Security enhancements

Android continually improves its security capabilities and offerings. See the lists of enhancements by release that follow.

Android 14

Every Android release includes dozens of security enhancements to protect users. Here are some of the major security enhancements available in Android 14:

  • Hardware-assisted AddressSanitizer (HWASan), introduced in Android 10, is a memory error detection tool similar to AddressSanitizer. Android 14 brings significant improvements to HWASan. See HWAddressSanitizer to learn how it helps prevent bugs from making it into Android releases.
  • In Android 14, starting with apps that share location data with third parties, the system runtime permission dialog includes a clickable section that highlights the app's data-sharing practices, including why an app may decide to share data with third parties.
  • Android 12 introduced an option to disable 2G support at the modem level, which protects users from the inherent security risk of 2G's obsolete security model (the network is never authenticated to the phone, and weak or null ciphers are permitted). Recognizing how critical disabling 2G can be for enterprise customers, Android 14 enables this security feature in Android Enterprise, introducing support for IT admins to restrict the ability of a managed device to downgrade to 2G connectivity.
  • Added support to reject null-ciphered cellular connections, ensuring that circuit-switched voice and SMS traffic is always encrypted and protected from passive over-the-air interception. See Android's program to harden cellular connectivity.
  • Added support for multiple IMEIs.
  • Since Android 14, AES-HCTR2 is the preferred mode of filename encryption on devices with accelerated cryptography instructions.
  • Documentation added for cellular connectivity hardening.
  • Documentation added for Android Safety Center.
  • If your app targets Android 14 and uses Dynamic Code Loading (DCL), all dynamically loaded files must be marked read-only; otherwise the system throws an exception. Avoid dynamically loading code whenever possible, as it greatly increases the risk that an app can be compromised by code injection or code tampering.

Check out our full AOSP release notes and the Android Developer features and changes list.

Android 13

Every Android release includes dozens of security enhancements to protect users. Here are some of the major security enhancements available in Android 13:

  • Android 13 adds multi-document presentation support. The new Presentation Session interface enables an application to do a multi-document presentation, which isn't possible with the existing API. For further information, refer to Identity Credential.
  • In Android 13, intents originating from external apps are delivered to an exported component if and only if the intents match their declared intent-filter elements.
  • Open Mobile API (OMAPI) is a standard API used to communicate with a device's Secure Element. Before Android 13, only applications and framework modules had access to this interface. By converting it to a vendor stable interface, HAL modules are also able to communicate with the secure elements through the OMAPI service. For more information, see OMAPI Vendor Stable Interface.
  • As of Android 13-QPR, shared UIDs are deprecated. Developers targeting Android 13 or higher should put the line `android:sharedUserMaxSdkVersion="32"` in their manifest; this entry prevents new users from getting a shared UID. For further information on UIDs, see Application signing.
  • Android 13 added Keystore support for symmetric cryptographic primitives such as AES (Advanced Encryption Standard) and HMAC (Keyed-Hash Message Authentication Code), and for asymmetric cryptographic algorithms including Elliptic Curve, RSA2048, RSA4096, and Curve 25519.
  • Android 13 (API level 33) and higher supports a runtime permission for sending non-exempt notifications from an app. This gives users control over which permission notifications they see.
  • Added a per-use prompt for apps requesting access to all device logs, giving users the ability to allow or deny access.
  • Introduced the Android Virtualization Framework (AVF), which brings together different hypervisors under one framework with standardized APIs. It provides secure and private execution environments for workloads isolated by a hypervisor.
  • Introduced APK signature scheme v3.1. All new key rotations that use apksigner use the v3.1 signature scheme by default to target rotation for Android 13 and higher.

Check out our full AOSP release notes and the Android Developer features and changes list.

Android 12

Every Android release includes dozens of security enhancements to protect users. Here are some of the major security enhancements available in Android 12:

  • Android 12 introduces the BiometricManager.Strings API, which provides localized strings for apps that use BiometricPrompt for authentication. These strings are intended to be device-aware and provide more specificity about which authentication types may be used. Android 12 also includes support for under-display fingerprint sensors.
  • Added support for under-display fingerprint sensors.
  • Introduced the Fingerprint Android Interface Definition Language (AIDL).
  • Added support for the new Face AIDL.
  • Introduced Rust as a language for platform development.
  • Added the option for users to grant access only to their approximate location.
  • Added privacy indicators on the status bar when an app is using the camera or microphone.
  • Android's Private Compute Core (PCC).
  • Added an option to disable 2G support.

Android 11

Every Android release includes dozens of security enhancements to protect users. For a list of some of the major security enhancements available in Android 11, see the Android release notes.

Android 10

Every Android release includes dozens of security enhancements to protect users. Android 10 includes several security and privacy enhancements. See the Android 10 release notes for a complete list of changes in Android 10.

Security

BoundsSanitizer

Android 10 deploys BoundsSanitizer (BoundSan) in Bluetooth and codecs. BoundSan uses UBSan's bounds sanitizer, which instruments accesses to arrays whose bounds are known at compile time and aborts on an out-of-bounds index. This mitigation is enabled on a per-module level. It helps keep critical components of Android secure and shouldn't be disabled. BoundSan is enabled in the following codecs:

  • libFLAC
  • libavcdec
  • libavcenc
  • libhevcdec
  • libmpeg2
  • libopus
  • libvpx
  • libspeexresampler
  • libvorbisidec
  • libaac
  • libxaac

Execute-only memory

By default, executable code sections for AArch64 system binaries are marked execute-only (not readable) as a hardening mitigation against just-in-time code reuse attacks, in which an attacker reads code pages at runtime to locate gadgets. Code that mixes data and code together, and code that purposely inspects these sections without first remapping the memory segments as readable, no longer functions. Apps with a target SDK of Android 10 (API level 29 or higher) are affected if they attempt to read code sections of execute-only memory (XOM) enabled system libraries without first marking the section as readable.
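As an added example (not code from AOSP), this is how native code that must inspect its own text can coexist with XOM: look up the permissions of the mapping containing the address and, only if the region is execute-only, remap it readable before touching it. It assumes a Linux-style /proc/self/maps; on a desktop Linux host text is normally r-x, so the remap branch is not taken, while on an XOM device the permissions read as "--xp" and the mprotect() call is what keeps the read from faulting.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Find the permission string (e.g. "r-xp", or "--xp" for execute-only) of the
 * mapping that contains addr by scanning /proc/self/maps.
 * Returns 1 and fills perms on success, 0 if no mapping covers addr. */
int mapping_perms(const void *addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return 0;
    char line[512];
    int found = 0;
    uintptr_t a = (uintptr_t)addr;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3)
            continue;
        if (a >= lo && a < hi) {
            memcpy(perms, p, 5);
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Copy n bytes of machine code starting at code into out. If the page is
 * execute-only (no 'r' in its permissions), remap it PROT_READ|PROT_EXEC
 * first, which is what Android 10's XOM hardening requires of code that
 * inspects its own text. Returns bytes copied, or -1 on failure. On a real
 * device the caller should drop PROT_READ again afterwards; omitted here. */
long read_code_bytes(const void *code, unsigned char *out, size_t n)
{
    char perms[5] = { 0 };
    if (!mapping_perms(code, perms))
        return -1;
    if (perms[0] != 'r') {
        uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
        uintptr_t start = (uintptr_t)code & ~(pg - 1);
        uintptr_t end = ((uintptr_t)code + n + pg - 1) & ~(pg - 1);
        if (mprotect((void *)start, end - start, PROT_READ | PROT_EXEC) != 0)
            return -1;
    }
    memcpy(out, code, n);
    return (long)n;
}

int main(void)
{
    unsigned char buf[16];
    char perms[5] = { 0 };
    const void *fn = (const void *)(uintptr_t)&mapping_perms;
    mapping_perms(fn, perms);
    long got = read_code_bytes(fn, buf, sizeof buf);
    printf("text mapping perms=%s, copied %ld bytes, first byte 0x%02x\n",
           perms, got, buf[0]);
    return got == (long)sizeof buf ? 0 : 1;
}
```

Reading without the permission check is exactly the pattern that broke when XOM arrived: the same memcpy() that worked on Android 9 faults on Android 10 system libraries.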

Extended access

Trust agents, the underlying mechanism used by tertiary authentication mechanisms such as Smart Lock, can only extend unlock in Android 10. Trust agents can no longer unlock a locked device and can only keep a device unlocked for a maximum of four hours.

Face authentication

Face authentication allows users to unlock their device simply by looking at the front of their device. Android 10 adds support for a new face authentication stack that can securely process camera frames, preserving security and privacy during face authentication on supported hardware. Android 10 also provides an easy way for security-compliant implementations to enable application integration for transactions such as online banking or other services.

Integer overflow sanitization

Android 10 enables Integer Overflow Sanitization (IntSan) in software codecs. Ensure that playback performance is acceptable for any codecs that aren't supported in the device's hardware, because the sanitizer adds a check to every instrumented arithmetic operation. IntSan is enabled in the following codecs:

  • libFLAC
  • libavcdec
  • libavcenc
  • libhevcdec
  • libmpeg2
  • libopus
  • libvpx
  • libspeexresampler
  • libvorbisidec
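As an added example (not AOSP codec code), here is the class of bug IntSan exists to catch in a software codec: a frame-size computation from attacker-controlled header fields that wraps. The unchecked function is the "before" pattern; under -fsanitize=unsigned-integer-overflow it traps instead of returning 0. The checked version refuses the allocation when any product overflows, which is the behavior a codec needs whether or not the sanitizer is compiled in. Input dimensions are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Vulnerable pattern: 32-bit arithmetic on header fields the stream controls.
 * width = height = 65536 gives 2^32 pixels, which wraps to 0, so the decoder
 * allocates a 0-byte buffer and then writes a whole frame into it.
 * Built with -fsanitize=unsigned-integer-overflow (IntSan), the wrap traps
 * instead of silently producing 0. */
uint32_t frame_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel;
}

/* Hardened pattern: every multiplication is checked with the compiler's
 * overflow builtins and a wrap is reported as a malformed stream.
 * Returns 0 on success and fills *out, or -1 on overflow. */
int frame_bytes_checked(uint32_t width, uint32_t height, uint32_t bytes_per_pixel, uint32_t *out)
{
    uint32_t pixels, bytes;
    if (__builtin_mul_overflow(width, height, &pixels))
        return -1;
    if (__builtin_mul_overflow(pixels, bytes_per_pixel, &bytes))
        return -1;
    *out = bytes;
    return 0;
}

/* Allocate a frame buffer only when the size computation is sound;
 * NULL means "reject the stream", not "out of memory". */
void *alloc_frame(uint32_t width, uint32_t height, uint32_t bytes_per_pixel, uint32_t *size_out)
{
    uint32_t bytes;
    if (frame_bytes_checked(width, height, bytes_per_pixel, &bytes) != 0)
        return NULL;
    if (size_out)
        *size_out = bytes;
    return malloc(bytes);
}

int main(void)
{
    uint32_t size = 0;
    printf("unchecked 65536x65536x1 = %u bytes\n", frame_bytes_unchecked(65536, 65536, 1));
    void *p = alloc_frame(65536, 65536, 1, &size);
    printf("checked 65536x65536x1 -> %s\n", p ? "allocated" : "rejected");
    free(p);
    p = alloc_frame(640, 480, 4, &size);
    printf("checked 640x480x4 -> %u bytes\n", size);
    free(p);
    return 0;
}
```

The performance note in the text is about the first function: once instrumented, each of those multiplications carries a branch, which is negligible here but adds up in inner loops of a decoder that runs without hardware assistance.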

Modularized system components

Android 10 modularizes some Android system components and enables them to be updated outside of the normal Android release cycle. Some modules include:

OEMCrypto

Android 10 uses OEMCrypto API version 15.

Scudo

Scudo is a dynamic user-mode memory allocator designed to be more resilient against heap-related vulnerabilities. It provides the standard C allocation and deallocation primitives, as well as the C++ primitives.

ShadowCallStack

ShadowCallStack (SCS) is an LLVM instrumentation mode that protects against return address overwrites (such as stack buffer overflows) by saving a function's return address to a separately allocated ShadowCallStack instance in the function prologue of nonleaf functions, and loading the return address from the ShadowCallStack instance in the function epilogue.

WPA3 and Wi-Fi Enhanced Open

Android 10 adds support for the Wi-Fi Protected Access 3 (WPA3) and Wi-Fi Enhanced Open security standards to provide better privacy and robustness against known attacks.

Privacy

App access when targeting Android 9 or lower

If your app runs on Android 10 or higher but targets Android 9 (API level 28) or lower, the platform applies the following behavior:

  • If your app declares a <uses-permission> element for either ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION, the system automatically adds a <uses-permission> element for ACCESS_BACKGROUND_LOCATION during installation.
  • If your app requests either ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION, the system automatically adds ACCESS_BACKGROUND_LOCATION to the request.

Background activity restrictions

Starting in Android 10, the system places restrictions on starting activities from the background. This behavior change helps minimize interruptions for the user and keeps the user more in control of what's shown on their screen. As long as your app starts activities as a direct result of user interaction, your app most likely isn't affected by these restrictions.
To learn more about the recommended alternative to starting activities from the background, see the guide on how to alert users of time-sensitive events in your app.

Camera metadata

Android 10 changes the breadth of information that the getCameraCharacteristics() method returns by default. In particular, your app must have the CAMERA permission in order to access potentially device-specific metadata that is included in this method's return value.
To learn more about these changes, see the section about camera fields that require permission.

Clipboard data

Unless your app is the default input method editor (IME) or is the app that currently has focus, your app cannot access clipboard data on Android 10 or higher.

Device location

To support the additional control that users have over an app's access to location information, Android 10 introduces the ACCESS_BACKGROUND_LOCATION permission.
Unlike the ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION permissions, the ACCESS_BACKGROUND_LOCATION permission only affects an app's access to location when it runs in the background. An app is considered to be accessing location in the background unless one of the following conditions is satisfied:

  • An activity belonging to the app is visible.
  • The app is running a foreground service that has declared a foreground service type of location.
    To declare the foreground service type for a service in your app, set your app's targetSdkVersion or compileSdkVersion to 29 or higher. Learn more about how foreground services can continue user-initiated actions that require access to location.

External storage

By default, apps targeting Android 10 and higher are given scoped access into external storage, or scoped storage. Such apps can see the following types of files within an external storage device without needing to request any storage-related user permissions:

To learn more about scoped storage, as well as how to share, access, and modify files that are saved on external storage devices, see the guides on how to manage files in external storage and access and modify media files.

MAC address randomization

On devices that run Android 10 or higher, the system transmits randomized MAC addresses by default.
If your app handles an enterprise use case, the platform provides APIs for several operations related to MAC addresses:

  • Obtain randomized MAC address: Device owner apps and profile owner apps can retrieve the randomized MAC address assigned to a specific network by calling getRandomizedMacAddress().
  • Obtain actual, factory MAC address: Device owner apps can retrieve a device's actual hardware MAC address by calling getWifiMacAddress(). This method is useful for tracking fleets of devices.

Non-resettable device identifiers

Starting in Android 10, apps must have the READ_PRIVILEGED_PHONE_STATE privileged permission in order to access the device's non-resettable identifiers, which include both IMEI and serial number.

If your app doesn't have the permission and you try asking for information about non-resettable identifiers anyway, the platform's response varies based on target SDK version:

  • If your app targets Android 10 or higher, a SecurityException occurs.
  • If your app targets Android 9 (API level 28) or lower, the method returns null or placeholder data if the app has the READ_PHONE_STATE permission. Otherwise, a SecurityException occurs.

Physical activity recognition

Android 10 introduces the android.permission.ACTIVITY_RECOGNITION runtime permission for apps that need to detect the user's step count or classify the user's physical activity, such as walking, biking, or moving in a vehicle. This is designed to give users visibility of how device sensor data is used in Settings.
Some libraries within Google Play services, such as the Activity Recognition API and the Google Fit API, don't provide results unless the user has granted your app this permission.
The only built-in sensors on the device that require you to declare this permission are the step counter and step detector sensors.
If your app targets Android 9 (API level 28) or lower, the system auto-grants the android.permission.ACTIVITY_RECOGNITION permission to your app as needed if your app satisfies each of the following conditions:

  • The manifest file includes the com.google.android.gms.permission.ACTIVITY_RECOGNITION permission.
  • The manifest file doesn't include the android.permission.ACTIVITY_RECOGNITION permission.

If the system auto-grants the android.permission.ACTIVITY_RECOGNITION permission, your app retains the permission after you update your app to target Android 10. However, the user can revoke this permission at any time in system settings.

/proc/net filesystem restrictions

On devices that run Android 10 or higher, apps cannot access /proc/net, which includes information about a device's network state. Apps that need access to this information, such as VPNs, should use the NetworkStatsManager or ConnectivityManager class.

Permission groups removed from UI

As of Android 10, apps cannot look up how permissions are grouped in the UI.

Contacts affinity removed

Starting in Android 10, the platform doesn't keep track of contacts affinity information. As a result, if your app conducts a search on the user's contacts, the results aren't ordered by frequency of interaction.
The guide about ContactsProvider contains a notice describing the specific fields and methods that are obsolete on all devices starting in Android 10.

Restricted access to screen contents

To protect users' screen contents, Android 10 prevents silent access to the device's screen contents by changing the scope of the READ_FRAME_BUFFER, CAPTURE_VIDEO_OUTPUT, and CAPTURE_SECURE_VIDEO_OUTPUT permissions. As of Android 10, these permissions are signature-access only.
Apps that need to access the device's screen contents should use the MediaProjection API, which displays a prompt asking the user to provide consent.

USB device serial number

If your app targets Android 10 or higher, your app cannot read the serial number until the user has granted your app permission to access the USB device or accessory.
To learn more about working with USB devices, see the guide on how to configure USB hosts.

Wi-Fi

Apps targeting Android 10 or higher cannot enable or disable Wi-Fi. The WifiManager.setWifiEnabled() method always returns false.
If you need to prompt users to enable and disable Wi-Fi, use a settings panel.

Restrictions on direct access to configured Wi-Fi networks

To protect user privacy, manual configuration of the list of Wi-Fi networks is restricted to system apps and device policy controllers (DPCs). A given DPC can be either the device owner or the profile owner.
If your app targets Android 10 or higher, and it isn't a system app or a DPC, then the following methods don't return useful data:

Android 9

Every Android release includes dozens of security enhancements to protect users. For a list of some of the major security enhancements available in Android 9, see the Android release notes.

Android 8

Every Android release includes dozens of security enhancements to protect users. Here are some of the major security enhancements available in Android 8.0:

  • Encryption. Added support to evict key in work profile.
  • Verified Boot. Added Android Verified Boot (AVB). Verified Boot codebase supporting rollback protection for use in boot loaders added to AOSP. Recommend bootloader support for rollback protection for the HLOS. Recommend boot loaders can only be unlocked by user physically interacting with the device.
  • Lock screen. Added support for using tamper-resistant hardware to verify lock screen credential.
  • KeyStore. Required key attestation for all devices that ship with Android 8.0+. Added ID attestation support to improve Zero Touch Enrollment.
  • Sandboxing. More tightly sandboxed many components using Project Treble's standard interface between framework and device-specific components. Applied seccomp filtering to all untrusted apps to reduce the kernel's attack surface. WebView is now run in an isolated process with very limited access to the rest of the system.
  • Kernel hardening. Implemented hardened usercopy, PAN emulation, read-only after init, and KASLR.
  • Userspace hardening. Implemented CFI for the media stack. App overlays can no longer cover system-critical windows and users have a way to dismiss them.
  • Streaming OS update. Enabled updates on devices that are low on disk space.
  • Install unknown apps. Users must grant permission to install apps from a source that isn't a first-party app store.
  • Privacy. Android ID (SSAID) has a different value for each app and each user on the device. For web browser apps, Widevine Client ID returns a different value for each app package name and web origin. net.hostname is now empty and the dhcp client no longer sends a hostname. android.os.Build.SERIAL has been replaced with the Build.SERIAL API which is protected behind a user-controlled permission. Improved MAC address randomization in some chipsets.

Android 7

Every Android release includes dozens of security enhancements to protect users. Here are some of the major security enhancements available in Android 7.0:

  • File-based encryption. Encrypting at the file level, instead of encrypting the entire storage area as a single unit, better isolates and protects individual users and profiles (such as personal and work) on a device.
  • Direct Boot. Enabled by file-based encryption, Direct Boot allows certain apps such as alarm clock and accessibility features to run when device is powered on but not unlocked.
  • Verified Boot. Verified Boot is now strictly enforced to prevent compromised devices from booting; it supports error correction to improve reliability against non-malicious data corruption.
  • SELinux. Updated SELinux configuration and increased seccomp coverage further locks down the application sandbox and reduces attack surface.
  • Library load-order randomization and improved ASLR. Increased randomness makes some code-reuse attacks less reliable.
  • Kernel hardening. Added additional memory protection for newer kernels by marking portions of kernel memory as read-only, restricting kernel access to userspace addresses and further reducing the existing attack surface.
  • APK signature scheme v2. Introduced a whole-file signature scheme that improves verification speed and strengthens integrity guarantees.
  • Trusted CA store. To make it easier for apps to control access to their secure network traffic, user-installed certificate authorities and those installed through Device Admin APIs are no longer trusted by default for apps targeting API Level 24+. Additionally, all new Android devices must ship with the same trusted CA store.
  • Network Security Config. Configure network security and TLS through a declarative configuration file.

Android 6

Every Android release includes dozens of security enhancements to protect users. Here are some of the major security enhancements available in Android 6.0:

  • Runtime Permissions. Applications request permissions at runtime instead of being granted at App install time. Users can toggle permissions on and off for both M and pre-M applications.
  • Verified Boot. A set of cryptographic checks of system software are conducted prior to execution to ensure the phone is healthy from the bootloader all the way up to the operating system.
  • Hardware-Isolated Security. New Hardware Abstraction Layer (HAL) used by Fingerprint API, Lockscreen, Device Encryption, and Client Certificates to protect keys against kernel compromise and/or local physical attacks.
  • Fingerprints. Devices can now be unlocked with just a touch. Developers can also take advantage of new APIs to use fingerprints to lock and unlock encryption keys.
  • SD Card Adoption. Removable media can be adopted to a device and expand available storage for app local data, photos, videos, etc., but still be protected by block-level encryption.
  • Clear Text Traffic. Developers can use a new StrictMode to make sure their application doesn't use cleartext.
  • System Hardening. Hardening of the system via policies enforced by SELinux. This offers better isolation between users, IOCTL filtering, reduce threat of exposed services, further tightening of SELinux domains, and extremely limited /proc access.
  • USB Access Control: Users must confirm to allow USB access to files, storage, or other functionality on the phone. Default is now charge only with access to storage requiring explicit approval from the user.

Android 5

5.0

Every Android release includes dozens of security enhancements to protect users. Here are some of the major security enhancements available in Android 5.0:

  • Encrypted by default. On devices that ship with L out of the box, full disk encryption is enabled by default to improve protection of data on lost or stolen devices. Devices that update to L can be encrypted in Settings > Security.
  • Improved full disk encryption. The user password is protected against brute-force attacks using scrypt and, where available, the key is bound to the hardware keystore to prevent off-device attacks. As always, the Android screen lock secret and the device encryption key are not sent off the device or exposed to any application.
  • Android sandbox reinforced with SELinux. Android now requires SELinux in enforcing mode for all domains. SELinux is a mandatory access control (MAC) system in the Linux kernel used to augment the existing discretionary access control (DAC) based security model. This new layer provides additional protection against potential security vulnerabilities.
  • Smart Lock. Android now includes trustlets that provide more flexibility for unlocking devices. For example, trustlets can allow devices to be unlocked automatically when close to another trusted device (via NFC, Bluetooth) or being used by someone with a trusted face.
  • Multi user, restricted profile, and guest modes for phones and tablets. Android now provides for multiple users on phones and includes a guest mode that can be used to provide easy temporary access to your device without granting access to your data and apps.
  • Updates to WebView without OTA. WebView can now be updated independent of the framework and without a system OTA. This allows for faster response to potential security issues in WebView.
  • Updated cryptography for HTTPS and TLS/SSL. TLSv1.2 and TLSv1.1 are now enabled, forward secrecy is now preferred, AES-GCM is now enabled, and weak cipher suites (MD5, 3DES, and export cipher suites) are now disabled. See https://developer.android.com/reference/javax/net/ssl/SSLSocket.html for more details.
  • Non-PIE linker support removed. Android now requires all dynamically linked executables to support PIE (position-independent executables). This enhances Android's address space layout randomization (ASLR) implementation.
  • FORTIFY_SOURCE improvements. The following libc functions now implement FORTIFY_SOURCE protections: stpcpy(), stpncpy(), read(), recvfrom(), FD_CLR(), FD_SET(), and FD_ISSET(). This provides protection against memory-corruption vulnerabilities involving those functions.
  • Security Fixes. Android 5.0 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members, and fixes are available in the Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.

Android 4 and lower

Every Android release includes dozens of security enhancements to protect users. The following are some of the security enhancements available in Android 4.4:

  • Android sandbox reinforced with SELinux. Android now uses SELinux in enforcing mode. SELinux is a mandatory access control (MAC) system in the Linux kernel used to augment the existing discretionary access control (DAC) based security model. This provides additional protection against potential security vulnerabilities.
  • Per User VPN. On multi-user devices, VPNs are now applied per user. This can allow a user to route all network traffic through a VPN without affecting other users on the device.
  • ECDSA Provider support in AndroidKeyStore. Android now has a keystore provider that allows use of ECDSA and DSA algorithms.
  • Device Monitoring Warnings. Android provides users with a warning if any certificate has been added to the device certificate store that could allow monitoring of encrypted network traffic.
  • FORTIFY_SOURCE. Android now supports FORTIFY_SOURCE level 2, and all code is compiled with these protections. FORTIFY_SOURCE has been enhanced to work with clang.
  • Certificate Pinning. Android 4.4 detects and prevents the use of fraudulent Google certificates used in secure SSL/TLS communications.
  • Security Fixes. Android 4.4 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members and fixes are available in Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.

Every Android release includes dozens of security enhancements to protect users. The following are some of the security enhancements available in Android 4.3:

  • Android sandbox reinforced with SELinux. This release strengthens the Android sandbox using the SELinux mandatory access control system (MAC) in the Linux kernel. SELinux reinforcement is invisible to users and developers, and adds robustness to the existing Android security model while maintaining compatibility with existing applications. To ensure continued compatibility this release allows the use of SELinux in a permissive mode. This mode logs any policy violations, but will not break applications or affect system behavior.
  • No setuid/setgid programs. Added support for filesystem capabilities to Android system files and removed all setuid/setgid programs. This reduces root attack surface and the likelihood of potential security vulnerabilities.
  • ADB Authentication. Since Android 4.2.2, connections to ADB are authenticated with an RSA keypair. This prevents unauthorized use of ADB where the attacker has physical access to a device.
  • Restrict Setuid from Android Apps. The /system partition is now mounted nosuid for zygote-spawned processes, preventing Android applications from executing setuid programs. This reduces root attack surface and the likelihood of potential security vulnerabilities.
  • Capability bounding. Android zygote and ADB now use prctl(PR_CAPBSET_DROP) to drop unnecessary capabilities prior to executing applications. This prevents Android applications and applications launched from the shell from acquiring privileged capabilities.
  • AndroidKeyStore Provider. Android now has a keystore provider that allows applications to create exclusive use keys. This provides applications with an API to create or store private keys that cannot be used by other applications.
  • KeyChain isBoundKeyAlgorithm. The KeyChain API now provides a method (isBoundKeyAlgorithm) that allows applications to confirm that system-wide keys are bound to a hardware root of trust for the device. This provides a place to create or store private keys that cannot be exported off the device, even in the event of a root compromise.
  • NO_NEW_PRIVS. Android zygote now uses prctl(PR_SET_NO_NEW_PRIVS) to block the addition of new privileges prior to executing application code. This prevents Android applications from performing operations which can elevate privileges via execve. (This requires Linux kernel version 3.5 or greater.)
  • FORTIFY_SOURCE enhancements. Enabled FORTIFY_SOURCE on Android x86 and MIPS and fortified strchr(), strrchr(), strlen(), and umask() calls. This can detect potential memory corruption vulnerabilities or unterminated string constants.
  • Relocation protections. Enabled read only relocations (relro) for statically linked executables and removed all text relocations in Android code. This provides defense in depth against potential memory corruption vulnerabilities.
  • Improved EntropyMixer. EntropyMixer now writes entropy at shutdown / reboot, in addition to periodic mixing. This allows retention of all entropy generated while devices are powered on, and is especially useful for devices that are rebooted immediately after provisioning.
  • Security Fixes. Android 4.3 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members and fixes are available in Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.
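The two zygote hardening steps listed above (capability bounding and NO_NEW_PRIVS), as an added example that is not zygote's own code. It applies them in the order zygote does: first shrink the bounding set, then set no_new_privs so that an execve() of a setuid or file-capable binary can no longer regain anything. Dropping from the bounding set requires CAP_SETPCAP, so an unprivileged run reports -1/EPERM from that step while no_new_privs still takes effect; the kept-capability list is a constructed input, and a Linux kernel is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Remove every capability from the bounding set except those in keep[]
 * (capability numbers, e.g. 13 = CAP_NET_RAW). The bounding set caps what a
 * later execve() of a setuid or file-capable binary can ever grant.
 * Capabilities are probed with PR_CAPBSET_READ until the kernel reports
 * EINVAL, so no header constant for the highest cap is needed.
 * Requires CAP_SETPCAP; returns the number dropped, or -1 with errno set
 * (EPERM when the caller is unprivileged). */
int drop_bounding_set_except(const int *keep, size_t nkeep)
{
    int dropped = 0;
    for (int cap = 0;; cap++) {
        int present = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
        if (present < 0) {
            if (errno == EINVAL)
                break;          /* past the last capability this kernel knows */
            return -1;
        }
        if (present == 0)
            continue;           /* already absent from the bounding set */
        int keep_it = 0;
        for (size_t i = 0; i < nkeep; i++) {
            if (keep[i] == cap) {
                keep_it = 1;
                break;
            }
        }
        if (keep_it)
            continue;
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
            return -1;
        dropped++;
    }
    return dropped;
}

/* Set no_new_privs: from here on execve() ignores setuid/setgid bits and file
 * capabilities, so app code cannot regain privilege by exec'ing a helper.
 * The flag is inherited by children and cannot be cleared.
 * Returns 1 when the kernel confirms it is set, 0 otherwise. */
int set_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return 0;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1;
}

int main(void)
{
    const int keep[] = { 13 /* CAP_NET_RAW, illustrative choice */ };
    int dropped = drop_bounding_set_except(keep, 1);
    if (dropped < 0)
        perror("PR_CAPBSET_DROP");
    else
        printf("dropped %d capabilities from the bounding set\n", dropped);
    printf("no_new_privs set: %s\n", set_no_new_privs() ? "yes" : "no");
    /* An execve() of a setuid binary from here runs with the caller's uid. */
    return 0;
}
```

The order matters for one reason only: PR_CAPBSET_DROP needs CAP_SETPCAP in the effective set, and a process that has already been fully de-privileged can still set no_new_privs, but not the reverse.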

Android provides a multi-layered security model described in the Android Security Overview. Each update to Android includes dozens of security enhancements to protect users. The following are some of the security enhancements introduced in Android 4.2:

  • Application verification - Users can choose to enable “Verify Apps" and have applications screened by an application verifier, prior to installation. App verification can alert the user if they try to install an app that might be harmful; if an application is especially bad, it can block installation.
  • More control of premium SMS - Android will provide a notification if an application attempts to send SMS to a short code that uses premium services which might cause additional charges. The user can choose whether to allow the application to send the message or block it.
  • Always-on VPN - VPN can be configured so that applications will not have access to the network until a VPN connection is established. This prevents applications from sending data across other networks.
  • Certificate Pinning - The Android core libraries now support certificate pinning. Pinned domains will receive a certificate validation failure if the certificate does not chain to a set of expected certificates. This protects against possible compromise of Certificate Authorities.
  • Improved display of Android permissions - Permissions have been organized into groups that are more easily understood by users. During review of the permissions, the user can click on the permission to see more detailed information about the permission.
  • installd hardening - The installd daemon does not run as the root user, reducing potential attack surface for root privilege escalation.
  • init script hardening - init scripts now apply O_NOFOLLOW semantics to prevent symlink related attacks.
  • FORTIFY_SOURCE - Android now implements FORTIFY_SOURCE. This is used by system libraries and applications to prevent memory corruption.
  • ContentProvider default configuration - Applications which target API level 17 will have "export" set to "false" by default for each Content Provider, reducing default attack surface for applications.
  • Cryptography - Modified the default implementations of SecureRandom and Cipher.RSA to use OpenSSL. Added SSL Socket support for TLSv1.1 and TLSv1.2 using OpenSSL 1.0.1
  • Security Fixes - Upgraded open source libraries with security fixes include WebKit, libpng, OpenSSL, and LibXML. Android 4.2 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members and fixes are available in Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.
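The O_NOFOLLOW semantics behind the init script hardening above, as an added example that is not Android's init code: a privileged writer that opens a path an unprivileged user can influence must not follow a symlink planted there, or it becomes a write primitive into any file the attacker names. The demo builds its own scratch directory and symlink under /tmp (constructed input), shows the plain open() succeeding through the link, and shows the O_NOFOLLOW open failing with ELOOP. It assumes a Linux or other POSIX host with a writable /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Open path for writing without following a symlink in the final component.
 * If an attacker has replaced the expected file with a symlink to, say, a
 * system file, the kernel returns -1/ELOOP instead of opening the target. */
int open_nofollow(const char *path, mode_t mode)
{
    return open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, mode);
}

struct symlink_demo_result {
    int plain_open_ok;   /* 1 if open() without O_NOFOLLOW went through the link */
    int nofollow_errno;  /* errno from open_nofollow() on the link; ELOOP expected */
};

/* Create scratch/real and scratch/link -> scratch/real, try both opens on the
 * link, clean up, and report what happened. Fields stay -1 on setup failure. */
struct symlink_demo_result symlink_defense_demo(void)
{
    struct symlink_demo_result r = { -1, -1 };
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    if (!mkdtemp(dir))
        return r;
    char target[64], link[64];
    snprintf(target, sizeof target, "%s/real", dir);
    snprintf(link, sizeof link, "%s/link", dir);

    int fd = open_nofollow(target, 0600);          /* genuine file, no link involved */
    if (fd >= 0 && symlink(target, link) == 0) {
        int plain = open(link, O_WRONLY | O_CLOEXEC);   /* the unsafe pattern */
        r.plain_open_ok = plain >= 0;
        if (plain >= 0)
            close(plain);

        int lfd = open_nofollow(link, 0600);       /* the hardened pattern */
        r.nofollow_errno = lfd < 0 ? errno : 0;    /* 0 would mean the link was followed */
        if (lfd >= 0)
            close(lfd);
    }
    if (fd >= 0)
        close(fd);
    unlink(link);
    unlink(target);
    rmdir(dir);
    return r;
}

int main(void)
{
    struct symlink_demo_result r = symlink_defense_demo();
    printf("plain open through symlink: %s\n", r.plain_open_ok == 1 ? "succeeded" : "failed");
    printf("O_NOFOLLOW open on symlink: %s\n",
           r.nofollow_errno == ELOOP ? "refused with ELOOP" : "not refused");
    return r.nofollow_errno == ELOOP ? 0 : 1;
}
```

O_NOFOLLOW only covers the last path component; a symlinked directory earlier in the path is still followed, which is why init-style code also keeps such paths on filesystems that unprivileged code cannot write to.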

Android provides a multi-layered security model described in the Android Security Overview. Each update to Android includes dozens of security enhancements to protect users. The following are some of the security enhancements introduced in Android versions 1.5 through 4.1:

Android 1.5
  • ProPolice to prevent stack buffer overruns (-fstack-protector)
  • safe_iop to reduce integer overflows
  • Extensions to OpenBSD dlmalloc to prevent double free() vulnerabilities and to prevent chunk consolidation attacks. Chunk consolidation attacks are a common way to exploit heap corruption.
  • OpenBSD calloc to prevent integer overflows during memory allocation
Android 2.3
  • Format string vulnerability protections (-Wformat-security -Werror=format-security)
  • Hardware-based No eXecute (NX) to prevent code execution on the stack and heap
  • Linux mmap_min_addr to mitigate null pointer dereference privilege escalation (further enhanced in Android 4.1)
Android 4.0
  • Address Space Layout Randomization (ASLR) to randomize key locations in memory
Android 4.1
  • PIE (Position Independent Executable) support
  • Read-only relocations / immediate binding (-Wl,-z,relro -Wl,-z,now)
  • dmesg_restrict enabled (avoid leaking kernel addresses)
  • kptr_restrict enabled (avoid leaking kernel addresses)