page.title=Android Security FAQ
parent.title=FAQs, Tips, and How-to
parent.link=index.html
@jd:body

<ul>
  <li><a href="#secure">Is Android secure?</a></li>
  <li><a href="#issue">I think I found a security flaw. How do I report
  it?</a></li>
  <li><a href="#informed">How can I stay informed about Android security?</a></li>
  <li><a href="#use">How do I securely use my Android phone?</a></li>
  <li><a href="#malware">I think I found malicious software being distributed
  for Android. How can I help?</a></li>
  <li><a href="#fixes">How do Android-powered devices receive security fixes?</a>
  </li>
  <li><a href="#directfix">Can I get a fix directly from the Android Platform
  Project?</a></li>
</ul>


<a name="secure" id="secure"></a><h2>Is Android secure?</h2>

<p>The security and privacy of our users' data is of primary importance to the
Android Open Source Project. We are dedicated to building and maintaining one
of the most secure mobile platforms available while still fulfilling our goal
of opening the mobile device space to innovation and competition.</p>

<p>A comprehensive overview of the <a
href="http://source.android.com/tech/security/index.html">Android
security model and Android security processes</a> is provided on the Android
Open Source Project website.</p>

<p>Application developers play an important part in the security of Android.
The Android Platform provides developers with a rich <a
href="http://code.google.com/android/devel/security.html">security model</a>
that allows them to request the capabilities, or access, needed by their
application and to define new capabilities that other applications can request.
The Android user can choose to grant or deny an application's request for
certain capabilities on the handset.</p>

<p>We have made great efforts to secure the Android platform, but it is
inevitable that security bugs will be found in any system of this complexity.
Therefore, the Android team works hard to find new bugs internally and responds
quickly and professionally to vulnerability reports from external researchers.
</p>


<a name="issue" id="issue"></a><h2>I think I found a security flaw. How do I
report it?</h2>

<p>You can reach the Android security team at <a
href="mailto:security@android.com">security@android.com</a>. If you like, you
can protect your message using our <a
href="http://code.google.com/android/security_at_android_dot_com.txt">PGP
key</a>.</p>

<p>We appreciate researchers practicing responsible disclosure by emailing us
with a detailed summary of the issue and keeping the issue confidential while
users are at risk. In return, we will make sure to keep the researcher informed
of our progress in issuing a fix and will properly credit the reporter(s) when
we provide the patch. We will always move swiftly to mitigate or fix an
externally-reported flaw and provide updates to users.</p>


<a name="informed" id="informed"></a><h2>How can I stay informed about Android security?</h2>

<p>For general discussion of Android platform security, or how to use
security features in your Android application, please subscribe to <a
href="http://groups.google.com/group/android-security-discuss">android-security-discuss</a>.
</p>


<a name="use" id="use"></a><h2>How do I securely use my Android phone?</h2>

<p>Android was designed so that you can safely use your phone without making
any changes to the device or installing any special software. Android applications
run in an Application Sandbox that limits access to sensitive information or data
with the user's permission.</p>

<p>To fully benefit from the security protections in Android, it is important that
users only download and install software from known sources.</p>

<p>As an open platform, Android allows users to visit any website and load
software from any developer onto a device.
As with a home PC, the user must be
aware of who is providing the software they are downloading and must decide
whether they want to grant the application the capabilities it requests.
This decision can be informed by the user's judgment of the software
developer's trustworthiness, and where the software came from.</p>


<a name="malware" id="malware"></a><h2>I think I found malicious software being
distributed for Android. How can I help?</h2>

<p>As on any other platform, it will be possible for unethical developers
to create malicious software, known as <a
href="http://en.wikipedia.org/wiki/Malware">malware</a>, for Android. If you
think somebody is trying to spread malware, please let us know at <a
href="mailto:security@android.com">security@android.com</a>. Please include as
much detail about the application as possible, with the location it is
being distributed from and why you suspect it of being malicious software.</p>

<p>The term <i>malicious software</i> is subjective, and we cannot make an
exhaustive definition.
Examples of what the Android Security Team believes
to be malicious software include any application that:</p>
<ul>
  <li>uses a bug or security vulnerability to gain permissions that have not
  been granted by the user;</li>
  <li>shows the user unsolicited messages (especially messages urging the
  user to buy something);</li>
  <li>resists (or attempts to resist) the user's effort to uninstall it;</li>
  <li>attempts to automatically spread itself to other devices;</li>
  <li>hides its files and/or processes;</li>
  <li>discloses the user's private information to a third party, without the
  user's knowledge and consent;</li>
  <li>destroys the user's data (or the device itself) without the user's
  knowledge and consent;</li>
  <li>impersonates the user (such as by sending email or buying things from a
  web store) without the user's knowledge and consent; or</li>
  <li>otherwise degrades the user's experience with the device.</li>
</ul>


<a name="fixes" id="fixes"></a><h2>How do Android-powered devices receive security
fixes?</h2>

<p>The manufacturer of each device is responsible for distributing software
upgrades for it, including security fixes. Many devices will update themselves
automatically with software downloaded "over the air", while some devices
require the user to upgrade them manually.</p>

<p>Google provides software updates for a number of Android devices, including
the <a href="http://www.google.com/nexus">Nexus</a>
series of devices, using an "over the air" (OTA) update. These updates may include
security fixes as well as new features.</p>

<a name="directfix" id="directfix"></a><h2>Can I get a fix directly from the
Android Platform Project?</h2>

<p>Android is a mobile platform that is released as open source and
available for free use by anybody.
This means that there are many
Android-based products available to consumers, and most of them are created
without the knowledge or participation of the Android Open Source Project. Like
the maintainers of other open source projects, we cannot build and release
patches for the entire ecosystem of products using Android. Instead, we will
work diligently to find and fix flaws as quickly as possible and to distribute
those fixes to the manufacturers of the products through the open source project.</p>

<p>If you are making an Android-powered device and would like to know how you can
properly support your customers by keeping abreast of software updates, please
contact us at <a
href="mailto:info@openhandsetalliance.com">info@openhandsetalliance.com</a>.</p>