Security Enhancements

Android is continually improving its security capabilities and offerings. See the lists of enhancements by release in the left navigation.

Android 14

Every Android release includes dozens of security enhancements to protect users. Here are some of the major security enhancements available in Android 14:

  • Hardware-assisted AddressSanitizer (HWASan), introduced in Android 10, is a memory error detection tool similar to AddressSanitizer. Android 14 brings significant improvements to HWASan. Learn how it helps prevent bugs from making it into Android releases: see HWAddressSanitizer.
  • In Android 14, starting with apps that share location data with third parties, the system runtime permission dialog now includes a clickable section that highlights the app's data-sharing practices, including information such as why the app decided to share data with third parties.
  • Android 12 introduced an option to disable 2G support at the modem level, which protects users from the inherent security risks of 2G's outdated security model. Recognizing how important disabling 2G is for enterprise customers, Android 14 enables this security feature in Android Enterprise, adding support for IT administrators to restrict a managed device's ability to downgrade to 2G connectivity.
  • Added support for rejecting null-ciphered cellular connections, ensuring that circuit-switched voice and SMS traffic is always encrypted and protected from passive over-the-air interception. Learn more about Android's program to harden cellular connectivity.
  • Added support for multiple IMEIs.
  • As of Android 14, AES-HCTR2 is the preferred mode of filename encryption for devices with accelerated cryptography instructions.
  • Cellular connectivity
  • Added documentation for Android Safety Center.
  • If your app targets Android 14 and uses dynamic code loading (DCL), all dynamically loaded files must be marked read-only. Otherwise, the system throws an exception. We recommend that apps avoid dynamically loading code whenever possible, as doing so greatly increases the risk that the app will be compromised by code injection or code tampering.

Check out our full AOSP release notes and the Android Developer features and changes list.

Android 13

Every Android release includes dozens of security enhancements to protect users. Here are some of the major security enhancements available in Android 13:

  • Android 13 adds support for multi-document presentation. This new presentation session interface enables an app to perform a multi-document presentation, something that isn't possible with the existing API. For more information, see Identity Credential.
  • In Android 13, an intent originating from an external app is delivered to an exported component if and only if the intent matches the component's declared intent-filter elements.
  • Open Mobile API (OMAPI) is a standard API used to communicate with a device's Secure Element. Before Android 13, only apps and framework modules had access to this interface. By converting it to a vendor-stable interface, HAL modules are also able to communicate with secure elements through the OMAPI service. For more information, see OMAPI Vendor Stable Interface.
  • Starting in Android 13-QPR, shared UIDs are deprecated. Users of Android 13 or higher should put the line `android:sharedUserMaxSdkVersion="32"` in their manifest. This entry prevents new users from getting a shared UID. For more information on UIDs, see Application signing.
  • Android 13 added support for Keystore symmetric cryptographic primitives such as AES (Advanced Encryption Standard) and HMAC (keyed-hash message authentication code), and for asymmetric cryptographic algorithms (including elliptic curve, RSA2048, RSA4096, and Curve 25519).
  • Android 13 (API level 33) and higher supports a runtime permission for sending non-exempt notifications from an app. This gives users control over the permission notifications they see.
  • Added a per-use prompt for apps requesting access to all device logs, giving users the ability to allow or deny access.
  • Introduced the Android Virtualization Framework (AVF), which brings together different hypervisors under one framework with standardized APIs. It provides secure and private execution environments for running workloads isolated by the hypervisor.
  • Introduced APK signature scheme v3.1. All new key rotations that use apksigner use the v3.1 signature scheme by default to target rotation for Android 13 and higher.

Check out our full AOSP release notes and the Android Developer features and changes list.

Android 12

Every Android release includes dozens of security enhancements to protect users. Here are some of the major security enhancements available in Android 12:

  • Android 12 introduces the BiometricManager.Strings API, which provides localized strings for apps that use BiometricPrompt for authentication. These strings are intended to be device-aware and provide more specificity about which authentication type(s) may be used. Android 12 also includes support for under-display fingerprint sensors.
  • Added support for under-display fingerprint sensors
  • Introduced the Fingerprint Android Interface Definition Language (AIDL)
  • Support for the new Face AIDL
  • Introduced Rust as a language for platform development
  • Added the option for users to grant access only to their approximate location
  • Added privacy indicators on the status bar when an app is using the camera or microphone
  • Android's Private Compute Core (PCC)
  • Added an option to disable 2G support

Android 11

Every Android release includes dozens of security enhancements to protect users. For a list of some of the major security enhancements available in Android 11, see the Android Release Notes.

Android 10

Every Android release includes dozens of security enhancements to protect users. Android 10 includes several security and privacy enhancements. See the Android 10 release notes for a complete list of changes in Android 10.

Security

BoundsSanitizer

Android 10 deploys BoundsSanitizer (BoundSan) in Bluetooth and codecs. BoundSan uses UBSan's bounds sanitizer. This mitigation is enabled on a per-module level. It helps keep critical components of Android secure and shouldn't be disabled. BoundSan is enabled in the following codecs:

  • libFLAC
  • libavcdec
  • libavcenc
  • libhevcdec
  • libmpeg2
  • libopus
  • libvpx
  • libspeexresampler
  • libvorbisidec
  • libaac
  • libxaac

Execute-only memory

By default, executable code sections for AArch64 system binaries are marked execute-only (nonreadable) as a hardening mitigation against just-in-time code reuse attacks. Code that mixes data and code together and code that purposefully inspects these sections (without first remapping the memory segments as readable) no longer functions. Apps with a target SDK of Android 10 (API level 29 or higher) are impacted if the app attempts to read code sections of execute-only memory (XOM) enabled system libraries in memory without first marking the section as readable.

Extended access

Trust agents, the underlying mechanism used by tertiary authentication mechanisms such as Smart Lock, can only extend unlock in Android 10. Trust agents can no longer unlock a locked device and can only keep a device unlocked for a maximum of four hours.

Face authentication

Face authentication allows users to unlock their device simply by looking at the front of their device. Android 10 adds support for a new face authentication stack that can securely process camera frames, preserving security and privacy during face authentication on supported hardware. Android 10 also provides an easy way for security-compliant implementations to enable app integration for transactions such as online banking or other services.

Integer Overflow Sanitization

Android 10 enables Integer Overflow Sanitization (IntSan) in software codecs. Ensure that playback performance is acceptable for any codecs that aren't supported in the device's hardware. IntSan is enabled in the following codecs:

  • libFLAC
  • libavcdec
  • libavcenc
  • libhevcdec
  • libmpeg2
  • libopus
  • libvpx
  • libspeexresampler
  • libvorbisidec

Modular system components

Android 10 modularizes some Android system components and enables them to be updated outside of the normal Android release cycle. Some modules include:

OEMCrypto

Android 10 uses OEMCrypto API version 15.

Scudo

Scudo is a dynamic user-mode memory allocator designed to be more resilient against heap-related vulnerabilities. It provides the standard C allocation and deallocation primitives, as well as the C++ primitives.

ShadowCallStack

ShadowCallStack (SCS) is an LLVM instrumentation mode that protects against return address overwrites (like stack buffer overflows) by saving a function's return address to a separately allocated ShadowCallStack instance in the function prolog of nonleaf functions and loading the return address from the ShadowCallStack instance in the function epilog.

WPA3 and Wi-Fi Enhanced Open

Android 10 adds support for the Wi-Fi Protected Access 3 (WPA3) and Wi-Fi Enhanced Open security standards to provide better privacy and robustness against known attacks.

Privacy

App access when targeting Android 9 or lower

If your app runs on Android 10 or higher but targets Android 9 (API level 28) or lower, the platform applies the following behavior:

  • If your app declares a <uses-permission> element for either ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION, the system automatically adds a <uses-permission> element for ACCESS_BACKGROUND_LOCATION during installation.
  • If your app requests either ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION, the system automatically adds ACCESS_BACKGROUND_LOCATION to the request.

Background activity restrictions

Starting in Android 10, the system places restrictions on starting activities from the background. This behavior change helps minimize interruptions for the user and keeps the user more in control of what's shown on their screen. As long as your app starts activities as a direct result of user interaction, your app most likely isn't affected by these restrictions.
To learn more about the recommended alternative to starting activities from the background, see the guide on how to alert users of time-sensitive events in your app.

Camera metadata

Android 10 changes the breadth of information that the getCameraCharacteristics() method returns by default. In particular, your app must have the CAMERA permission in order to access potentially device-specific metadata that is included in this method's return value.
To learn more about these changes, see the section about camera fields that require permission.

Clipboard data

Unless your app is the default input method editor (IME) or is the app that currently has focus, your app cannot access clipboard data on Android 10 or higher.

Device location

To support the additional control that users have over an app's access to location information, Android 10 introduces the ACCESS_BACKGROUND_LOCATION permission.
Unlike the ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION permissions, the ACCESS_BACKGROUND_LOCATION permission only affects an app's access to location when it runs in the background. An app is considered to be accessing location in the background unless one of the following conditions is satisfied:

  • An activity belonging to the app is visible.
  • The app is running a foreground service that has declared a foreground service type of location.
    To declare the foreground service type for a service in your app, set your app's targetSdkVersion or compileSdkVersion to 29 or higher. Learn more about how foreground services can continue user-initiated actions that require access to location.

External storage

By default, apps targeting Android 10 and higher are given scoped access into external storage, or scoped storage. Such apps can see the following types of files within an external storage device without needing to request any storage-related user permissions:

To learn more about scoped storage, as well as how to share, access, and modify files that are saved on external storage devices, see the guides on how to manage files in external storage and access and modify media files.

MAC address randomization

On devices that run Android 10 or higher, the system transmits randomized MAC addresses by default.
If your app handles an enterprise use case, the platform provides APIs for several operations related to MAC addresses:

  • Obtain randomized MAC address: Device owner apps and profile owner apps can retrieve the randomized MAC address assigned to a specific network by calling getRandomizedMacAddress().
  • Obtain actual, factory MAC address: Device owner apps can retrieve a device's actual hardware MAC address by calling getWifiMacAddress(). This method is useful for tracking fleets of devices.

Non-resettable device identifiers

Starting in Android 10, apps must have the READ_PRIVILEGED_PHONE_STATE privileged permission in order to access the device's non-resettable identifiers, which include both IMEI and serial number.

If your app doesn't have the permission and you try asking for information about non-resettable identifiers anyway, the platform's response varies based on target SDK version:

  • If your app targets Android 10 or higher, a SecurityException occurs.
  • If your app targets Android 9 (API level 28) or lower, the method returns null or placeholder data if the app has the READ_PHONE_STATE permission. Otherwise, a SecurityException occurs.

Physical activity recognition

Android 10 introduces the android.permission.ACTIVITY_RECOGNITION runtime permission for apps that need to detect the user's step count or classify the user's physical activity, such as walking, biking, or moving in a vehicle. This is designed to give users visibility of how device sensor data is used in Settings.
Some libraries within Google Play services, such as the Activity Recognition API and the Google Fit API, don't provide results unless the user has granted your app this permission.
The only built-in sensors on the device that require you to declare this permission are the step counter and step detector sensors.
If your app targets Android 9 (API level 28) or lower, the system auto-grants the android.permission.ACTIVITY_RECOGNITION permission to your app, as needed, if your app satisfies each of the following conditions:

  • The manifest file includes the com.google.android.gms.permission.ACTIVITY_RECOGNITION permission.
  • The manifest file doesn't include the android.permission.ACTIVITY_RECOGNITION permission.

If the system auto-grants the android.permission.ACTIVITY_RECOGNITION permission, your app retains the permission after you update your app to target Android 10. However, the user can revoke this permission at any time in system settings.

/proc/net filesystem restrictions

On devices that run Android 10 or higher, apps cannot access /proc/net, which includes information about a device's network state. Apps that need access to this information, such as VPNs, should use the NetworkStatsManager or ConnectivityManager class.

Permission groups removed from UI

As of Android 10, apps cannot look up how permissions are grouped in the UI.

Removal of contacts affinity

Starting in Android 10, the platform doesn't keep track of contacts affinity information. As a result, if your app conducts a search on the user's contacts, the results aren't ordered by frequency of interaction.
The guide about ContactsProvider contains a notice describing the specific fields and methods that are obsolete on all devices starting in Android 10.

Restricted access to screen contents

To protect users' screen contents, Android 10 prevents silent access to the device's screen contents by changing the scope of the READ_FRAME_BUFFER, CAPTURE_VIDEO_OUTPUT, and CAPTURE_SECURE_VIDEO_OUTPUT permissions. As of Android 10, these permissions are signature-access only.
Apps that need to access the device's screen contents should use the MediaProjection API, which displays a prompt asking the user to provide consent.

USB device serial number

If your app targets Android 10 or higher, your app cannot read the serial number until the user has granted your app permission to access the USB device or accessory.
To learn more about working with USB devices, see the guide on how to configure USB hosts.

Wi-Fi

Apps targeting Android 10 or higher cannot enable or disable Wi-Fi. The WifiManager.setWifiEnabled() method always returns false.
If you need to prompt users to enable and disable Wi-Fi, use a settings panel.

Restrictions on direct access to configured Wi-Fi networks

To protect user privacy, manual configuration of the list of Wi-Fi networks is restricted to system apps and device policy controllers (DPCs). A given DPC can be either the device owner or the profile owner.
If your app targets Android 10 or higher, and it isn't a system app or a DPC, then the following methods don't return useful data:

Android 9

Every Android release includes dozens of security enhancements to protect users. For a list of some of the major security enhancements available in Android 9, see the Android Release Notes.

Android 8

Every Android release includes dozens of security enhancements to protect users. Here are some of the major security enhancements available in Android 8.0:

  • Encryption. Added support for evicting keys in the work profile.
  • Verified Boot. Added Android Verified Boot (AVB). A Verified Boot codebase supporting rollback protection, for use in bootloaders, was added to AOSP. Bootloader support for rollback protection of the HLOS is recommended. It is recommended that bootloaders can only be unlocked by a user physically interacting with the device.
  • Lock screen. Added support for using tamper-resistant hardware to verify lock screen credentials.
  • KeyStore. Key attestation is required for all devices that ship with Android 8.0+. Added ID attestation support to improve zero-touch enrollment.
  • Sandboxing. Many components are more tightly sandboxed using Project Treble's standard interface between the framework and device-specific components. Applied seccomp filtering to all untrusted apps to reduce the kernel's attack surface. WebView now runs in an isolated process with very limited access to the rest of the system.
  • Kernel hardening. Implemented hardened usercopy, PAN emulation, read-only after init, and KASLR.
  • Userspace hardening. Implemented CFI for the media stack. App overlays can no longer cover system-critical windows, and users have a way to dismiss them.
  • Streaming OS update. Enabled updates on devices that are low on disk space.
  • Install unknown apps. Users must grant permission to install apps from a source that isn't a first-party app store.
  • Privacy. Android ID (SSAID) has a different value for each app and each user on the device. For web browser apps, the Widevine Client ID returns a different value for each app package name and web origin. net.hostname is now empty and the DHCP client no longer sends a hostname. android.os.Build.SERIAL has been replaced with the Build.SERIAL API, which is protected by a user-controlled permission. Improved MAC address randomization in some chipsets.

Android 7

Every Android release includes dozens of security enhancements to protect users. Here are some of the major security enhancements available in Android 7.0:

  • File-based encryption. Encrypting at the file level, instead of encrypting the entire storage area as a single unit, better isolates and protects individual users and profiles (such as personal and work) on a device.
  • Direct Boot. Enabled by file-based encryption, Direct Boot allows certain apps, such as alarm clocks and accessibility features, to run when the device is powered on but not unlocked.
  • Verified Boot. Verified Boot is now strictly enforced to prevent compromised devices from booting; it supports error correction to improve reliability against non-malicious data corruption.
  • SELinux. An updated SELinux configuration and increased seccomp coverage further lock down the application sandbox and reduce the attack surface.
  • Library load-order randomization and improved ASLR. Increased randomness makes some code-reuse attacks less reliable.
  • Kernel hardening. Added additional memory protection for newer kernels by marking portions of kernel memory as read-only, restricting kernel access to userspace addresses, and further reducing the existing attack surface.
  • APK signature scheme v2. Introduced a whole-file signature scheme that improves verification speed and strengthens integrity guarantees.
  • Trusted CA store. To make it easier for apps to control access to their secure network traffic, user-installed certificate authorities and those installed through Device Admin APIs are no longer trusted by default for apps targeting API level 24+. Additionally, all new Android devices must ship with the same trusted CA store.
  • Network Security Config. Configure network security and TLS through a declarative configuration file.

Android 6

Every Android release includes dozens of security enhancements to protect users. Here are some of the major security enhancements available in Android 6.0:

  • Runtime permissions. Apps request permissions at runtime instead of being granted them at install time. Users can toggle permissions on and off for both M and pre-M apps.
  • Verified Boot. A set of cryptographic checks of the system software is conducted prior to execution to ensure the phone is healthy from the bootloader all the way up to the operating system.
  • Hardware-isolated security. A new Hardware Abstraction Layer (HAL) is used by the Fingerprint API, lock screen, device encryption, and client certificates to protect keys against kernel compromise and/or local physical attacks.
  • Fingerprints. Devices can now be unlocked with just a touch. Developers can also take advantage of new APIs to use fingerprints to lock and unlock encryption keys.
  • SD card adoption. Removable media can be adopted by a device to expand the available storage for app-local data, photos, videos, and so on, while still being protected by block-level encryption.
  • Cleartext traffic. Developers can use a new StrictMode to make sure their app doesn't use cleartext.
  • System hardening. Hardening of the system via policies enforced by SELinux. This offers better user isolation, IOCTL filtering, a reduced threat from exposed services, further tightening of SELinux domains, and extremely limited /proc access.
  • USB access control: Users must confirm to allow USB access to files, storage, or other functionality on the phone. The default is now charge-only, with access to storage requiring explicit approval from the user.

Android 5

5.0

Every Android release includes dozens of security enhancements to protect users. Here are some of the major security enhancements available in Android 5.0:

  • Encrypted by default. On devices that ship with L out of the box, full-disk encryption is enabled by default to improve protection of data on lost or stolen devices. Devices that update to L can be encrypted in Settings > Security.
  • Improved full-disk encryption. The user password is protected against brute-force attacks using scrypt and, where available, the key is bound to the hardware keystore to prevent off-device attacks. As always, the Android screen lock secret and the device encryption key are not sent off the device or exposed to any application.
  • Android sandbox reinforced with SELinux. Android now requires SELinux in enforcing mode for all domains. SELinux is a mandatory access control (MAC) system in the Linux kernel used to augment the existing discretionary access control (DAC) based security model. This new layer provides additional protection against potential security vulnerabilities.
  • Smart Lock. Android now includes trustlets that provide more flexibility for unlocking devices. For example, trustlets can allow a device to be unlocked automatically when it is close to another trusted device (via NFC or Bluetooth) or is being used by someone with a trusted face.
  • Multi-user, restricted profile, and guest modes for phones and tablets. Android now provides for multiple users on phones and includes a guest mode that can be used to provide easy temporary access to your device without granting access to your data and apps.
  • Updates to WebView without OTA. WebView can now be updated independently of the framework and without a system OTA. This allows faster response to potential security issues in WebView.
  • Updated cryptography for HTTPS and TLS/SSL. TLSv1.2 and TLSv1.1 are now enabled, forward secrecy is now preferred, AES-GCM is now enabled, and weak cipher suites (MD5, 3DES, and export cipher suites) are now disabled. See https://developer.android.com/reference/javax/net/ssl/SSLSocket.html for more details.
  • Non-PIE linker support removed. Android now requires all dynamically linked executables to support PIE (position-independent executables). This enhances Android's address space layout randomization (ASLR) implementation.
  • FORTIFY_SOURCE improvements. The following libc functions now implement FORTIFY_SOURCE protections: stpcpy(), stpncpy(), read(), recvfrom(), FD_CLR(), FD_SET(), and FD_ISSET(). This provides protection against memory-corruption vulnerabilities involving these functions.
  • Security fixes. Android 5.0 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members, and fixes are available in the Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.

Android 4 and lower

Every Android release includes dozens of security enhancements to protect users. The following are some of the security enhancements available in Android 4.4:

  • Android sandbox reinforced with SELinux. Android now uses SELinux in enforcing mode. SELinux is a mandatory access control (MAC) system in the Linux kernel used to augment the existing discretionary access control (DAC) based security model. This provides additional protection against potential security vulnerabilities.
  • Per User VPN. On multi-user devices, VPNs are now applied per user. This can allow a user to route all network traffic through a VPN without affecting other users on the device.
  • ECDSA Provider support in AndroidKeyStore. Android now has a keystore provider that allows use of ECDSA and DSA algorithms.
  • Device Monitoring Warnings. Android provides users with a warning if any certificate has been added to the device certificate store that could allow monitoring of encrypted network traffic.
  • FORTIFY_SOURCE. Android now supports FORTIFY_SOURCE level 2, and all code is compiled with these protections. FORTIFY_SOURCE has been enhanced to work with clang.
  • Certificate Pinning. Android 4.4 detects and prevents the use of fraudulent Google certificates used in secure SSL/TLS communications.
  • Security Fixes. Android 4.4 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members and fixes are available in Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.

Every Android release includes dozens of security enhancements to protect users. The following are some of the security enhancements available in Android 4.3:

  • Android sandbox reinforced with SELinux. This release strengthens the Android sandbox using the SELinux mandatory access control system (MAC) in the Linux kernel. SELinux reinforcement is invisible to users and developers, and adds robustness to the existing Android security model while maintaining compatibility with existing applications. To ensure continued compatibility this release allows the use of SELinux in a permissive mode. This mode logs any policy violations, but will not break applications or affect system behavior.
  • No setuid/setgid programs. Added support for filesystem capabilities to Android system files and removed all setuid/setgid programs. This reduces root attack surface and the likelihood of potential security vulnerabilities.
  • ADB Authentication. Since Android 4.2.2, connections to ADB are authenticated with an RSA keypair. This prevents unauthorized use of ADB where the attacker has physical access to a device.
  • Restrict Setuid from Android Apps. The /system partition is now mounted nosuid for zygote-spawned processes, preventing Android applications from executing setuid programs. This reduces root attack surface and the likelihood of potential security vulnerabilities.
  • Capability bounding. Android zygote and ADB now use prctl(PR_CAPBSET_DROP) to drop unnecessary capabilities prior to executing applications. This prevents Android applications and applications launched from the shell from acquiring privileged capabilities.
  • AndroidKeyStore Provider. Android now has a keystore provider that allows applications to create exclusive use keys. This provides applications with an API to create or store private keys that cannot be used by other applications.
  • KeyChain isBoundKeyAlgorithm. Keychain API now provides a method (isBoundKeyType) that allows applications to confirm that system-wide keys are bound to a hardware root of trust for the device. This provides a place to create or store private keys that cannot be exported off the device, even in the event of a root compromise.
  • NO_NEW_PRIVS. Android zygote now uses prctl(PR_SET_NO_NEW_PRIVS) to block the addition of new privileges prior to executing application code. This prevents Android applications from performing operations which can elevate privileges via execve. (This requires Linux kernel version 3.5 or greater.)
  • FORTIFY_SOURCE enhancements. Enabled FORTIFY_SOURCE on Android x86 and MIPS and fortified strchr(), strrchr(), strlen(), and umask() calls. This can detect potential memory corruption vulnerabilities or unterminated string constants.
  • Relocation protections. Enabled read only relocations (relro) for statically linked executables and removed all text relocations in Android code. This provides defense in depth against potential memory corruption vulnerabilities.
  • Improved EntropyMixer. EntropyMixer now writes entropy at shutdown / reboot, in addition to periodic mixing. This allows retention of all entropy generated while devices are powered on, and is especially useful for devices that are rebooted immediately after provisioning.
  • Security Fixes. Android 4.3 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members and fixes are available in Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.
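The two prctl() calls named in the capability-bounding and NO_NEW_PRIVS items above, in a small stand-alone C program. This is an added example written for this page, not zygote or AOSP code; it assumes a Linux host, and bounding_set_has, drop_bounding_set and set_no_new_privs are hypothetical names.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Hypothetical helper: 1 if `cap` is in the calling thread's capability
 * bounding set, 0 if it is not, -1 if this kernel does not know the cap. */
int bounding_set_has(int cap) {
    return prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
}

/* Drop every capability from the bounding set except those whose bit is set
 * in `keep` (bit n = capability number n; numbers 64 and above are never
 * kept). The bounding set limits what execve() can ever hand a child, so a
 * process started afterwards cannot acquire the dropped capabilities even
 * from a setuid or file-capability binary. Returns the number of caps
 * dropped, or -1 if the kernel refused with EPERM (the caller lacks
 * CAP_SETPCAP, the normal case for an unprivileged process). */
int drop_bounding_set(unsigned long long keep) {
    int dropped = 0;
    for (int cap = 0; cap < 256; cap++) {
        int present = bounding_set_has(cap);
        if (present < 0) break;          /* past the last cap this kernel has */
        if (!present) continue;
        if (cap < 64 && (keep & (1ULL << cap))) continue;
        if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0, 0, 0) != 0) {
            if (errno == EPERM) return -1;
            continue;
        }
        dropped++;
    }
    return dropped;
}

/* Set no_new_privs, as the zygote does before running app code: from now on
 * execve() ignores setuid/setgid bits and file capabilities, so no exec path
 * can elevate privileges. The flag is inherited by children and is one-way.
 * Returns 1 when the flag is confirmed set, -1 on failure. */
int set_no_new_privs(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1UL, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

int main(void) {
    /* Allowlist just CAP_SETPCAP (number 8) to show the keep mask; all else goes. */
    int dropped = drop_bounding_set(1ULL << 8);
    if (dropped < 0)
        printf("bounding-set drop refused (EPERM): not privileged, as an app would be\n");
    else
        printf("dropped %d capabilities from the bounding set\n", dropped);
    printf("no_new_privs set: %s\n", set_no_new_privs() == 1 ? "yes" : "no");
    printf("CAP_CHOWN (0) still in bounding set: %d\n", bounding_set_has(0));
    return 0;
}
```

Run it once as an unprivileged user and once with CAP_SETPCAP to see both outcomes of the drop; no_new_privs succeeds either way.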

Android provides a multi-layered security model described in the Android Security Overview. Each update to Android includes dozens of security enhancements to protect users. The following are some of the security enhancements introduced in Android 4.2:

  • Application verification - Users can choose to enable "Verify Apps" and have applications screened by an application verifier prior to installation. App verification can alert the user if they try to install an app that might be harmful; if an application is especially bad, it can block the installation.
  • More control of premium SMS - Android provides a notification if an application attempts to send SMS to a short code that uses premium services, which might cause additional charges. The user can choose whether to allow the application to send the message or block it.
  • Always-on VPN - A VPN can be configured so that applications have no access to the network until a VPN connection is established. This prevents applications from sending data across other networks.
  • Certificate pinning - The Android core libraries now support certificate pinning. Pinned domains receive a certificate validation failure if the certificate does not chain to a set of expected certificates. This protects against possible compromise of certificate authorities.
  • Improved display of Android permissions - Permissions have been organized into groups that are more easily understood by users. While reviewing the permissions, the user can tap a permission to see more detailed information about it.
  • installd hardening - The installd daemon does not run as the root user, reducing the potential attack surface for root privilege escalation.
  • init script hardening - init scripts now apply O_NOFOLLOW semantics to prevent symlink-related attacks.
  • FORTIFY_SOURCE - Android now implements FORTIFY_SOURCE. It is used by system libraries and applications to prevent memory corruption.
  • ContentProvider default configuration - Applications that target API level 17 have "export" set to "false" by default for each Content Provider, reducing the default attack surface for applications.
  • Cryptography - Modified the default implementations of SecureRandom and Cipher.RSA to use OpenSSL. Added SSL socket support for TLSv1.1 and TLSv1.2 using OpenSSL 1.0.1.
  • Security fixes - Upgraded open source libraries with security fixes include WebKit, libpng, OpenSSL, and LibXML. Android 4.2 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members, and fixes are available in the Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.
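What the O_NOFOLLOW semantics in the init-script item above buy, shown on a constructed symlink in a temporary directory. This is an added example written for this page, not Android init code; it assumes a Linux host with a writable /tmp, and open_nofollow and probe_symlink_open are hypothetical names.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Outcome of opening a planted symlink both ways. */
struct symlink_probe {
    int nofollow_errno;   /* errno from the O_NOFOLLOW open; ELOOP = link refused */
    int plain_followed;   /* 1 if a plain open() silently went through the link */
};

/* Hypothetical helper: open `path` the way a privileged script should open a
 * path it does not fully control. With O_NOFOLLOW the kernel refuses a
 * symlink at the final component instead of following it to wherever it
 * points (for example a file the script would otherwise chmod or overwrite). */
int open_nofollow(const char *path, int flags) {
    return open(path, flags | O_NOFOLLOW | O_CLOEXEC);
}

/* Constructed scenario: <tmpdir>/target is a regular file and <tmpdir>/link
 * is a symlink to it, standing in for a link dropped where a script expects
 * a real file. Opens the link both ways, cleans up, and reports the result. */
struct symlink_probe probe_symlink_open(void) {
    struct symlink_probe res = { -1, 0 };
    char dir[] = "/tmp/nofollow_demoXXXXXX";   /* mkdtemp fills in the Xs */
    char target[64], link[64];
    if (mkdtemp(dir) == NULL) return res;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);

    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) close(fd);
    if (fd < 0 || symlink("target", link) != 0) {
        unlink(target);
        rmdir(dir);
        return res;
    }

    fd = open_nofollow(link, O_RDONLY);          /* hardened open: expect ELOOP */
    res.nofollow_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);

    fd = open(link, O_RDONLY);                   /* naive open: follows the link */
    res.plain_followed = (fd >= 0) ? 1 : 0;
    if (fd >= 0) close(fd);

    unlink(link);
    unlink(target);
    rmdir(dir);
    return res;
}

int main(void) {
    struct symlink_probe p = probe_symlink_open();
    printf("O_NOFOLLOW open of symlink: %s\n",
           p.nofollow_errno == ELOOP ? "refused with ELOOP" : "not refused");
    printf("plain open of symlink: %s\n",
           p.plain_followed ? "followed the link" : "failed");
    return 0;
}
```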

Android provides a multi-layered security model described in the Android Security Overview. Each update to Android includes dozens of security enhancements to protect users. The following are some of the security enhancements introduced in Android versions 1.5 through 4.1:

Android 1.5
  • ProPolice to prevent stack buffer overruns (-fstack-protector)
  • safe_iop to reduce integer overflows
  • Extensions to OpenBSD dlmalloc to prevent double free() vulnerabilities and to prevent chunk consolidation attacks. Chunk consolidation attacks are a common way to exploit heap corruption.
  • OpenBSD calloc to prevent integer overflows during memory allocation
Android 2.3
  • Format string vulnerability protections (-Wformat-security -Werror=format-security)
  • Hardware-based No eXecute (NX) to prevent code execution on the stack and heap
  • Linux mmap_min_addr to mitigate null pointer dereference privilege escalation (further enhanced in Android 4.1)
Android 4.0
  • Address Space Layout Randomization (ASLR) to randomize key locations in memory
Android 4.1
  • PIE (Position Independent Executable) support
  • Read-only relocations / immediate binding (-Wl,-z,relro -Wl,-z,now)
  • dmesg_restrict enabled (avoids leaking kernel addresses)
  • kptr_restrict enabled (avoids leaking kernel addresses)