• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1page.title=Android Security FAQ
2parent.title=FAQs, Tips, and How-to
3parent.link=index.html
4@jd:body
5
6<ul>
7    <li><a href="#secure">Is Android Secure?</a></li>
8    <li><a href="#issue">I think I found a security flaw. How do I report
9    it?</a></li>
10    <li><a href="#informed">How can I stay informed of Android security
11    announcements?</a></li>
12    <li><a href="#use">How do I securely use my Android phone?</a></li>
13    <li><a href="#malware">I think I found malicious software being distributed
14    for Android. How can I help?</a></li>
15    <li><a href="#fixes">How will Android-powered devices receive security fixes?</a>
16    </li>
17    <li><a href="#directfix">Can I get a fix directly from the Android Platform
18    Project?</a></li>
19</ul>
20
21
22<a name="secure" id="secure"></a><h2>Is Android secure?</h2>
23
24<p>The security and privacy of our users' data is of primary importance to the
25Android Open Source Project. We are dedicated to building and maintaining one
26of the most secure mobile platforms available while still fulfilling our goal
27of opening the mobile device space to innovation and competition.</p>
28
29<p>The Android Platform provides a rich <a
30href="http://code.google.com/android/devel/security.html">security model</a>
31that allows developers to request the capabilities, or access, needed by their
32application and to define new capabilities that other applications can request.
33The Android user can choose to grant or deny an application's request for
34certain capabilities on the handset.</p>
35
36<p>We have made great efforts to secure the Android platform, but it is
37inevitable that security bugs will be found in any system of this complexity.
38Therefore, the Android team works hard to find new bugs internally and responds
39quickly and professionally to vulnerability reports from external researchers.
40</p>
41
42
43<a name="issue" id="issue"></a><h2>I think I found a security flaw. How do I
44report it?</h2>
45
46<p>You can reach the Android security team at <a
47href="mailto:security@android.com">security@android.com</a>. If you like, you
48can protect your message using our <a
49href="http://code.google.com/android/security_at_android_dot_com.txt">PGP
50key</a>.</p>
51
52<p>We appreciate researchers practicing responsible disclosure by emailing us
53with a detailed summary of the issue and keeping the issue confidential while
54users are at risk. In return, we will make sure to keep the researcher informed
55of our progress in issuing a fix and will properly credit the reporter(s) when
56we announce the patch. We will always move swiftly to mitigate or fix an
57externally-reported flaw and will publicly announce the fix once patches are
58available to users.</p>
59
60
61<a name="informed" id="informed"></a><h2>How can I stay informed of Android
62security announcements?</h2>
63
64<p>An important part of sustainably securing a platform, such as, Android is
65keeping the user and security community informed of bugs and fixes. We will
66publicly announce security bugs when the fixes are available via postings to
67the <a
68href="http://groups.google.com/group/android-security-announce">android-security-announce</a>
69group on Google Groups. You can subscribe to this group as you would a mailing
70list and view the archives here.</p>
71
72<p>For more general discussion of Android platform security, or how to use
73security features in your Android application, please subscribe to <a
74href="http://groups.google.com/group/android-security-discuss">android-security-discuss</a>.
75</p>
76
77
78<a name="use" id="use"></a><h2>How do I securely use my Android phone?</h2>
79
80<p>As an open platform, Android allows users to load software from any
81developer onto a device.  As with a home PC, the user must be
82aware of who is providing the software they are downloading and must decide
83whether they want to grant the application the capabilities it requests.
84This decision can be informed by the user's judgment of the software
85developer's trustworthiness, and where the software came from.</p>
86
87<p>Despite the security protections in Android, it is important
88for users to only download and install software from developers they trust.
89More details on how Android users can make smart security decisions will be
90released when consumer devices become available.</p>
91
92
93<a name="malware" id="malware"></a><h2>I think I found malicious software being
94distributed for Android. How can I help?</h2>
95
96<p>Like any other open platform, it will be possible for unethical developers
97to create malicious software, known as <a
98href="http://en.wikipedia.org/wiki/Malware">malware</a>, for Android. If you
99think somebody is trying to spread malware, please let us know at <a
100href="mailto:security@android.com">security@android.com</a>. Please include as
101much detail about the application as possible, with the location it is
102being distributed from and why you suspect it of being malicious software.</p>
103
104<p>The term <i>malicious software</i> is subjective, and we cannot make an
105exhaustive definition.  Some examples of what the Android Security Team believes
106to be malicious software is any application that:
107<ul>
108    <li>drains the device's battery very quickly;</li>
109    <li>shows the user unsolicited messages (especially messages urging the
110    user to buy something);</li>
111    <li>resists (or attempts to resist) the user's effort to uninstall it;</li>
112    <li>attempts to automatically spread itself to other devices;</li>
113    <li>hides its files and/or processes;</li>
114    <li>discloses the user's private information to a third party, without the
115    user's knowledge and consent;</li>
116    <li>destroys the user's data (or the device itself) without the user's
117    knowledge and consent;</li>
118    <li>impersonates the user (such as by sending email or buying things from a
119    web store) without the user's knowledge and consent; or</li>
120    <li>otherwise degrades the user's experience with the device.</li>
121</ul>
122</p>
123
124
125<a name="fixes" id="fixes"></a><h2>How will Android-powered devices receive security
126fixes?</h2>
127
128<p>The manufacturer of each device is responsible for distributing software
129upgrades for it, including security fixes. Many devices will update themselves
130automatically with software downloaded "over the air", while some devices
131require the user to upgrade them manually.</p>
132
133<p>When Android-powered devices are publicly available, this FAQ will provide links how
134Open Handset Alliance members release updates.</p>
135
136<a name="directfix" id="directfix"></a><h2>Can I get a fix directly from the
137Android Platform Project?</h2>
138
139<p>Android is a mobile platform that will be released as open source and
140available for free use by anybody. This means that there will be many
141Android-based products available to consumers, and most of them will be created
142without the knowledge or participation of the Android Open Source Project. Like
143the maintainers of other open source projects, we cannot build and release
144patches for the entire ecosystem of products using Android. Instead, we will
145work diligently to find and fix flaws as quickly as possible and to distribute
146those fixes to the manufacturers of the products.</p>
147
148<p>In addition, We will add security fixes to the open source distribution of
149Android and publicly announce the changes on <a
150href="http://groups.google.com/group/android-security-announce">android-security-announce</a>.
151</p>
152
153<p>If you are making an Android-powered device and would like to know how you can
154properly support your customers by keeping abreast of software updates, please
155contact us at <a
156href="mailto:info@openhandsetalliance.com">info@openhandsetalliance.com</a>.</p>
157