1page.title=Implementing Security
2@jd:body
3
4<!--
5    Copyright 2014 The Android Open Source Project
6
7    Licensed under the Apache License, Version 2.0 (the "License");
8    you may not use this file except in compliance with the License.
9    You may obtain a copy of the License at
10
11        http://www.apache.org/licenses/LICENSE-2.0
12
13    Unless required by applicable law or agreed to in writing, software
14    distributed under the License is distributed on an "AS IS" BASIS,
15    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16    See the License for the specific language governing permissions and
17    limitations under the License.
18-->
19<div id="qv-wrapper">
20  <div id="qv">
21    <h2>In this document</h2>
22    <ol id="auto-toc">
23    </ol>
24  </div>
25</div>
26
27<p>The Android Security Team regularly receives requests for information about
28preventing potential security issues on Android devices. We also occasionally
29spot check devices and let device manufacturers and affected partners know of
30potential issues.</p>
31
32<p>This page provides security best practices based on our experiences,
33extending the
34<a href="http://developer.android.com/guide/practices/security.html">Designing
35for Security</a> documentation we've provided for developers and includes
36details unique to building or installing system-level software on devices.</p>
37
38<p>To facilitate adoption of these best practices, where possible the Android
39Security Team incorporates tests into the
40<a href="{@docRoot}compatibility/cts-intro.html">Android Compatibility Test
41Suite</a> (CTS) and
42<a href="http://tools.android.com/tips/lint">Android Lint</a>. We encourage
43device implementers to contribute tests that can help other Android users (view
44security-related tests at
45<code>root/cts/tests/tests/security/src/android/security/cts</code>).</p>
46
47<h2 id="dev-process">Development process</h2>
48<p>Use the following best practices in your development processes and
49environment.</p>
50
51<h3 id="sec-review">Reviewing source code</h3>
52<p> Source code review can detect a broad range of security issues, including
53those identified in this document. Android strongly encourages both manual and
54automated source code review. Best practices:</p>
55
56<ul>
57<li>Run <a href="http://tools.android.com/tips/lint">Android Lint</a> on all
58application code using the Android SDK and correct any identified issues.</li>
59<li>Native code should be analyzed using an automated tool that can detect
60memory management issues such as buffer overflows and off-by-one errors.</li>
61</ul>
62
63<h3 id="auto-test">Using automated testing</h3>
64<p>Automated testing can detect a broad range of security issues, including
65several issues discussed below. Best practices:</p>
66
67<ul>
68<li>CTS is regularly updated with security tests; run the most recent version of
69CTS to verify compatibility.</li>
70<li>Run CTS regularly throughout the development process to detect problems
71early and reduce time to correction. Android uses CTS as part of continuous
72integration in our automated build process, which builds multiple times per day.
73</li>
74<li>Device manufacturers should automate security testing of interfaces,
75including testing with malformed inputs (fuzz testing).</li>
76</ul>
77
78<h3 id="sign-sysimg">Signing system images</h3>
79<p>The signature of the system image is critical for determining the integrity
80of the device. Best practices:</p>
81
82<ul>
83<li>Devices must not be signed with a key that is publicly known.</li>
84<li>Keys used to sign devices should be managed in a manner consistent with
85industry standard practices for handling sensitive keys, including a hardware
86security module (HSM) that provides limited, auditable access.</li>
87</ul>
88
89<h3 id="sign-apk">Signing applications (APKs)</h3>
90<p>Application signatures play an important role in device security and are used
91for permissions checks as well as software updates. When selecting a key to use
92for signing applications, it is important to consider whether an application
93will be available only on a single device or common across multiple devices.
94Best practices:</p>
95
96<ul>
97<li>Applications must not be signed with a key that is publicly known.</li>
98<li>Keys used to sign applications should be managed in a manner consistent with
99industry standard practices for handling sensitive keys, including an HSM that
100provides limited, auditable access.</li>
101<li>Applications should not be signed with the platform key.</li>
102<li>Applications with the same package name should not be signed with different
103keys. This often occurs when creating an application for different devices,
104especially when using the platform key. If the application is
105device-independent, use the same key across devices. If the application is
106device-specific, create unique package names per device and key.</li>
107</ul>
108
109<h3 id="apps-pub">Publishing applications</h3>
110<p>Google Play provides device manufacturers the ability to update applications
111without performing a complete system update. This can expedite response to
112security issues and delivery of new features, as well as provide a way to ensure
113your application has a unique package name. Best practices:</p>
114
115<ul>
116<li>Upload your applications to Google Play to allow automated updates without
117requiring a full over-the-air (OTA) update. Applications that are uploaded but
118unpublished are not directly downloadable by users but the applications are
119still updated. Users who have previously installed the app can re-install it
120and/or install on other devices.</li>
121<li>Create an application package name that is clearly associated with your
122company, such as by using a company trademark.</li>
123<li>Applications published by device manufacturers should be uploaded on the
124Google Play store to avoid package name impersonation by third-party users. If
125a device manufacturer installs an app on a device without publishing the app on
126the Play store, another developer could upload the same app, use the same
127package name, and change the metadata for the app. When the app is presented to
128the user, this unrelated metadata could create confusion.</li>
129</ul>
130
131<h3 id="incident-response">Responding to incidents</h3>
132<p>External parties must have the ability to contact device manufacturers about
133device-specific security issues. We recommend creating a publicly accessible
134email address for managing security incidents. Best practices:</p>
135
136<ul>
137<li>Create a <em>security@your-company.com</em> or similar address and publicize
138it.</li>
139<li>If you become aware of a security issue affecting Android OS or Android
140devices from multiple device manufacturers, you should contact the Android
141Security Team by filing a
142<a href="https://code.google.com/p/android/issues/entry?template=Security%20bug%20report">Security
143bug report</a>.</li>
144</ul>
145
146<h2 id="prod-implement">Product implementation</h2>
147<p>Use the following best practices when implementing a product.</p>
148
149<h3 id="root-processes">Isolating root processes</h3>
150<p>Root processes are the most frequent target of privilege escalation attacks,
151so reducing the number of root processes reduces risk of privilege escalation.
152CTS includes an informational test that lists root processes. Best practices:</p>
153
154<ul>
155<li>Devices should run the minimum necessary code as root. Where possible, use a
156regular Android process rather than a root process. The ICS Galaxy Nexus has
157only six root processes: vold, inetd, zygote, tf_daemon, ueventd, and init. If a
158process must run as root on a device, document the process in an AOSP feature
159request so it can be publicly reviewed.</li>
160<li>Where possible, root code should be isolated from untrusted data and
161accessed via IPC. For example, reduce root functionality to a small Service
162accessible via Binder and expose the Service with signature permission to an
163application with low or no privileges to handle network traffic.</li>
164<li>Root processes must not listen on a network socket.</li>
165<li>Root processes must not provide a general-purpose runtime for applications
166(e.g. a Java VM).</li>
167</ul>
168
169<h3 id="sys-apps">Isolating system apps</h3>
170<p>In general, pre-installed apps should not run with the shared system UID. If
171is it necessary, however, for an app to use the shared UID of system or another
172privileged service (i.e., phone), the app should not export any services,
173broadcast receivers, or content providers that can be accessed by third-party
174apps installed by users. Best practices:</p>
175
176<ul>
177<li>Devices should run the minimum necessary code as system. Where possible, use
178an Android process with its own UID rather than reusing the system UID.</li>
179<li>Where possible, system code should be isolated from untrusted data and
180expose IPC only to other trusted processes.</li>
181<li>System processes must not listen on a network socket.</li>
182</ul>
183
184<h3 id="process-isolate">Isolating processes</h3>
185<p>The Android Application Sandbox provides applications with an expectation of
186isolation from other processes on the system, including root processes and
187debuggers. Unless debugging is specifically enabled by the application and the
188user, no application should violate that expectation. Best practices:</p>
189
190<ul>
191<li>Root processes must not access data within individual application data
192folders, unless using a documented Android debugging method.</li>
193<li>Root processes must not access memory of applications, unless using a
194documented Android debugging method.</li>
195<li>Devices must not include any application that accesses data or memory of
196other applications or processes.</li>
197</ul>
198
199<h3 id="suid-files">Securing SUID files</h3>
200<p>New setuid programs should not be accessible by untrusted programs. Setuid
201programs have frequently been the location of vulnerabilities that can be used
202to gain root access, so strive to minimize the availability of the setuid
203program to untrusted applications. Best practices:</p>
204
205<ul>
206<li>SUID processes must not provide a shell or backdoor that can be used to
207circumvent the Android security model.</li>
208<li>SUID programs must not be writable by any user.</li>
209<li>SUID programs should not be world readable or executable. Create a group,
210limit access to the SUID binary to members of that group, and place any
211applications that should be able to execute the SUID program into that group.
212</li>
213<li>SUID programs are a common source of user rooting of devices. To reduce
214this risk, SUID programs should not be executable by the shell user.</li>
215</ul>
216
217<p>CTS verifier includes an informational test listing SUID files; some
218setuid files are not permitted per CTS tests.</p>
219
220<h3 id="listening-sockets">Securing listening sockets</h3>
221<p>CTS tests fail when a device is listening on any port, on any interface. In
222the event of a failure, Android verifies the following best practices are in
223use:</p>
224
225<ul>
226<li>There should be no listening ports on the device.</li>
227<li>Listening ports must be able to be disabled without an OTA. This can be
228either a server or user-device configuration change.</li>
229<li>Root processes must not listen on any port.</li>
230<li>Processes owned by the system UID must not listen on any port.</li>
231<li>For local IPC using sockets, applications must use a UNIX Domain Socket with
232access limited to a group. Create a file descriptor for the IPC and make it +RW
233for a specific UNIX group. Any client applications must be within that UNIX
234group.</li>
235<li>Some devices with multiple processors (e.g. a radio/modem separate from the
236application processor) use network sockets to communicate between processors.
237In such instances, the network socket used for inter-processor communication
238must use an isolated network interface to prevent access by unauthorized
239applications on the device (i.e. use iptables to prevent access by other
240applications on the device).</li>
241<li>Daemons that handle listening ports must be robust against malformed data.
242Google may conduct fuzz-testing against the port using an unauthorized client,
243and, where possible, authorized client. Any crashes will be filed as bugs with
244an appropriate severity.</li>
245</ul>
246
247<h3 id="logging">Logging data</h3>
248<p>Logging data increases the risk of exposure of that data and reduces system
249performance. Multiple public security incidents have occurred as the result of
250logging sensitive user data by applications installed by default on Android
251devices. Best practices:</p>
252
253<ul>
254<li>Applications or system services should not log data provided from
255third-party applications that might include sensitive information.</li>
256<li>Applications must not log any Personally Identifiable Information (PII) as
257part of normal operation.</li>
258</ul>
259
260<p>CTS includes tests that check for the presence of potentially sensitive
261information in the system logs.</p>
262
263<h3 id="directories">Limiting directory access</h3>
264<p>World-writable directories can introduce security weaknesses and enable an
265application to rename trusted files, substitute files, or conduct symlink-based
266attacks (attackers may use a symlink to a file to trick a trusted program into
267performing actions it shouldn't). Writable directories can also prevent the
268uninstall of an application from properly cleaning up all files associated with
269an application.</p>
270
271<p>As a best practice, directories created by the system or root users should
272not be world writable. CTS tests help enforce this best practice by testing
273known directories.</p>
274
275<h3 id="config-files">Securing configuration files</h3>
276<p>Many drivers and services rely on configuration and data files stored in
277directories such as <code>/system/etc</code> and <code>/data</code>. If these
278files are processed by a privileged process and are world writable, it is
279possible for an app to exploit a vulnerability in the process by crafting
280malicious contents in the world-writable file. Best practices:</p>
281
282<ul>
283<li>Configuration files used by privileged processes should not be world
284readable.</li>
285<li>Configuration files used by privileged processes must not be world
286writable.</li>
287</ul>
288
289<h3 id="native-code">Storing native code libraries</h3>
290<p>Any code used by privileged device manufacturer processes must be in
291<code>/vendor</code> or <code>/system</code>; these filesystems are mounted
292read-only on boot. As a best practice, libraries used by system or other
293highly-privileged apps installed on the phone should also be in these
294filesystems. This can prevent a security vulnerability that could allow an
295attacker to control the code that a privileged process executes.</p>
296
297<h3 id="device-drivers">Limiting device driver access</h3>
298<p>Only trusted code should have direct access to drivers. Where possible, the
299preferred architecture is to provide a single-purpose daemon that proxies calls
300to the driver and restricts driver access to that daemon. As a best practice,
301driver device nodes should not be world readable or writable. CTS tests help
302enforce this best practice by checking for known instances of exposed drivers.
303</p>
304
305<h3 id="adb">Disabling ADB</h3>
306<p>Android debug bridge (adb) is a valuable development and debugging tool, but
307is designed for use in controlled, secure environments and should not be enabled
308for general use. Best practices:</p>
309
310<ul>
311<li>ADB must be disabled by default.</li>
312<li>ADB must require the user to turn it on before accepting connections.</li>
313</ul>
314
315<h3 id="unlockable-bootloaders">Unlocking bootloaders</h3>
316<p>Many Android devices support unlocking, enabling the device owner to modify
317the system partition and/or install a custom operating system. Common use
318cases include installing a third-party ROM and performing systems-level
319development on the device. For example, a Google Nexus device owner can run
320<code>fastboot oem unlock</code> to start the unlocking process, which presents
321the following message to the user:</p>
322
323<div style="background-color: #B2EBF2; padding: 10px;margin-right:25px">
324
325<p><strong>Unlock bootloader?</strong></p>
326
327<p>If you unlock the bootloader, you will be able to install custom operating
328system software on this phone.</p>
329
330<p>A custom OS is not subject to the same testing as the original OS, and can
331cause your phone and installed applications to stop working properly.</p>
332
333<p>To prevent unauthorized access to your personal data, unlocking the
334bootloader will also delete all personal data from your phone (a "factory data
335reset").</p>
336
337<p>Press the Volume Up/Down buttons to select Yes or No. Then press the Power
338button to continue.</p>
339
340<p><strong>Yes</strong>: Unlock bootloader (may void warranty)</p>
341
342<p><strong>No</strong>: Do not unlock bootloader and restart phone.</p>
343</div>
344
345<br>
346<p>As a best practice, unlockable Android devices must securely erase all user
347data prior to being unlocked. Failure to properly delete all data on
348unlocking may allow a physically proximate attacker to gain unauthorized access
349to confidential Android user data. To prevent the disclosure of user data, a
350device that supports unlocking must implement it properly (we've seen numerous
351instances where device manufacturers improperly implemented unlocking). A
352properly implemented unlocking process has the following properties:</p>
353
354<ul>
355<li>When the unlocking command is confirmed by the user, the device must start
356an immediate data wipe. The <code>unlocked</code> flag must not be set until
357after the secure deletion is complete.</li>
358<li>If a secure deletion cannot be completed, the device must stay in a locked
359state.</li>
360<li>If supported by the underlying block device,
361<code>ioctl(BLKSECDISCARD)</code> or equivalent should be used. For eMMC
362devices, this means using a Secure Erase or Secure Trim command. For eMMC 4.5
363and later, this means using a normal Erase or Trim followed by a Sanitize
364operation.</li>
365<li>If <code>BLKSECDISCARD</code> is not supported by the underlying block
366device, <code>ioctl(BLKDISCARD)</code> must be used instead. On eMMC devices,
367this is a normal Trim operation.</li>
368<li>If <code>BLKDISCARD</code> is not supported, overwriting the block devices
369with all zeros is acceptable.</li>
370<li>An end user must have the option to require that user data be wiped prior to
371flashing a partition. For example, on Nexus devices, this is done via the
372<code>fastboot oem lock</code> command.</li>
373<li>A device may record, via efuses or similar mechanism, whether a device was
374unlocked and/or relocked.</li>
375</ul>
376
377<p>These requirements ensure that all data is destroyed upon the completion of
378an unlock operation. Failure to implement these protections is considered a
379moderate level security vulnerability.</p>
380
381<p>A device that is unlocked may be subsequently relocked using the
382<code>fastboot oem lock</code> command. Locking the bootloader provides the same
383protection of user data with the new custom OS as was available with the
384original device manufacturer OS (e.g. user data will be wiped if the device is
385unlocked again).</p>
386