## 9.5\. Multi-User Support

Android includes [support for multiple users](
http://developer.android.com/reference/android/os/UserManager.html)
and provides support for full user isolation.

*    Device implementations MAY but SHOULD NOT enable multi-user if they use
[removable media](
http://developer.android.com/reference/android/os/Environment.html)
for primary external storage.

If device implementations include multiple users, they:

*   [C-1-1] MUST meet the following requirements related to
[multi-user support](
http://source.android.com/devices/storage/traditional.html).
*   [C-1-2] MUST, for each user, implement a security
model consistent with the Android platform security model as defined in
[Security and Permissions reference document](
http://developer.android.com/guide/topics/security/permissions.html)
in the APIs.
*   [C-1-3] MUST have separate and isolated shared application storage
(a.k.a. `/sdcard`) directories for each user instance.
*   [C-1-4] MUST ensure that applications owned by and running on behalf of a
given user cannot list, read, or write to the files owned by any other user,
even if the data of both users are stored on the same volume or filesystem.
*   [C-1-5] MUST encrypt the contents of the SD card when multiuser is enabled
using a key stored only on non-removable media accessible only to the system if
device implementations use removable media for the external storage APIs.
As this will make the media unreadable by a host PC, device implementations
will be required to switch to MTP or a similar system to provide host PCs with
access to the current user's data.

If device implementations include multiple users and
do not declare the `android.hardware.telephony` feature flag, they:

*   [C-2-1] MUST support restricted profiles,
a feature that allows device owners to manage additional users and their
capabilities on the device. With restricted profiles, device owners can quickly
set up separate environments for additional users to work in, with the ability
to manage finer-grained restrictions in the apps that are available in those
environments.

If device implementations include multiple users and
declare the `android.hardware.telephony` feature flag, they:

*   [C-3-1] MUST NOT support restricted profiles but MUST align with the AOSP
implementation of controls to enable/disable other users from accessing the
voice calls and SMS.
     51