>The first task in handling a security vulnerability is to identify the severity
of the bug and which component of Android is affected. The severity determines
how the issue is prioritized, and the component determines who fixes the bug,
who is notified, and how the fix gets deployed to users.</p>

<h3 id="process_types">Process types</h3>
<p>This table defines the process types. A process's type is determined by the
kind of application or process it is, or by the SELinux domain in which it runs.
The table is ordered from least to most privileged.</p>
<table>
  <col width="30%">
  <col width="70%">
  <tr>
   <th>Process type</th>
   <th>Type definition</th>
  </tr>
  <tr>
   <td>Constrained process</td>
   <td>A process that runs in a highly limited SELinux domain.<br />
   OR<br />
   A process that is significantly more limited than a normal application.</td>
  </tr>
  <tr>
   <td>Unprivileged process</td>
   <td>A third-party application or process.<br />
   OR<br />
   An application or process that runs in the SELinux <code>untrusted_app</code>
   domain.</td>
  </tr>
  <tr>
   <td>Privileged process</td>
   <td>An application or process with capabilities that the SELinux
   <code>untrusted_app</code> domain does not permit.<br />
   OR<br />
   An application or process with important privileges that a third-party
   application cannot obtain.</td>
  </tr>
  <tr>
   <td>Trusted Computing Base (TCB)</td>
   <td>Functionality that is part of the kernel, runs in the same CPU context as
   the kernel (such as device drivers), has direct access to kernel memory (such as
   hardware components on the device), or is one of a handful of user services
   that is considered kernel equivalent: <code>init</code>, <code>ueventd</code>,
   and <code>vold</code>.</td>
  </tr>
  <tr>
   <td>Trusted Execution Environment (TEE)</td>
   <td>A component that is designed to be protected from even a hostile kernel.</td>
  </tr>
</table>

<h3 id="severity">Severity</h3>


<p>The severity of a bug generally reflects the potential harm that could occur if
the bug were successfully exploited. Use the following criteria to determine the
severity:</p>
<table>
  <tr>
   <th>Rating</th>
   <th>Consequence of successful exploitation</th>
  </tr>
  <tr>
   <td><strong>Critical</strong></td>
   <td>
     <ul>
       <li>Arbitrary code execution in the TEE</li>
       <li>Remote arbitrary code execution in a privileged process or the TCB</li>
       <li>Remote permanent denial of service (device inoperability: completely
       permanent or requiring re-flashing the entire operating system)</li>
       <li>Remote bypass of user interaction requirements on package installation or
       equivalent behavior</li>
       <li>Secure Boot bypass</li>
     </ul>
   </td>
  </tr>
  <tr>
   <td><strong>High</strong></td>
   <td>
     <ul>
      <li>Remote arbitrary code execution in an unprivileged process</li>
      <li>Local arbitrary code execution in a privileged process or the TCB</li>
      <li>Unauthorized access to data secured by the TEE</li>
      <li>Remote access to protected data (data normally accessible only to locally
      installed apps that request permission, or that is limited to a privileged
      process)</li>
      <li>Local permanent denial of service (device inoperability: completely
      permanent or requiring re-flashing the entire operating system)</li>
      <li>Remote temporary device denial of service (remote hang or reboot)</li>
      <li>Remote bypass of user interaction requirements (access to functionality that
      would normally require either user initiation or user permission)</li>
      <li>Local bypass of user interaction requirements for any developer or security
      settings modifications</li>
      <li>A general bypass for operating system protections that isolate application
      data from other applications</li>
      <li>A general bypass for operating system protections that isolate users or
      profiles from one another</li>
      <li>Cryptographic vulnerability in standard TLS that allows for
      man-in-the-middle attacks</li>
      <li>Lockscreen bypass</li>
     </ul>
   </td>
  </tr>
  <tr>
   <td><strong>Moderate</strong></td>
   <td>
     <ul>
      <li>Remote arbitrary code execution in a constrained process</li>
      <li>Local arbitrary code execution in an unprivileged process</li>
      <li>A general bypass for a defense in depth or exploit mitigation technology in
      a privileged process, the TCB, or the TEE</li>
      <li>Bypass of restrictions on a constrained process</li>
      <li>Remote access to unprotected data (data normally accessible to any locally
      installed app)</li>
      <li>Local access to protected data (data normally accessible only to locally
      installed apps that request permission, or that is limited to a privileged
      process)</li>
      <li>Local bypass of user interaction requirements (access to functionality that
      would normally require either user initiation or user permission)</li>
      <li>Local permanent denial of service (device requires a factory reset)</li>
      <li>Cryptographic vulnerability in standard crypto primitives that allows
      leaking of plaintext (not primitives used in TLS)</li>
      <li>Bypass of Device Protection / Factory Reset Protection</li>
      <li>Bypass of carrier restrictions</li>
      <li>Targeted prevention of access to emergency services</li>
     </ul>
   </td>
  </tr>
  <tr>
   <td><strong>Low</strong></td>
   <td>
     <ul>
      <li>Local arbitrary code execution in a constrained process</li>
      <li>Cryptographic vulnerability in non-standard usage</li>
      <li>A general bypass for a user level defense in depth or exploit
      mitigation technology in an unprivileged process</li>
     </ul>
   </td>
  </tr>
  <tr>
   <td><strong>No Security Impact (NSI)</strong></td>
   <td>
     <ul>
       <li>A vulnerability whose impact has been mitigated by one or more rating
       modifiers or version-specific architecture changes such that the effective
       severity is below Low, although the underlying code issue may remain</li>
     </ul>
   </td>
  </tr>
</table>

<h4 id="local_vs_remote">Local vs. remote</h4>

<p>A remote attack vector indicates the bug could be exploited without installing
an app or without physical access to the device. This includes bugs that could
be triggered by browsing to a web page, reading an email, receiving an SMS
message, or connecting to a hostile network. For the purpose of our severity
ratings, the Android security team also considers "proximal" attack vectors as
remote. These include bugs that can be exploited only by an attacker who is
physically near the target device, for example a bug that requires sending
malformed Wi-Fi or Bluetooth packets.</p>

<p>Local attacks require the victim to install an app. For the purpose of severity
ratings, the Android security team also considers physical attack vectors as
local. These include bugs that can be exploited only by an attacker who has
physical access to the device, for example a bug in a lock screen or one that
requires plugging in a USB cable. The Android security team also considers
NFC-based attacks as local.</p>

<h3 id="rating_modifiers">Rating modifiers</h3>
<p>While the severity of security vulnerabilities is often easy to identify,
ratings may change based on circumstances.</p>
<table>
  <tr>
   <th>Reason</th>
   <th>Effect</th>
  </tr>
  <tr>
   <td>Requires running as a privileged process to execute the attack</td>
   <td>-1 Severity</td>
  </tr>
  <tr>
   <td>Vulnerability-specific details limit the impact of the issue</td>
   <td>-1 Severity</td>
  </tr>
  <tr>
   <td>Compiler or platform configurations mitigate a vulnerability in the
   source code</td>
   <td>Moderate Severity if the underlying vulnerability is Moderate or higher</td>
  </tr>
  <tr>
   <td>Requires tamper-evident physical access</td>
   <td>-2 Severity</td>
  </tr>
  <tr>
   <td>If no SELinux domain can conduct the operation under the Google-provided
   SEPolicy</td>
   <td>No Security Impact</td>
  </tr>
</table>

<p class="note">
<strong>Note</strong>: A CVE may not be issued for issues assessed as Low or NSI.
</p>
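
<p>The process-type, severity, local vs. remote and rating-modifier rules above,
worked through in code. This is an added example, not code from this page or from
the Android security team. It maps constructed <code>ps -Z</code> rows to the
process types in the first table, looks up the base rating for arbitrary code
execution from the severity table, classifies an attack channel as local or
remote, and then applies the rating modifiers, collapsing anything below Low to
NSI. Assumptions: the SELinux domain-to-type mapping beyond
<code>untrusted_app</code>, <code>init</code>, <code>ueventd</code> and
<code>vold</code> (for example treating <code>isolated_app</code> as a
constrained process) is the author's, not the page's; the compiler-mitigation cap
is applied before the subtractive modifiers; and the sample <code>ps -Z</code>
lines are constructed, not captured from a device.</p>

```python
"""Triage helper for the process-type, severity and rating-modifier tables.

Added example, not code from the AOSP page. Assumptions: DOMAIN_TO_TYPE extends
the table (the page names only untrusted_app as unprivileged and
init/ueventd/vold as TCB); the compiler-mitigation cap is applied before the
subtractive modifiers; SAMPLE_PS is constructed, not captured from a device.
"""
import re

# Severity ladder; anything that drops below Low is No Security Impact (NSI).
RATINGS = ("NSI", "Low", "Moderate", "High", "Critical")

# SELinux domain -> process type. "page" entries are stated in the table;
# the rest are assumptions about the Google-provided SEPolicy.
DOMAIN_TO_TYPE = {
    "isolated_app": "constrained",    # assumption: highly limited domain
    "untrusted_app": "unprivileged",  # page
    "priv_app": "privileged",         # assumption
    "system_server": "privileged",    # assumption
    "init": "tcb",                    # page
    "ueventd": "tcb",                 # page
    "vold": "tcb",                    # page
}

# Base rating for arbitrary code execution, keyed by (vector, process type),
# transcribed from the Critical/High/Moderate/Low rows of the severity table.
CODE_EXEC_BASE = {
    ("remote", "tee"): "Critical", ("local", "tee"): "Critical",
    ("remote", "tcb"): "Critical", ("remote", "privileged"): "Critical",
    ("local", "tcb"): "High", ("local", "privileged"): "High",
    ("remote", "unprivileged"): "High",
    ("remote", "constrained"): "Moderate", ("local", "unprivileged"): "Moderate",
    ("local", "constrained"): "Low",
}

# Subtractive rating modifiers (steps down the RATINGS ladder).
MODIFIERS = {
    "needs_privileged_process": -1,
    "impact_limited": -1,
    "tamper_evident_physical_access": -2,
}

def attack_vector(channel):
    """Local vs. remote: proximal channels (Wi-Fi, Bluetooth) count as remote;
    physical access and NFC count as local."""
    remote = {"web", "email", "sms", "network", "wifi", "bluetooth"}
    local = {"installed_app", "usb", "lockscreen", "nfc"}
    if channel in remote:
        return "remote"
    if channel in local:
        return "local"
    raise ValueError("unknown channel: " + channel)

def domain_of(selinux_label):
    """Type field of a context such as u:r:untrusted_app:s0:c512,c768."""
    parts = selinux_label.split(":")
    return parts[2] if len(parts) >= 3 else None

# Matches toybox `ps -Z` rows: LABEL USER PID ... NAME (the header has no u:r: label).
PS_ROW = re.compile(r"^(?P<label>u:r:\S+)\s+\S+\s+(?P<pid>\d+)\s+.*\s(?P<name>\S+)$")

# Constructed sample of `adb shell ps -Z` output (not from a real device).
SAMPLE_PS = """\
LABEL                          USER      PID  PPID     VSZ    RSS WCHAN ADDR S NAME
u:r:init:s0                    root        1     0   10768   2116 0        0 S init
u:r:untrusted_app:s0:c512,c768 u0_a140  4210  1024 1456789  98765 0        0 S com.example.app
u:r:isolated_app:s0:c512,c768  u0_i9001 4321  1024 1300000  45000 0        0 S com.example.app:sandboxed_process0
u:r:vold:s0                    root      512     1   32000   8000 0        0 S vold
"""

def process_types_from_ps(ps_output):
    """(pid, name, process type) per row; unknown domains are flagged, not guessed."""
    rows = []
    for line in ps_output.splitlines():
        m = PS_ROW.match(line)
        if m:
            dom = domain_of(m.group("label"))
            rows.append((int(m.group("pid")), m.group("name"),
                         DOMAIN_TO_TYPE.get(dom, "unknown:%s" % dom)))
    return rows

def code_exec_severity(process_type, vector, modifiers=(), compiler_mitigated=False,
                       no_domain_can_do_it=False):
    """Base rating from the table, then the rating modifiers; below Low is NSI."""
    if no_domain_can_do_it:          # no SELinux domain can perform the operation
        return "NSI"
    idx = RATINGS.index(CODE_EXEC_BASE[(vector, process_type)])
    if compiler_mitigated and idx > RATINGS.index("Moderate"):
        idx = RATINGS.index("Moderate")   # capped at Moderate when Moderate or higher
    for m in modifiers:
        idx += MODIFIERS[m]
    return RATINGS[max(idx, 0)]

def cve_expected(rating):
    """Per the note above, a CVE may not be issued for Low or NSI."""
    return rating in ("Moderate", "High", "Critical")

if __name__ == "__main__":
    for pid, name, ptype in process_types_from_ps(SAMPLE_PS):
        print(pid, name, ptype)
    r = code_exec_severity("privileged", attack_vector("bluetooth"), ["impact_limited"])
    print("privileged process, proximal vector, limited impact ->", r, "CVE:", cve_expected(r))
```

<p>The point of keeping the base table and the modifiers separate is that the
modifiers are where most triage disagreements happen: the same remote code
execution in a privileged process is Critical on its own, High if the exploit
already needs a privileged process, and only Moderate if a compiler or platform
configuration mitigates the bug in practice. Running the helper against a real
<code>adb shell ps -Z</code> capture shows immediately which process type a
proof-of-concept actually landed in, rather than the type the reporter assumed.</p>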

<h3 id="affected_component">Affected component</h3>

<p>The development team responsible for fixing the bug depends on which component
the bug is in. It could be a core component of the Android platform, a kernel
driver supplied by an original equipment manufacturer (OEM), or one of the
pre-loaded apps on Nexus devices.</p>

<p>Bugs in AOSP code are fixed by the Android engineering team. Low-severity bugs,
bugs in certain components, or bugs that are already publicly known may be
fixed directly in the publicly available AOSP master branch; otherwise they're
fixed in our internal repositories first.</p>

<p>The component is also a factor in how users get updates. A bug in the framework
or kernel will require an over-the-air (OTA) firmware update that each OEM will
need to push. A bug in an app or library published in Google Play (e.g., Gmail,
Google Play Services, WebView in Lollipop and later versions) can be sent to
Android users as an update from Google Play.</p>

<h2 id="notifying_partners">Notifying partners</h2>

<p>When a security vulnerability in AOSP is fixed in an Android Security
Bulletin, we'll notify Android partners of issue details and provide patches.
The Android security team currently provides patches for Android versions 4.4
(KitKat) and above. This list of backport-supported versions changes with each
new Android release.</p>

<h2 id="releasing_code_to_aosp">Releasing code to AOSP</h2>

<p>If the security bug is in an AOSP component, the fix is pushed to AOSP
after the OTA update is released to users. Fixes for low-severity issues may be
submitted directly to the AOSP master branch before an OTA update is available.</p>

<h2 id="android_updates">Receiving Android updates</h2>

<p>Updates to the Android system are generally delivered to devices through
OTA update packages. These updates may come from the OEM who
produced the device or the carrier who provides service to the device. Google
Nexus device updates come from the Google Nexus team after going through a
carrier technical acceptance (TA) testing procedure. Google also publishes <a
href="https://developers.google.com/android/nexus/images">Nexus factory
images</a> that can be side-loaded to devices.</p>

<h2 id="updating_google_services">Updating Google services</h2>

<p>In addition to providing patches for security bugs, the Android security team
also reviews security bugs to determine if there are other ways to protect
users. For example, Google Play scans all applications and will remove any
application that attempts to exploit a security bug. For applications installed
from outside of Google Play, devices with Google Play Services may also use the
<a href="https://support.google.com/accounts/answer/2812853">Verify Apps</a>
feature to warn users about applications that may be harmful.</p>

<h2 id="other_resources">Other resources</h2>

<p>Information for Android application developers: <a
href="https://developer.android.com">https://developer.android.com</a></p>

<p>Security information exists throughout the Android Open Source and Developer
sites. Good places to start:<br>
<a href="/security/index.html">https://source.android.com/security/index.html</a><br>
<a href="https://developer.android.com/training/articles/security-tips.html">https://developer.android.com/training/articles/security-tips.html</a></p>

<h3 id="reports">Reports</h3>
<p>Sometimes the Android Security team publishes reports or whitepapers. Here are some of the most recent.</p>
<ul>
  <li><a href="/security/reports/Google_Android_Security_2016_Report_Final.pdf">
      Android Security 2016 Year In Review</a></li>
  <li><a href="/security/reports/Google_Android_Security_2015_Report_Final.pdf">
      Android Security 2015 Year In Review</a></li>
  <li><a href="/security/reports/Google_Android_Security_2014_Report_Final.pdf">
      Android Security 2014 Year In Review</a></li>
  <li><a href="/security/reports/Android_WhitePaper_Final_02092016.pdf">
      Android Security white paper</a></li>
  <li><a href="/security/reports/Google_Android_Security_PHA_classifications.pdf">
      Classifications for Potentially Harmful Applications</a></li>
</ul>

<h3 id="slides">Presentations</h3>
<p>The Android Security team presents at various conferences and talks. Here are some of their slides:</p>
<ul>
  <li><a href="/security/reports/Android-Bootcamp-2016-Verified-Boot-and-Encryption.pdf">
      Verified boot and encryption</a></li>
  <li><a href="/security/reports/Android-Bootcamp-2016-SafetyNet.pdf">
      SafetyNet</a></li>
  <li><a href="/security/reports/Android-Bootcamp-2016-New-App-Lifecycle-for-Encryption.pdf">
      New app life cycle for encryption</a></li>
  <li><a href="/security/reports/Android-Bootcamp-2016-Keeping-Google-Play-safe.pdf">
      Keeping Google Play safe</a></li>
  <li><a href="/security/reports/Android-Bootcamp-2016-Defense-in-depth-efforts.pdf">
      Defense in depth efforts</a></li>
  <li><a href="/security/reports/Android-Bootcamp-2016-Android-Keystore-Attestation.pdf">
      Keystore attestation</a></li>
  <li><a href="/security/reports/Android-Bootcamp-2016-Android-Attack-Team.pdf">
      Android attack team</a></li>
</ul>
  </body>
</html>