## 9.8\. Privacy

### 9.8.1\. Usage History

Android stores the history of the user's choices and manages such history via
[UsageStatsManager](https://developer.android.com/reference/android/app/usage/UsageStatsManager.html).

Device implementations:

*   [C-0-1] MUST keep a reasonable retention period of such user history.
*   [SR] Are STRONGLY RECOMMENDED to keep the 14-day retention period as
    configured by default in the AOSP implementation.

Android stores the system events using the [`StatsLog`](https://developer.android.com/reference/android/util/StatsLog.html)
identifiers, and manages such history via the `StatsManager` and the
`IncidentManager` System API.

Device implementations:

*   [C-0-2] MUST only include the fields marked with `DEST_AUTOMATIC` in the
    incident report created by the System API class `IncidentManager`.
*   [C-0-3] MUST NOT use the system event identifiers to log any other event
    than what is described in the [`StatsLog`](https://developer.android.com/reference/android/util/StatsLog.html)
    SDK documents. If additional system events are logged, they MAY use a
    different atom identifier in the range between 100,000 and 200,000.

### 9.8.2\. Recording

Device implementations:

*   [C-0-1] MUST NOT preload or distribute software components out-of-box that
    send the user's private information (e.g. keystrokes, text displayed on the
    screen, bugreport) off the device without the user's consent or clear
    ongoing notifications.
*   [C-0-2] MUST display and obtain explicit user consent that includes exactly
    the same message as AOSP whenever screen casting or screen recording is
    enabled via [`MediaProjection`](https://developer.android.com/reference/android/media/projection/MediaProjection)
    or proprietary APIs. MUST NOT provide users an affordance to
    disable future display of the user consent.
*   [C-0-3] MUST have an ongoing notification to the user while screen casting
    or screen recording is enabled. AOSP meets this requirement by showing an
    ongoing notification icon in the status bar.
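What C-0-2 and C-0-3 look like from the application side, as an added example that is not part of the CDD or of AOSP: the only way to obtain a `MediaProjection` is through the system consent dialog returned by `createScreenCaptureIntent()`, which has no "don't ask again" option, and the capture runs inside a foreground service whose ongoing notification lives exactly as long as the session. Class names, the channel id and the notification text are illustrative choices.

```java
// CaptureActivity.java: every capture session goes back through the system consent dialog.
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.media.projection.MediaProjectionManager;

public class CaptureActivity extends Activity {
    private static final int REQUEST_CAPTURE = 1;

    void startCapture() {
        MediaProjectionManager mpm =
                (MediaProjectionManager) getSystemService(Context.MEDIA_PROJECTION_SERVICE);
        // Launches the system consent dialog (the AOSP message C-0-2 refers to).
        // There is no API to skip it and no way to suppress it for future sessions.
        startActivityForResult(mpm.createScreenCaptureIntent(), REQUEST_CAPTURE);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != REQUEST_CAPTURE) return;
        if (resultCode != RESULT_OK || data == null) return; // declined: do not retry silently
        // Hand the one-shot result to a foreground service. Do not keep `data` around for a
        // later session: Android 14+ rejects reuse, and re-prompting the user is the point.
        Intent svc = new Intent(this, CaptureService.class)
                .putExtra(CaptureService.EXTRA_RESULT_CODE, resultCode)
                .putExtra(CaptureService.EXTRA_RESULT_DATA, data);
        startForegroundService(svc);
    }
}

// CaptureService.java: the ongoing notification exists for the whole capture (C-0-3).
import android.app.Activity;
import android.app.Notification;
import android.app.NotificationChannel;
import android.app.NotificationManager;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ServiceInfo;
import android.media.projection.MediaProjection;
import android.media.projection.MediaProjectionManager;
import android.os.Build;
import android.os.IBinder;

public class CaptureService extends Service {
    static final String EXTRA_RESULT_CODE = "result_code";
    static final String EXTRA_RESULT_DATA = "result_data";
    private static final String CHANNEL_ID = "screen_capture";
    private static final int NOTIFICATION_ID = 42;
    private MediaProjection projection;

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        NotificationManager nm = getSystemService(NotificationManager.class);
        nm.createNotificationChannel(new NotificationChannel(
                CHANNEL_ID, "Screen capture", NotificationManager.IMPORTANCE_LOW));
        Notification n = new Notification.Builder(this, CHANNEL_ID)
                .setContentTitle("Screen is being recorded")
                .setSmallIcon(android.R.drawable.ic_menu_camera)
                .setOngoing(true)   // cannot be swiped away while the service runs
                .build();
        // API 29+: the service must be foreground with the mediaProjection type (also
        // declared in the manifest) before getMediaProjection() succeeds.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            startForeground(NOTIFICATION_ID, n, ServiceInfo.FOREGROUND_SERVICE_TYPE_MEDIA_PROJECTION);
        } else {
            startForeground(NOTIFICATION_ID, n);
        }
        MediaProjectionManager mpm =
                (MediaProjectionManager) getSystemService(Context.MEDIA_PROJECTION_SERVICE);
        int code = intent.getIntExtra(EXTRA_RESULT_CODE, Activity.RESULT_CANCELED);
        Intent data = intent.getParcelableExtra(EXTRA_RESULT_DATA);
        projection = mpm.getMediaProjection(code, data);
        // Register before creating a VirtualDisplay (required on Android 14+). onStop fires
        // when the user ends the session from the status bar, so the notification goes too.
        projection.registerCallback(new MediaProjection.Callback() {
            @Override public void onStop() { stopSelf(); }
        }, null);
        // ... createVirtualDisplay(...) / MediaRecorder setup goes here ...
        return START_NOT_STICKY;
    }

    @Override
    public void onDestroy() {
        if (projection != null) projection.stop();
        stopForeground(true);   // notification disappears together with the capture
        super.onDestroy();
    }

    @Override public IBinder onBind(Intent intent) { return null; }
}
```

The manifest entry for the service needs `android:foregroundServiceType="mediaProjection"` plus the `FOREGROUND_SERVICE` permission (and `FOREGROUND_SERVICE_MEDIA_PROJECTION` from API 34). Proprietary capture paths on a device implementation are held to the same bar by C-0-2/C-0-3: same consent text, no opt-out, and a notification that cannot be dismissed while capture is active.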

If device implementations include functionality in the system that either
captures the contents displayed on the screen and/or records the audio stream
played on the device other than via the System API `ContentCaptureService`, or
other proprietary means described in
[Section 9.8.6 Content Capture](#9_8_6_content_capture), they:

*   [C-1-1] MUST have an ongoing notification to the user whenever this
    functionality is enabled and actively capturing/recording.

If device implementations include a component enabled out-of-box, capable of
recording ambient audio and/or recording the audio played on the device
to infer useful information about the user’s context, they:

*   [C-2-1] MUST NOT store in persistent on-device storage or transmit off the
    device the recorded raw audio or any format that can be converted back into
    the original audio or a near facsimile, except with explicit user consent.

### 9.8.3\. Connectivity

If device implementations have a USB port with USB peripheral mode support,
they:

*   [C-1-1] MUST present a user interface asking for the user's consent before
    allowing access to the contents of the shared storage over the USB port.

### 9.8.4\. Network Traffic

Device implementations:

*   [C-0-1] MUST preinstall the same root certificates for the system-trusted
    Certificate Authority (CA) store as [provided](https://source.android.com/security/overview/app-security.html#certificate-authorities)
    in the upstream Android Open Source Project.
*   [C-0-2] MUST ship with an empty user root CA store.
*   [C-0-3] MUST display a warning to the user indicating the network traffic
    may be monitored, when a user root CA is added.
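The warning in C-0-3 exists because whoever holds the private key of a user-added root CA can terminate TLS for every app that trusts that store. Apps targeting API 24 and later trust only the system store by default; the following added example (not from the CDD or AOSP) is an app-side network security configuration that makes that choice explicit and confines user-CA trust to debug builds so that traffic can be inspected with a proxy during development without shipping that trust. The file name is the conventional one and is an assumption.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest's <application>
     element via android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- Release behaviour: trust only the preinstalled system store (C-0-1).
         A CA added to the user store (C-0-2/C-0-3) is ignored by this app. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Applied only when android:debuggable="true": additionally trust user-added CAs
         so a developer's interception proxy works. Ignored in release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The same file is where certificate pinning (`<pin-set>`) would go for an app that wants to stop trusting even a compromised system CA; that is a separate decision from the user-store question above.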

If device traffic is routed through a VPN, device implementations:

*   [C-1-1] MUST display a warning to the user indicating either:
    *   That network traffic may be monitored.
    *   That network traffic is being routed through the specific VPN
        application providing the VPN.

If device implementations have a mechanism, enabled out-of-box by default, that
routes network data traffic through a proxy server or VPN gateway (for example,
preloading a VPN service with `android.permission.CONTROL_VPN` granted), they:

*   [C-2-1] MUST ask for the user's consent before enabling that mechanism,
    unless that VPN is enabled by the Device Policy Controller via
    [`DevicePolicyManager.setAlwaysOnVpnPackage()`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#setAlwaysOnVpnPackage%28android.content.ComponentName,%20java.lang.String,%20boolean%29),
    in which case the user does not need to provide a separate consent, but
    MUST only be notified.

If device implementations implement a user affordance to toggle on the
"always-on VPN" function of a 3rd-party VPN app, they:

*   [C-3-1] MUST disable this user affordance for apps that do not support
    always-on VPN service in the `AndroidManifest.xml` file via setting the
    [`SERVICE_META_DATA_SUPPORTS_ALWAYS_ON`](https://developer.android.com/reference/android/net/VpnService.html#SERVICE_META_DATA_SUPPORTS_ALWAYS_ON)
    attribute to `false`.
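The manifest declaration C-3-1 refers to, as an added example rather than text from the CDD: a `VpnService` that opts out of always-on mode. `SERVICE_META_DATA_SUPPORTS_ALWAYS_ON` is the string `android.net.VpnService.SUPPORTS_ALWAYS_ON`. The service class name is an assumption.

```xml
<!-- AndroidManifest.xml excerpt (inside <application>). -->
<service
    android:name=".MyVpnService"
    android:exported="true"
    android:permission="android.permission.BIND_VPN_SERVICE">
    <!-- BIND_VPN_SERVICE is a signature permission held only by the system, so no other
         app can bind to this service and drive the tunnel; without it the platform
         refuses to use the service as a VPN. -->
    <intent-filter>
        <action android:name="android.net.VpnService" />
    </intent-filter>
    <!-- C-3-1: with the value false the Settings UI hides the "Always-on VPN" (and
         lockdown) toggle for this app. Leave the element out, or set it to true, for a
         VPN that can be started at boot without user interaction. -->
    <meta-data
        android:name="android.net.VpnService.SUPPORTS_ALWAYS_ON"
        android:value="false" />
</service>
```

A VPN that does support always-on must cope with being started by the system before any user session exists; declaring `false` is the honest choice for one that needs interactive login or per-session consent.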

### 9.8.5\. Device Identifiers

Device implementations:

*   [C-0-1] MUST prevent access to the device serial number and, where
    applicable, IMEI/MEID, SIM serial number, and International Mobile
    Subscriber Identity (IMSI) from an app, unless it meets one of the following
    requirements:
    *   is a signed carrier app that is verified by device manufacturers.
    *   has been granted the `READ_PRIVILEGED_PHONE_STATE` permission.
    *   has carrier privileges as defined in [`UICC Carrier Privileges`](https://source.android.com/devices/tech/config/uicc).
    *   is a device owner or profile owner that has been granted the
        `READ_PHONE_STATE` permission.
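From an app's point of view C-0-1 means that, since Android 10, `TelephonyManager#getImei()` and its relatives throw `SecurityException` unless the caller is in one of the listed categories. The following added example (not CDD or AOSP code) checks the two conditions an ordinary app can test for itself, carrier privileges and the privileged permission, before asking, and falls back to an app-scoped identifier. The device/profile-owner branch is omitted; a DPC would add it via `DevicePolicyManager#isDeviceOwnerApp`. Class name and preference keys are assumptions.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.content.pm.PackageManager;
import android.telephony.TelephonyManager;
import java.util.UUID;

/** Added example: read a hardware identifier only when this app is eligible. */
public final class DeviceIds {
    // Not exposed as a Manifest.permission constant in the public SDK; it is
    // signature|privileged, so only preinstalled apps can ever hold it.
    private static final String READ_PRIVILEGED_PHONE_STATE =
            "android.permission.READ_PRIVILEGED_PHONE_STATE";

    private DeviceIds() {}

    /**
     * Returns the IMEI, or null when this app is not allowed to see it.
     * The explicit checks avoid using SecurityException as control flow; the catch
     * remains because eligibility can change between the check and the call
     * (for example, the SIM that granted carrier privileges is removed).
     */
    public static String imeiIfPermitted(Context ctx) {
        TelephonyManager tm = ctx.getSystemService(TelephonyManager.class);
        boolean privileged = ctx.checkSelfPermission(READ_PRIVILEGED_PHONE_STATE)
                == PackageManager.PERMISSION_GRANTED;
        boolean carrier = tm.hasCarrierPrivileges(); // granted by the UICC's access rules
        if (!privileged && !carrier) {
            return null;
        }
        try {
            return tm.getImei();
        } catch (SecurityException e) {
            return null;
        }
    }

    /** App-scoped identifier needing no permission; reset on reinstall or clear-data. */
    public static String appScopedId(Context ctx) {
        SharedPreferences prefs = ctx.getSharedPreferences("ids", Context.MODE_PRIVATE);
        String id = prefs.getString("app_id", null);
        if (id == null) {
            id = UUID.randomUUID().toString();
            prefs.edit().putString("app_id", id).apply();
        }
        return id;
    }
}
```

The fallback is deliberately not a hardware value: an identifier the user can reset by clearing app data is the only kind an unprivileged app should depend on, and it is what the platform pushes apps toward by closing the IMEI/serial path.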

### 9.8.6\. Content Capture

Android, through the System API `ContentCaptureService`, or by other proprietary
means, supports a mechanism for device implementations to capture the
following interactions between the applications and the user.

*    Text and graphics rendered on-screen, including but not limited to,
     notifications and assist data via [`AssistStructure`](
     https://developer.android.com/reference/android/app/assist/AssistStructure)
     API.
*    Media data, such as audio or video, recorded or played by the device.
*    Input events (e.g. key, mouse, gesture, voice, video, and accessibility).
*    Any other events that an application provides to the system via the
     [`Content Capture`](
     https://developer.android.com/reference/android/view/contentcapture/package-summary)
     API or a similarly capable, proprietary API.
*    Any text or other data sent via the [`TextClassifier API`](https://developer.android.com/reference/android/view/textclassifier/TextClassifier)
     to the System TextClassifier, i.e. to the system service that interprets
     the meaning of text and generates predicted next actions based on
     the text.

If device implementations capture the data above, they:

*    [C-0-1] MUST encrypt all such data when stored on the device. This
     encryption MAY be carried out using Android File Based Encryption, or any
     of the ciphers listed as API version 26+ described in [Cipher SDK](
     https://developer.android.com/reference/javax/crypto/Cipher).
*    [C-0-2] MUST NOT back up either raw or encrypted data using
     [Android backup methods](
     https://developer.android.com/guide/topics/data/backup) or any other back
     up methods.
*    [C-0-3] MUST only send all such data and the device log using a
     privacy-preserving mechanism. The privacy-preserving mechanism
     is defined as “those which allow only analysis in aggregate and prevent
     matching of logged events or derived outcomes to individual users”, to
     prevent any per-user data being introspectable (e.g., implemented using
     a differential privacy technology such as [`RAPPOR`](
     https://github.com/google/rappor)).
*    [C-0-4] MUST NOT associate such data with any user identity (such
     as [`Account`](https://developer.android.com/reference/android/accounts/Account))
     on the device, except with explicit user consent each time the data is
     associated.
*    [C-0-5] MUST NOT share such data with other apps, except with
     explicit user consent every time it is shared.
*    [C-0-6] MUST provide user affordance to erase such data that
     the `ContentCaptureService` or the proprietary means collects if the
     data is stored in any form on the device.
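C-0-3 defines the mechanism by its property, aggregate analysis only, and names RAPPOR as one instance. The following is an added illustration, not code from the CDD, AOSP or the RAPPOR project: a minimal RAPPOR-style client and collector. Each device hashes its value into a Bloom filter, applies a permanent randomized response that is memoised per value (so repeated reports cannot be averaged back to the true bits) and then a fresh instantaneous randomized response on every report; only the final noisy bits leave the device. The collector applies the paper's unbiased estimator to recover counts across many devices. The parameters `k`, `h`, `f`, `p`, `q`, the constructed sample population in `main` and all names are choices made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.BitSet;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Random;

/** Basic RAPPOR-style randomized response (added illustration, not AOSP code). */
public final class Rappor {
    final int k;        // Bloom filter width in bits
    final int h;        // hash functions per value
    final double f;     // permanent randomized response: probability a bit is replaced by a coin flip
    final double p, q;  // instantaneous RR: P(report 1 | B'=0) and P(report 1 | B'=1)

    Rappor(int k, int h, double f, double p, double q) {
        this.k = k; this.h = h; this.f = f; this.p = p; this.q = q;
    }

    /** Bloom-filter encoding B of a value: h bit positions derived from SHA-256. */
    BitSet bloom(String value) {
        BitSet b = new BitSet(k);
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (int i = 0; i < h; i++) {
                byte[] d = md.digest((i + ":" + value).getBytes(StandardCharsets.UTF_8));
                b.set(((d[0] & 0xff) << 8 | (d[1] & 0xff)) % k);
            }
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
        return b;
    }

    /** Permanent RR B': with probability f a bit becomes a fair coin, otherwise it is kept. */
    BitSet permanent(BitSet b, Random rnd) {
        BitSet out = new BitSet(k);
        for (int i = 0; i < k; i++) {
            double r = rnd.nextDouble();
            out.set(i, r < f / 2 || (r >= f && b.get(i)));
        }
        return out;
    }

    /** One device. B' is memoised per value so that repeated reports cannot be averaged. */
    static final class Client {
        private final Rappor cfg;
        private final Random rnd;
        private final Map<String, BitSet> memo = new HashMap<>();

        Client(Rappor cfg, Random rnd) { this.cfg = cfg; this.rnd = rnd; }

        /** Instantaneous RR S: fresh noise every time. Only S ever leaves the device. */
        BitSet report(String value) {
            BitSet perm = memo.computeIfAbsent(value, v -> cfg.permanent(cfg.bloom(v), rnd));
            BitSet s = new BitSet(cfg.k);
            for (int i = 0; i < cfg.k; i++) {
                s.set(i, rnd.nextDouble() < (perm.get(i) ? cfg.q : cfg.p));
            }
            return s;
        }
    }

    /**
     * Collector side: unbiased estimate of how many of the n reports had bit i set in B,
     * t_i = (c_i - (p + f*q/2 - f*p/2) * n) / ((1 - f) * (q - p)).
     */
    double[] estimateBitCounts(List<BitSet> reports) {
        double[] c = new double[k];
        for (BitSet s : reports) {
            for (int i = s.nextSetBit(0); i >= 0; i = s.nextSetBit(i + 1)) c[i]++;
        }
        int n = reports.size();
        double[] t = new double[k];
        for (int i = 0; i < k; i++) {
            t[i] = (c[i] - (p + f * q / 2 - f * p / 2) * n) / ((1 - f) * (q - p));
        }
        return t;
    }

    /** Rough count of one candidate value: the smallest estimate over its Bloom positions. */
    double estimateValueCount(List<BitSet> reports, String candidate) {
        double[] t = estimateBitCounts(reports);
        double est = Double.MAX_VALUE;
        BitSet b = bloom(candidate);
        for (int i = b.nextSetBit(0); i >= 0; i = b.nextSetBit(i + 1)) est = Math.min(est, t[i]);
        return est;
    }

    public static void main(String[] args) {
        Rappor cfg = new Rappor(64, 2, 0.5, 0.5, 0.75);
        Random rnd = new Random(7);
        String[] population = {"A", "A", "A", "A", "A", "A", "B", "B", "B", "C"}; // constructed sample
        List<BitSet> reports = new ArrayList<>();
        for (int i = 0; i < 10000; i++) {
            reports.add(new Client(cfg, rnd).report(population[i % population.length]));
        }
        for (String v : new String[] {"A", "B", "C", "never-seen"}) {
            System.out.printf("%s: ~%.0f of %d%n", v, cfg.estimateValueCount(reports, v), reports.size());
        }
    }
}
```

With these parameters the per-bit estimate carries a standard deviation of a few hundred reports out of 10,000, so rare values and never-seen candidates come out near zero (sometimes negative) while the common ones are recovered to within a few percent; that imprecision on the individual report is exactly the property C-0-3 asks for. The point for C-0-3 compliance is the data flow: no raw value, no per-device key and no identity is ever sent, and the collector's only operation is counting bits over the whole population.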

If device implementations include a service that implements the System API
`ContentCaptureService`, or any proprietary service that captures the data
as described above, they:

*    [C-1-1] MUST NOT allow users to replace the content capture service with a
     user-installable application or service and MUST only allow the
     preinstalled service to capture such data.
*    [C-1-2] MUST NOT allow any apps other than the preinstalled content capture
     service mechanism to be able to capture such data.
*    [C-1-3] MUST provide user affordance to disable the content capture
     service.
*    [C-1-4] MUST NOT omit user affordance to manage Android permissions that
     are held by the content capture service and MUST follow the Android
     permissions model as described in [Section 9.1. Permission](#9_1_permissions.md).
*    [C-SR] Are STRONGLY RECOMMENDED to keep the content capturing service
     components separate from other system components, for example by not
     binding the service to them or sharing process IDs with them, except for
     the following:

     *    Telephony, Contacts, System UI, and Media

### 9.8.7\. Clipboard Access

Device implementations:

  * [C-0-1] MUST NOT return clipped data on the clipboard (e.g. via the
    [`ClipboardManager`](
    https://developer.android.com/reference/android/content/ClipboardManager)
    API) unless the app is the default IME or is the app that currently has
    focus.

### 9.8.8\. Location

Device implementations:

*   [C-0-1] MUST NOT turn on/off the device location setting and Wi-Fi/Bluetooth
    scanning settings without explicit user consent or user initiation.
*   [C-0-2] MUST provide the user affordance to access location related
    information including recent location requests, app level permissions and usage
    of Wi-Fi/Bluetooth scanning for determining location.
*   [C-0-3] MUST ensure that the application using the Emergency Location Bypass API
    `LocationRequest.setLocationSettingsIgnored()` is a user initiated emergency
    session (e.g. dial 911 or text to 911). For Automotive however, a vehicle MAY
    initiate an emergency session without active user interaction in the case
    a crash/accident is detected (e.g. to satisfy eCall requirements).
*   [C-0-4] MUST preserve the Emergency Location Bypass API's ability to
    bypass device location settings without changing the settings.
*   [C-0-5] MUST schedule a notification that reminds the user after an app in
    the background has accessed their location using the
    `ACCESS_BACKGROUND_LOCATION` permission.

### 9.8.9\. Installed apps

Android apps targeting API level 30 or above cannot see details about other
installed apps by default (see [Package visibility](
https://developer.android.com/preview/privacy/package-visibility) in the Android
SDK documentation).

Device implementations:

*   [C-0-1] MUST NOT expose to any app targeting API level 30 or above details
    about any other installed app, unless the app is already able to see details
    about the other installed app through the managed APIs. This includes but is
    not limited to details exposed by any custom APIs added by the device
    implementer, or accessible via the filesystem.

### 9.8.10\. Connectivity Bug Report

If device implementations generate bug reports using the System API
`BUGREPORT_MODE_TELEPHONY` with BugreportManager, they:

*   [C-1-1] MUST obtain user consent every time the System API
    `BUGREPORT_MODE_TELEPHONY` is called to generate a report and MUST NOT
    prompt the user to consent to all future requests from the application.
*   [C-1-2] MUST display and obtain explicit user consent when the reports are
    starting to be generated and MUST NOT return the generated report
    to the requesting app without explicit user consent.
*   [C-1-3] MUST generate requested reports containing at least the following
    information:
    *   TelephonyDebugService dump
    *   TelephonyRegistry dump
    *   WifiService dump
    *   ConnectivityService dump
    *   A dump of the calling package's CarrierService instance (if bound)
    *   Radio log buffer
*   [C-1-4] MUST NOT include the following in the generated reports:
    *   Any kind of information unrelated to connectivity debugging.
    *   Any kind of user-installed application traffic logs or detailed profiles
        of user-installed applications/packages (UIDs are okay, package names
        are not).
*   MAY include additional information that is not associated with any user
    identity (e.g. vendor logs).

If device implementations include additional information (e.g. vendor logs) in
the bug report and that information has privacy/security/battery/storage/memory
impact, they:

*   [C-SR] Are STRONGLY RECOMMENDED to have a developer setting defaulted to
    disabled. The AOSP meets this by providing the
    `Enable verbose vendor logging` option in developer settings to include
    additional device-specific vendor logs in the bug reports.

### 9.8.11\. Data blobs sharing

Android, through [BlobStoreManager](
https://developer.android.com/reference/android/app/blob/BlobStoreManager),
allows apps to contribute data blobs to the System to be shared with a selected
set of apps.

If device implementations support shared data blobs as described in the
[SDK documentation](https://developer.android.com/reference/android/app/blob/BlobStoreManager),
they:

  * [C-1-1] MUST NOT share data blobs belonging to apps beyond what they
    intended to allow (i.e. the scope of the default access mode, and of the
    other access modes that can be specified using
    [BlobStoreManager.session#allowPackageAccess()](
    https://developer.android.com/reference/android/app/blob/BlobStoreManager.Session#allowPackageAccess%28java.lang.String%2C%2520byte%5B%5D%29),
    [BlobStoreManager.session#allowSameSignatureAccess()](
    https://developer.android.com/reference/android/app/blob/BlobStoreManager.Session#allowSameSignatureAccess%28%29),
    or [BlobStoreManager.session#allowPublicAccess()](
    https://developer.android.com/reference/android/app/blob/BlobStoreManager.Session#allowPublicAccess%28%29),
    MUST NOT be modified). The AOSP reference implementation meets these
    requirements.
  * [C-1-2] MUST NOT send off device or share with other apps the secure hashes
    of data blobs (which are used to control access).
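The access modes C-1-1 enumerates, seen from the contributing app, as an added example that is not CDD or AOSP code: a blob is written through a session and then opened to exactly one partner package identified by name and signing certificate, with no `allowSameSignatureAccess()` or `allowPublicAccess()` call, so the platform's default (contributor-only access) plus that one grant is the entire scope. The certificate argument is compared against the partner's signing certificate digest (SHA-256). Label, tag, expiry and class names are illustrative choices.

```java
import android.app.blob.BlobHandle;
import android.app.blob.BlobStoreManager;
import android.content.Context;
import android.os.ParcelFileDescriptor;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example: contribute a blob that only one named partner package may read. */
public final class SharedBlob {
    private SharedBlob() {}

    public static BlobHandle publish(Context ctx, byte[] payload, String partnerPkg,
                                     byte[] partnerSigningCertSha256) throws IOException {
        BlobStoreManager bsm = ctx.getSystemService(BlobStoreManager.class);
        byte[] digest;
        try {
            digest = MessageDigest.getInstance("SHA-256").digest(payload);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
        long expiry = System.currentTimeMillis() + 7L * 24 * 60 * 60 * 1000;
        // The handle (content hash, label, expiry, tag) is what a reader needs to find the
        // blob. It is exactly the "secure hash" C-1-2 says must not be sent off device or
        // handed to apps other than the intended consumer.
        BlobHandle handle = BlobHandle.createWithSha256(digest, "model-v3", expiry, "model");
        long sessionId = bsm.createSession(handle);
        try (BlobStoreManager.Session s = bsm.openSession(sessionId)) {
            try (ParcelFileDescriptor pfd = s.openWrite(0, payload.length);
                 FileOutputStream out = new FileOutputStream(pfd.getFileDescriptor())) {
                out.write(payload);   // the system verifies the content hash on commit
            }
            // Exactly one grant. Nothing else is allowed: no same-signature, no public access.
            s.allowPackageAccess(partnerPkg, partnerSigningCertSha256);
            s.commit(ctx.getMainExecutor(), result -> { /* 0 on success */ });
        }
        return handle;
    }

    /** Reader side (runs in partnerPkg): the platform throws SecurityException for anyone else. */
    public static ParcelFileDescriptor open(Context ctx, BlobHandle handle) throws IOException {
        return ctx.getSystemService(BlobStoreManager.class).openBlob(handle);
    }
}
```

Two consequences follow from this shape. First, the handle has to reach the partner through a channel the contributor controls (for example a bound service between the two apps), never through a broadcast or an off-device log, otherwise C-1-2 is violated even though the platform would still refuse to serve the bytes. Second, the grant is keyed on the signing certificate, not just the package name, so a repackaged app with the partner's name cannot read the blob; that is the scope C-1-1 requires a device implementation to leave untouched.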