page.title=Android Security FAQ
parent.title=FAQs, Tips, and How-to
parent.link=index.html
@jd:body

<ul>
    <li><a href="#secure">Is Android Secure?</a></li>
    <li><a href="#issue">I think I found a security flaw. How do I report
    it?</a></li>
    <li><a href="#informed">How can I stay informed about Android security?</a></li>
    <li><a href="#use">How do I securely use my Android phone?</a></li>
    <li><a href="#malware">I think I found malicious software being distributed
    for Android.
    How can I help?</a></li>
    <li><a href="#fixes">How will Android-powered devices receive security fixes?</a>
    </li>
    <li><a href="#directfix">Can I get a fix directly from the Android Platform
    Project?</a></li>
</ul>


<a name="secure" id="secure"></a><h2>Is Android secure?</h2>

<p>The security and privacy of our users' data is of primary importance to the
Android Open Source Project. We are dedicated to building and maintaining one
of the most secure mobile platforms available while still fulfilling our goal
of opening the mobile device space to innovation and competition.</p>

<p>A comprehensive overview of the <a
href="http://source.android.com/tech/security/index.html">Android
security model and Android security processes</a> is provided in the Android
Open Source Project Website.</p>

<p>Application developers play an important part in the security of Android.
The Android Platform provides developers with a rich <a
href="http://code.google.com/android/devel/security.html">security model</a>
that allows them to request the capabilities, or access, needed by their
application and to define new capabilities that other applications can request.
The Android user can choose to grant or deny an application's request for
certain capabilities on the handset.</p>

<p>We have made great efforts to secure the Android platform, but it is
inevitable that security bugs will be found in any system of this complexity.
Therefore, the Android team works hard to find new bugs internally and responds
quickly and professionally to vulnerability reports from external researchers.
</p>


<a name="issue" id="issue"></a><h2>I think I found a security flaw. How do I
report it?</h2>

<p>You can reach the Android security team at <a
href="mailto:security@android.com">security@android.com</a>.
If you like, you
can protect your message using our <a
href="http://code.google.com/android/security_at_android_dot_com.txt">PGP
key</a>.</p>

<p>We appreciate researchers practicing responsible disclosure by emailing us
with a detailed summary of the issue and keeping the issue confidential while
users are at risk. In return, we will make sure to keep the researcher informed
of our progress in issuing a fix.</p>


<a name="informed" id="informed"></a><h2>How can I stay informed about Android security?</h2>

<p>For general discussion of Android platform security, or how to use
security features in your Android application, please subscribe to <a
href="http://groups.google.com/group/android-security-discuss">android-security-discuss</a>.
</p>


<a name="use" id="use"></a><h2>How do I securely use my Android phone?</h2>

<p>Android was designed so that you can safely use your phone without making
any changes to the device or installing any special software. Android applications
run in an Application Sandbox that limits access to sensitive information or data
with the user's permission.</p>

<p>To fully benefit from the security protections in Android, it is important that
users only download and install software from known sources.</p>

<p>As an open platform, Android allows users to visit any website and load
software from any developer onto a device. As with a home PC, the user must be
aware of who is providing the software they are downloading and must decide
whether they want to grant the application the capabilities it requests.
This decision can be informed by the user's judgment of the software
developer's trustworthiness, and where the software came from.</p>


<a name="malware" id="malware"></a><h2>I think I found malicious software being
distributed for Android. How can I help?</h2>

<p>As with any other platform, it will be possible for unethical developers
to create malicious software, known as <a
href="http://en.wikipedia.org/wiki/Malware">malware</a>, for Android. If you
think somebody is trying to spread malware, please let us know at <a
href="mailto:security@android.com">security@android.com</a>. Please include as
much detail about the application as possible, with the location it is
being distributed from and why you suspect it of being malicious software.</p>

<p>The term <i>malicious software</i> is subjective, and we cannot make an
exhaustive definition.
Some examples of what the Android Security Team believes
to be malicious software include any application that:
<ul>
    <li>uses a bug or security vulnerability to gain permissions that have not
    been granted by the user;</li>
    <li>shows the user unsolicited messages (especially messages urging the
    user to buy something);</li>
    <li>resists (or attempts to resist) the user's effort to uninstall it;</li>
    <li>attempts to automatically spread itself to other devices;</li>
    <li>hides its files and/or processes;</li>
    <li>discloses the user's private information to a third party, without the
    user's knowledge and consent;</li>
    <li>destroys the user's data (or the device itself) without the user's
    knowledge and consent;</li>
    <li>impersonates the user (such as by sending email or buying things from a
    web store) without the user's knowledge and consent; or</li>
    <li>otherwise degrades the user's experience with the device.</li>
</ul>
</p>


<a name="fixes" id="fixes"></a><h2>How do Android-powered devices receive security
fixes?</h2>

<p>The manufacturer of each device is responsible for distributing software
upgrades for it, including security fixes. Many devices will update themselves
automatically with software downloaded "over the air", while some devices
require the user to upgrade them manually.</p>

<p>Google provides software updates for a number of Android devices, including
the <a href="http://www.google.com/nexus">Nexus</a>
series of devices, using an "over the air" (OTA) update. These updates may include
security fixes as well as new features.</p>

<a name="directfix" id="directfix"></a><h2>Can I get a fix directly from the
Android Platform Project?</h2>

<p>Android is a mobile platform that is released as open source and
available for free use by anybody.
This means that there are many
Android-based products available to consumers, and most of them are created
without the knowledge or participation of the Android Open Source Project. Like
the maintainers of other open source projects, we cannot build and release
patches for the entire ecosystem of products using Android. Instead, we will
work diligently to find and fix flaws as quickly as possible and to distribute
those fixes to the manufacturers of the products through the open source project.</p>

<p>If you are making an Android-powered device and would like to know how you can
properly support your customers by keeping abreast of software updates, please
contact us at <a
href="mailto:info@openhandsetalliance.com">info@openhandsetalliance.com</a>.</p>