diff options
Diffstat (limited to 'docs/html/resources/faq/security.jd')
| -rw-r--r-- | docs/html/resources/faq/security.jd | 156 |
1 files changed, 156 insertions, 0 deletions
diff --git a/docs/html/resources/faq/security.jd b/docs/html/resources/faq/security.jd new file mode 100644 index 0000000..b0d832b --- /dev/null +++ b/docs/html/resources/faq/security.jd @@ -0,0 +1,156 @@ +page.title=Android Security FAQ +parent.title=FAQs, Tips, and How-to +parent.link=index.html +@jd:body + +<ul> + <li><a href="#secure">Is Android Secure?</a></li> + <li><a href="#issue">I think I found a security flaw. How do I report + it?</a></li> + <li><a href="#informed">How can I stay informed of Android security + announcements?</a></li> + <li><a href="#use">How do I securely use my Android phone?</a></li> + <li><a href="#malware">I think I found malicious software being distributed + for Android. How can I help?</a></li> + <li><a href="#fixes">How will Android-powered devices receive security fixes?</a> + </li> + <li><a href="#directfix">Can I get a fix directly from the Android Platform + Project?</a></li> +</ul> + + +<a name="secure" id="secure"></a><h2>Is Android secure?</h2> + +<p>The security and privacy of our users' data is of primary importance to the +Android Open Source Project. We are dedicated to building and maintaining one +of the most secure mobile platforms available while still fulfilling our goal +of opening the mobile device space to innovation and competition.</p> + +<p>The Android Platform provides a rich <a +href="http://code.google.com/android/devel/security.html">security model</a> +that allows developers to request the capabilities, or access, needed by their +application and to define new capabilities that other applications can request. +The Android user can choose to grant or deny an application's request for +certain capabilities on the handset.</p> + +<p>We have made great efforts to secure the Android platform, but it is +inevitable that security bugs will be found in any system of this complexity. +Therefore, the Android team works hard to find new bugs internally and responds +quickly and professionally to vulnerability reports from external researchers. +</p> + + +<a name="issue" id="issue"></a><h2>I think I found a security flaw. How do I +report it?</h2> + +<p>You can reach the Android security team at <a +href="mailto:security@android.com">security@android.com</a>. If you like, you +can protect your message using our <a +href="http://code.google.com/android/security_at_android_dot_com.txt">PGP +key</a>.</p> + +<p>We appreciate researchers practicing responsible disclosure by emailing us +with a detailed summary of the issue and keeping the issue confidential while +users are at risk. In return, we will make sure to keep the researcher informed +of our progress in issuing a fix and will properly credit the reporter(s) when +we announce the patch. We will always move swiftly to mitigate or fix an +externally-reported flaw and will publicly announce the fix once patches are +available to users.</p> + + +<a name="informed" id="informed"></a><h2>How can I stay informed of Android +security announcements?</h2> + +<p>An important part of sustainably securing a platform, such as, Android is +keeping the user and security community informed of bugs and fixes. We will +publicly announce security bugs when the fixes are available via postings to +the <a +href="http://groups.google.com/group/android-security-announce">android-security-announce</a> +group on Google Groups. You can subscribe to this group as you would a mailing +list and view the archives here.</p> + +<p>For more general discussion of Android platform security, or how to use +security features in your Android application, please subscribe to <a +href="http://groups.google.com/group/android-security-discuss">android-security-discuss</a>. +</p> + + +<a name="use" id="use"></a><h2>How do I securely use my Android phone?</h2> + +<p>As an open platform, Android allows users to load software from any +developer onto a device. As with a home PC, the user must be +aware of who is providing the software they are downloading and must decide +whether they want to grant the application the capabilities it requests. +This decision can be informed by the user's judgment of the software +developer's trustworthiness, and where the software came from.</p> + +<p>Despite the security protections in Android, it is important +for users to only download and install software from developers they trust. +More details on how Android users can make smart security decisions will be +released when consumer devices become available.</p> + + +<a name="malware" id="malware"></a><h2>I think I found malicious software being +distributed for Android. How can I help?</h2> + +<p>Like any other open platform, it will be possible for unethical developers +to create malicious software, known as <a +href="http://en.wikipedia.org/wiki/Malware">malware</a>, for Android. If you +think somebody is trying to spread malware, please let us know at <a +href="mailto:security@android.com">security@android.com</a>. Please include as +much detail about the application as possible, with the location it is +being distributed from and why you suspect it of being malicious software.</p> + +<p>The term <i>malicious software</i> is subjective, and we cannot make an +exhaustive definition. Some examples of what the Android Security Team believes +to be malicious software is any application that: +<ul> + <li>drains the device's battery very quickly;</li> + <li>shows the user unsolicited messages (especially messages urging the + user to buy something);</li> + <li>resists (or attempts to resist) the user's effort to uninstall it;</li> + <li>attempts to automatically spread itself to other devices;</li> + <li>hides its files and/or processes;</li> + <li>discloses the user's private information to a third party, without the + user's knowledge and consent;</li> + <li>destroys the user's data (or the device itself) without the user's + knowledge and consent;</li> + <li>impersonates the user (such as by sending email or buying things from a + web store) without the user's knowledge and consent; or</li> + <li>otherwise degrades the user's experience with the device.</li> +</ul> +</p> + + +<a name="fixes" id="fixes"></a><h2>How will Android-powered devices receive security +fixes?</h2> + +<p>The manufacturer of each device is responsible for distributing software +upgrades for it, including security fixes. Many devices will update themselves +automatically with software downloaded "over the air", while some devices +require the user to upgrade them manually.</p> + +<p>When Android-powered devices are publicly available, this FAQ will provide links how +Open Handset Alliance members release updates.</p> + +<a name="directfix" id="directfix"></a><h2>Can I get a fix directly from the +Android Platform Project?</h2> + +<p>Android is a mobile platform that will be released as open source and +available for free use by anybody. This means that there will be many +Android-based products available to consumers, and most of them will be created +without the knowledge or participation of the Android Open Source Project. Like +the maintainers of other open source projects, we cannot build and release +patches for the entire ecosystem of products using Android. Instead, we will +work diligently to find and fix flaws as quickly as possible and to distribute +those fixes to the manufacturers of the products.</p> + +<p>In addition, We will add security fixes to the open source distribution of +Android and publicly announce the changes on <a +href="http://groups.google.com/group/android-security-announce">android-security-announce</a>. +</p> + +<p>If you are making an Android-powered device and would like to know how you can +properly support your customers by keeping abreast of software updates, please +contact us at <a +href="mailto:info@openhandsetalliance.com">info@openhandsetalliance.com</a>.</p> |