From 143e61097e3aa2f6fd2951c707f35c35d3be25e3 Mon Sep 17 00:00:00 2001 From: Chris Palmer Date: Fri, 24 Sep 2010 15:08:51 -0700 Subject: DO NOT MERGE Clarify the explanation of Android's security design. Assert plainly that Dalvik is not a boundary. Certificates are for distinction, not "fake trustworthiness through verifying cheap identities". Clarify that UID + GID are what the kernel bases its protection on, not PID. This is a fuzzy distinction on Android since (apart from sharedUserId and magical system processes) there is a 1:1 mapping from process <-> UID. But it's important to clarify what we mean. Clarify up front about the staticness (staticity?) of permissions. It's explained lower down, but experience shows people don't read that far down. Get the rationale (bad UX --> bad security) right up top. Change-Id: I403310668d7ba42e44239055cb480c086ef76cbc --- docs/html/guide/topics/security/security.jd | 76 ++++++++++++++++------------- 1 file changed, 42 insertions(+), 34 deletions(-) (limited to 'docs/html/guide/topics/security') diff --git a/docs/html/guide/topics/security/security.jd b/docs/html/guide/topics/security/security.jd index dbc9866..de0c6e5 100644 --- a/docs/html/guide/topics/security/security.jd +++ b/docs/html/guide/topics/security/security.jd @@ -21,14 +21,15 @@ page.title=Security and Permissions -

Android is a multi-process system, in which each application (and parts of the -system) runs in its own process. Most security between applications and -the system is enforced at the process level through standard Linux facilities, -such as user and group IDs that are assigned to applications. -Additional finer-grained security features are provided -through a "permission" mechanism that enforces restrictions on the specific -operations that a particular process can perform, and per-URI permissions -for granting ad-hoc access to specific pieces of data.

+

Android is a privilege-separated operating system, in which each +application runs with a distinct system identity (Linux user ID and group +ID). Parts of the system are also separated into distinct identities. +Linux thereby isolates applications from each other and from the system.

+ +

Additional finer-grained security features are provided through a +"permission" mechanism that enforces restrictions on the specific operations +that a particular process can perform, and per-URI permissions for granting +ad-hoc access to specific pieces of data.

Security Architecture

@@ -38,39 +39,46 @@ application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. This includes reading or writing the user's private data (such as contacts or e-mails), reading or writing another application's files, performing -network access, keeping the device awake, etc.

- -

An application's process runs in a security sandbox. The sandbox is designed -to prevent applications from disrupting each other, except by explicitly -declaring the permissions they need for additional capabilities not -provided by the basic sandbox. The system handles requests for permissions -in various ways, typically by automatically allowing or disallowing based on -certificates or by prompting the user. The permissions required by an -application are declared statically in that application, so they can be known -up-front at install time and will not change after that.

+network access, keeping the device awake, etc.

+ +

Because the kernel sandboxes applications from each other, applications +must explicitly share resources and data. They do this by declaring the +permissions they need for additional capabilities not provided by +the basic sandbox. Applications statically declare the permissions they +require, and the Android system prompts the user for consent at the time the +application is installed. Android has no mechanism for granting permissions +dynamically (at run-time) because it complicates the user experience to the +detriment of security.

+ +

The kernel is solely responsible for sandboxing applications from each +other. In particular the Dalvik VM is not a security boundary, and any app +can run native code (see the Android NDK). +All types of applications — Java, native, and hybrid — are +sandboxed in the same way and have the same degree of security from each +other.

Application Signing

-

All Android applications (.apk files) must be signed with a certificate whose -private key is held by their developer. This certificate identifies the author -of the application. The certificate does not need to be signed by -a certificate authority: it is perfectly allowable, and typical, for Android -applications to use self-signed certificates. The certificate is used only -to establish trust relationships between applications, not for wholesale -control over whether an application can be installed. The most significant -ways that signatures impact security is by determining who can access -signature-based permissions and who can share user IDs.

- +

All Android applications (.apk files) must be signed with a certificate +whose private key is held by their developer. This certificate identifies +the author of the application. The certificate does not need to be +signed by a certificate authority: it is perfectly allowable, and typical, +for Android applications to use self-signed certificates. The purpose of +certificates in Android is to distinguish application authors. This allows +the system to grant or deny applications access to signature-level +permissions and to grant or deny an application's request to be given +the same Linux identity as another application.

User IDs and File Access

-

Each Android package (.apk) file installed on the device is given its -own unique Linux user ID, creating a sandbox for it and preventing it from touching -other applications (or other applications from touching it). This user ID is -assigned to it when the application is installed on the device, and -remains constant for the duration of its life on that device.

+

At install time, Android gives each package a distinct Linux user ID. The +identity remains constant for the duration of the package's life on that +device. On a different device, the same package may have a different UID; +what matters is that each package has a distinct UID on a given device.

Because security enforcement happens at the process level, the code of any two packages can not normally @@ -150,7 +158,7 @@ activities of other applications.

  • Both sending and receiving broadcasts, to control who can receive your broadcast or who can send a broadcast to you.
  • When accessing and operating on a content provider.
  • -
  • Binding or starting a service.
  • +
  • Binding to or starting a service.
  • -- cgit v1.1