Typo fixes for Android 10 CDD
Bugs: 160330923
Test: cdd-gen.sh script to build
Change-Id: I01a08d586925a52c6db2ecf919274848b90112d0
CDD: Added local regulations carveout to Device Identifiers requirements.
Updating device identifiers requirements to allow apps to have access
to SIM serial number/ICCID where local regulations require the app to
detect changes in subscriber identity.
Change-Id: I5b9eef79c58e546c3ef3d859def0e515342821cc
BUG: 168387648
Docs: Almost final Cleanup CL.
Bug: 140142603
Test: ./cdd_gen.sh --version <version-number> --branch <branch-name>
Change-Id: Ib0a8e55035eab94ff6ab28ad3c6aa6c7c1ae19d3
Docs: Fix typos
Bug: 149871806
Test: N/A
Change-Id: I83bbd389c22a168744472a575616ae68aa8178e2
Docs: Fix bullet list formatting
See screenshots attached to the bug.
Bug: 149871806
Test: needs to be confirmed by rendering
Change-Id: I7ab2880fc13cb79c015bd13811ed5330b1cbea66
Docs: consistently follow convention to capitalize auxiliaries
Specific auxiliaries fixed in this CL:
* MUST
* SHOULD
* STRONGLY RECOMMEND
* VERY STRONGLY ENCOURAGED
See also https://www.britannica.com/topic/auxiliary
Bug: 149871806
Test: N/A
Change-Id: Ibeab9037bf58ead36ad3b0983845efcc37d94ada
CDD: TrustAgent and Biometric Carve-out
7.3.10: Relaxing C-1-8 biometrics requirement for upgrading devices.
9.11.1: Relaxing C-7-8 trustagent requirement for Automotive, considering
driver distraction could be of concern.
Bug: 141269831
Test: NA
Change-Id: I922d92300ad6565d99adff732877052e02f14850
CDD: User consent message substantially same as AOSP.
Test: make_cdd.sh script
Change-Id: I4fa138bd6cbfb9b31fd87231be8ce8930033c9b9
CDD: Location permissions for BLE scans
Test: make_cdd.sh script
Change-Id: Ie2cdd1d0827e6cbe77629147190e4e311cf1918a
Docs: Update to clarify what's allowed for Trust Agent
Test: make_cdd.sh script
Change-Id: I7bf9bc3d0313ffc719f176eda3c80a9bd7b0d6c9
CDD: Carveout automotive from Restricted profiles
Removed the multiple-user restricted profiles from
the core requirement and added them to all the
device configurations except automotive.
Bug: 143736934
Test: N/A
Change-Id: Ia9d8e606a50567c2dfab190423923c809ecc5ca2
Docs: Editorial Fixes for Section 9.8 and 5.2.5 (video codec table)
bug: b/140142603
test: NA
Change-Id: Ie5047a8497c94c4cb4e9f0b2bbea51efab9f2eda
Docs: Whitespace at EOF
Last line of file should end with a single newline.
Bug: 140034464
Test: N/A
Change-Id: Icdaaf61f25a0448fdf866fee4295b0ee15348812
Docs: Fix misspellings
Bug: 140034464
Test: N/A
Change-Id: If526c0b31459c7f368c623a0d0e916bfc3fd344f
CDD: Lockscreen and biometrics changes
- Introducing new biometrics tier model, adding
the requirements and constraints for each tier.
- Some editorial changes by reorganizing and folding some sections
- Transferred ag/6940471 on master to qt-branch
Bug: 126002559
Bug: 120995257 (7.3.10/C-2-5)
Bug: 124243324 (9.11.1/C-7-12)
Bug: 124403616 (7.3.10 additional background)
Bug: 123365828 (9.11.1/C-7-11)
Test: NA
Change-Id: Ib36d40935c77ec370a2494ddb1506b0a952fd525
CDD: Updating location and corresponding privacy requirements
- Some minor changes for reporting GNSS measurements
- Bumping up from Should to SR for 3-axis accelerometer
- Update privacy requirements related to the user's location to align
with the updated privacy policy
Bug: 124539379
Bug: 124405285
Bug: 124405354
Bug: 123593924
Bug: 124404671
Bug: 124404696
Test: N/A
Change-Id: I6278b6af8f1f3f00fe455d66fa051d3d7f5a2dc7
CDD: Tighten keystore req
- Tighten the security consistently for Android ecosystem.
- Remove the condition of a secure lock screen for Keystore reqs for
form-factors (i.e. Handheld, Auto, TV) that have adopted keystore reqs.
Bug: 111748530
Change-Id: If7682e1410b52390135627d3edc9724d779a265f
CDD: Require user consent for screen casting and screen recording
- Provide more transparency for users about casting/screen recording.
Bug: 135560873
Test: N/A
Change-Id: I36c4f4e26e113bd24737bb0b5fc1476f6d378c83
CDD: Update clipboard requirement
- Updating the clipboard requirement to improve privacy.
Test: N/A
Fixes: 121159550
Change-Id: Id1cd6237ee741acdf2a24c43a9c4f5f2ec09d0ee
CDD: Require runtime permission for location and physical Activity
- Ensure the correct permission model is implemented for both location
and proprietary APIs that return location and physical activity.
- Correspond with the improved location/activity permission in Q.
Test: N/A
Bug: 124308476
Bug: 124124462
Change-Id: If5deec3f9c45c1784f66ebf24936e50602cd24a3
CDD: Update privacy requirements for capturing contents
- Ensure the data captured on the device will not be leaked and abused.
Bug: 124510178
Test: none
Change-Id: I9840d1fca81b85c5198882ba8ddbdff527896e02
CDD: priv apps root of trust on Verified Boot
- This is a minor language improvement for the spirit. Previously, the
document explicitly required /system, but actually all partitions
protected by Verified Boot are fine.
Test: None
Bug: 123365823
Change-Id: I405371c69323bb95bc07e18c09b78ed2d1bcf46e
CDD: Revise section about Android Protected Confirmation API
- Make the security requirements more concise to cover a larger design
space of possible implementations while preserving the expected
security guarantees.
Bug: 119186987
Test: n/a
Change-Id: I64a7b52a1218df8f16a2a6bb63f1d78465b9d916
CDD: Scope Factory Data Reset(FDR) wording to userdata partition.
This is to improve user data privacy.
Bug: 124238463
Test: None
Change-Id: I0a098daec3362417b105bda7be56cea424f62253
CDD: Permissions for the hardRestricted level
- The permission model (including permission restriction) is the most
important mechanism to protect the user's privacy
- Apps need a consistent permission model to be able to effectively deal
with user data
Fixes: 124522273
Change-Id: If85a3f266ab75de64e5ac840101fb3ce983e179d
CDD: Clarify privacy requirement for bugreports.
Clarify that bugreports are covered by the following requirement:
MUST NOT preload or distribute software components out-of-box that send
user's private information off the device without the user's consent or
clear ongoing notifications.
Bug: 132458597
Test: N/A
Change-Id: I4d1732bb45153e5eccce1964437f9bdf25350d54
CDD: Require new device identifier access restrictions
Devices must prevent access to all device identifiers from
an app that does not meet one of the new requirements.
Bug: 123367433
Test: N/A
Change-Id: I683ff569f8f51c38fa4defa0f60c898ea48414ab
CDD: Strongly recommend StrongBox for devices with secure processors
This arguably is a weakening of the P recommendation, but it's part of
an incremental strategy to mandate StrongBox across the entire
ecosystem. We'll start by recommending it for devices with the
necessary hardware, then move to mandating it for such devices and
recommending that all devices add such hardware, then mandate it for
all devices.
Bug: 135707870
Test: N/A
Change-Id: Idf18fde8fc163ee0944a6ce1e611441414ebc461
CDD: Relax hardware vulnerability requirements
Limit mitigation requirements to vulnerable hardware.
Bug: 122834364
Change-Id: If81385671bfd42f0d100f139c081fd759de81cd0
CDD: Align mic and playback capture requirement
- The two audio sources should have the same privacy requirements.
- Some typo correction for section 5.4.
Test: N/A
Bug: 124333245
Change-Id: Ida67df090b028b35f0dbea84c1e43de8339c5696
Signed-off-by: Kevin Rocard <krocard@google.com>
CDD: Update CDD for CFI and SCS
- Strongly recommend shadow-call-stack (SCS) and control-flow-integrity
(CFI) for the kernel and userspace to provide additional protection
against code-reuse attacks.
Bug: 123365748
Test: --
Change-Id: Ida7b2f190da26439443d5247d467047e134933c1
CDD: Remove "shared device" exception for encryption
- This can potentially be used to try to gain exceptions for devices
we never envisioned (for example, many phones allow multiple user
accounts, and any device shipping with family features is
pretty much by definition going to be "shared").
- This exception was also somewhat designed for devices with
lower hardware capabilities. But with Adiantum available, we
haven't seen any data showing such an exception is still
needed.
Bug: 124123642
Test: None
Change-Id: Ie2b3f0b5be2c8cda80176160255558e6e5a2cff5
CDD: Remove encryption performance exception
We now require encryption on all devices, without any
exceptions for performance.
For devices which lack AES CPU instructions, and thus have
performance concerns with AES, we allow the use of Adiantum as
the encryption method.
Bug: 118200376
Test: None
Change-Id: I219fd6d1733c053741d8b71b7f5bd067938d1196
CDD: Remove FDE, mandate FBE where encryption is mandated
- Already-launched devices are exempted, and must instead follow
mandates of their launch CDD.
Bug: 118760699
Test: not applicable to CDD changes
Change-Id: Icea70b46c986af187248d9b946e5c17d2b8ef1dd
CDD: Clarify data deletion requirements
- Make it clear that all generated data, not just user-generated data,
should be deleted on factory device reset.
- Clarify that only operating system files on read-only filesystems are
exempt from being deleted.
Bug: 124238463
Test: None
Change-Id: I3cd0bb57ed2c425763b7a50849dc216bc5dcab50
Docs: Errata for Android 9 CDD.
- Fixed Section 9.10 by removing C-2-1 due to the introduction of C-0-2
- Fixed typos in other sections
Bug: 112010610
Test: ./cdd_gen.sh --version 9 --branch pie-dev
Change-Id: Ie4003beb20425a7fc83cf68ea23772aca389b85b
CDD: Move the req of supporting encryption under perf carve-out
- Ensure the consistent security across devices
- Replace the carve-out of secure lock screen with the perf carve-out
for supporting encryption
Test: None
Bug: 71909258
Change-Id: Ied56bb0bdd99e3f27e68c13829073c5982019c74
CDD: Clarifying kernel page table isolation
- Modifying the requirement language for C-0-12 (kernel page table isolation)
requirement to add clarity.
Bug: 79088532
Change-Id: If3b3da40b78203c177cb4b833ea49837336a72b7
CDD: Require logging of some basic events available to app developers through statsd.
Enlist required fields to be more specific about what is
needed for developer tools and what is needed for privacy.
Bug: 76161779
Bug: 74125988
Test: None
Change-Id: I4ff9a73f72c3270caaac0f116297d666a58561fb
CDD: Requirements for services that have access to "android.permission.RECOVER_KEYSTORE"
- Prevent brute-force attacks on the lockscreen knowledge factor.
Bug: 73599998
Test: None
Change-Id: I8f7fa701b11f015e26429c4683a36d37aa2faa47
CDD: Add section about Android Protected Confirmation API
- Device implementations with secure hardware may implement the
Android Protected Confirmation API to request the user to
approve a textual message.
Bug: 73001803
Test: n/a
Change-Id: I96c5929b0b4ab99b31a9fe7ca0ac82710f94cdca
CDD: Update CDD language for biometrics and lockscreen.
This CL makes CDD changes that are aimed at providing more explicit
guidance on creating secure biometric based unlocks, and on
consolidating the CDD language for secure lockscreens to make the
authentication model consistent with our security bar.
More specifically, it changes the following things:
(1) A new section similar to "7.3.10 Fingerprint Sensors" that's more
generic and applicable to all biometric sensors. Should have mostly
the same constraints but slightly altered where necessary.
(2) Language that deals with match-on-chip solutions for biometrics.
(3) A new requirement in 9.11 that mandates keeping a minimum
Sleep timeout of at most 15 seconds.
(4) New requirements in "9.11.1 Secure Lock Screens" that:
(a) Constrain what a primary authentication can be.
(b) Adds information related to alternate biometric unlocks and
adhering to the SAR/IAR bar that was introduced in the 8.1 CDD
(c) Adds requirements around 'passive' biometric unlocks like Face
when used to unlock keystore keys.
(d) Clarifies some language around falling back to requiring primary
auth every 72 hours for all non-primary modes of authentication
(5) Removes the API requirement to return false for both the KeyguardManager.isKeyguardSecure() and the KeyguardManager.isDeviceSecure() methods.
Bug: 73723272
Bug: 77656214
Bug: 111053551
Test: --
Change-Id: Iede9eba5ac79de56802cd830c3dc4e521f40e098
CDD: 9.10. Device Integrity: Change verified boot items from SR to MUST.
Change STRONGLY RECOMMENDED to MUST for verified boot items and slight
cleanup of language used:
- MUST use tamper-evident storage: for storing whether the bootloader
is unlocked. Tamper-evident storage means that the boot loader can
detect if the storage has been tampered with from inside Android.
- MUST prompt the user, while using the device, and require physical
confirmation before allowing a transition from boot loader locked
mode to boot loader unlocked mode.
- MUST implement rollback protection for the partitions used by
Android (e.g. boot, system partitions) and use tamper-evident
storage for storing the metadata used for determining the minimum
allowable OS version.
Test: n/a
Bug: 72919368
Change-Id: Ifcb0c994cb86f92a422dcde6fa6da1ca064d4ca0
CDD: Update CDD changes for CFI and IOSAN
This CL renames section 9.7 to 'Security Features' (instead of kernel
security features), and adds a new sub-section for userspace specific
security feature advice. There's only a single recommendation in for
P, but we will be using this section to add more details and
recommendations/constraints for Q.
Bug: 73724250
Test: --
Change-Id: If45c5fd9b7668dcafc9ce8dbd2a59b9c4418ca42
CDD: StrongBox requirements
- Tighten the security by supporting StrongBox.
- Clarifying the requirements if StrongBox is supported.
Bug: 73002261
Test: N/A
Change-Id: I9834ced2e697bee013cb0725f31745826da1f0c5
CDD: Require verified boot on all devices, including low ram devices
We remove the low RAM exception for verified boot.
Test: None
Bug: 73374550
Change-Id: I340e8753c8648bbe2a68426123851359d4cba1cb
Docs: clarify that CONFIG_ARM_LPAE is not allowed for 32-bit ARM
- It's incompatible with PAN emulation for arm32 kernels.
- This is already implicitly tested when checking for
CONFIG_CPU_SW_DOMAIN_PAN.
Bug: 109828784, 74078653, 79088532, 73728376
Test: n/a
Change-Id: Idb6a96d6f8c13a959b4bdc2c5580294beeff2d7c
CDD: Allow escrow keys to unlock CE storage.
- Much of the purpose of escrow keys is to allow storage
to be unlocked when a user forgets their LSKF, so we
must allow this in CDD.
Bug: 111561428
Test: Documentation change.
Change-Id: I0de44228e35728713405a8d84ec3b8e6f8a9ecbf
CDD: Recommend metadata encryption
- Tighten the security.
Bug: 73662717
Test: Compiled and inspected HTML
Change-Id: Ib2be403ef2db8525c9ad579a289eca79132696e9
CDD: MUST NOT send user's private data off the device without the user's consent
- Ensure that user's private data is protected and is not sent off the device without user's consent.
Bug: 74620344
Change-Id: I41559d7d3903ea3d44d1471abe896ad7698ef6be
Test: N/A
CDD: Require to include only the data with 'DEST_AUTO' in the incident report
Ensure that data other than `DEST_AUTO` is not included in the report for
privacy protection, as fields or messages annotated with DEST_AUTO
can be sent by automatic means, without per-sending user consent. The user
still must have previously accepted consent to share this information.
Bug: 76161779
Test: N/A
Change-Id: I813c96d43395b092ab0e8681893cf205723d26bb
CDD: Add recommendations for Full Stack Integrity
Android P adds support for extending the protections of Verified Boot
beyond OS partitions to privileged apps that are installed on /data.
This change recommends that device implementations perform
integrity checks of these privileged apps.
Test: None
Bug: 73001552
Change-Id: I773c4ad431ab0f2c16a762ba342653502ea98912
CDD: Tightening kernel security requirements from SR to MUST
- The tightened MUST requirements are applicable for devices that
originally ship with API level 28 and above.
These security requirements provide better protections for the kernel by
mitigating common classes of vulnerabilities and privilege escalation
techniques.
Bug: 74078653
Bug: 79088532
Bug: 73728376
Test: n/a
Change-Id: I62450948e5474939d94b22b280d11a6d56e35f3e
CDD: Describe subscription plan security model.
Bug: 71816837
Test: ./cdd_gen.sh
Change-Id: I670a694bd37436e71b37f4746c5261d2d93b6b91
CDD: add per-app selinux requirements for P
Apps that target Android P can no longer share data with other apps
using world-accessible Unix permissions. This change improves the
integrity of the Android Application Sandbox, particularly the
requirement that an app's private data is accessible only by that
app. [1]
To share files with another app, use a content provider
or shared space in external storage.
This feature enforces an existing requirement that files saved in
internal storage are accessible by the owning app. [2]
[1] https://developer.android.com/guide/topics/data/data-storage.html#filesInternal
[2] https://developer.android.com/training/data-storage/files.html#PublicFiles
Bug: 73728376
Test: n/a
Change-Id: Ib2a93fde25f660782f315d5e02978637680f7594
CDD: Clarify the requirement for kernel stack buffer overflow protections.
- Update 9.7. Kernel Security Features [C-0-7].
- Differentiate the requirement and the sample mechanism.
Bug: 67317614
Test: N/A
Change-Id: I1c79e59d611b22d469e85fc81b976cbb98221234
CDD: Clarify the key attestation is required only for new devices
- Add the clarification note for 9.11 [C-1-4].
- Clarified that old devices with earlier versions of Android are
exempted from the key attestation requirement.
Bug: 72461553
Change-Id: I9b14119bcd67b5aa2063b3fb21b995fd658fc9d7
CDD: Require verified boot when device has enough RAM vs.
good AES-crypto performance
Update verified boot requirement to be MUST for devices that report
feature flag android.hardware.ram.normal
Bug: 35039737
Test: N/A
Change-Id: If7346873f92879a551935b55597762a46b5e89c8
CDD: Require secure storage of lock screen credentials
- With credential-based Factory Reset Protection, the
credential handle is stored on an unencrypted partition. To maintain
security guarantees, implementations must make sure that the handle
does not leak information about the credential.
Bug: 64209214
Test: n/a
Change-Id: I55f15cc75502016824d9307c03d947c4041744b0
CDD: Changes to measure biometric unlock security.
Adds imposter and spoof acceptance rate metrics for biometric based
unlocks, and mandates showing a disclosure of the risks involved when
an unlock modality does not meet the bar.
Bug: 66013719
Bug: 63910023
Test: N/A
Change-Id: I6a129481c0036c756f8c7d95cf3da1bab9f3f0f1
CDD: AES encrypt the encryption key by default
For Android O-MR1 we are requiring that all encryption keys are
encrypted with AES by default, unless the user explicitly opts out.
Bug: 33744049
Change-Id: Ic74dcd960ef89b752f580bd2ce2e42acca643c1f
Test: Not necessary -- this is a policy change.
Docs: Move dev-specific reqs to Ch 2.
Test: python make_cdd.py --version <version-number> --branch <mybranch>
Bug: 64164626
Merged-In: Ie091c0be79ad4a797f26a60e95ee2594f053f804
Change-Id: Ie091c0be79ad4a797f26a60e95ee2594f053f804
(cherry picked from commit 0ece682cb7f915f4289ba6d7b5c86957e6d5d276)
(cherry picked from commit d72cc3b7971126e352c0c8fd83693f458d3785ec)
Docs: Move dev-specific reqs to Ch 2.
Test: python make_cdd.py --version <version-number> --branch <mybranch>
Bug: 64164626
Change-Id: Ie091c0be79ad4a797f26a60e95ee2594f053f804
(cherry picked from commit 0ece682cb7f915f4289ba6d7b5c86957e6d5d276)
CDD: add requirement for always-on VPN opt-out.
Require UI implementations to observe the always-on VPN opt-out manifest
flag in app manifest, if such implementation exists.
See VpnService.SERVICE_META_DATA_SUPPORTS_ALWAYS_ON
Bug: 65561270
Test: N/A
Change-Id: Ie0b5ea506affbec0ab3b0268c2539bc0184721aa
Docs: Misc fixes for CDD.
Bug: 67405273
Test: make_cdd.py --version 8.0 --branch "oc-dev"
Change-Id: Icee371d41284f56ef6d9ad90ab8992c94134d5bd
CDD: O errata changes
Fixes to missing/incorrect IDs in CDD.
Bug: 66482816
Test: N/A
Change-Id: I8241e1f96f7bc2c5d9e190e96da87fcb504cde02
Docs: Move dev-specific reqs to Ch 2.
Test: python make_cdd.py --version <version-number> --branch <mybranch>
Bug: 64164626
Change-Id: Ie091c0be79ad4a797f26a60e95ee2594f053f804
Docs: Restructure section 9.9.
Part of restructuring work for CDD.
Test: N/A
Bug: 64811960
Change-Id: If35c39e10f621e1b9bad51eb9a89770815d2226d
Docs: Restructure section 9.14.
Part of restructuring work for CDD.
Test: N/A
Bug: 64811960
Change-Id: I8f106180bb29452ce3de28ba100dcb76dae74737
Docs: Restructure section 9.6.
Part of restructuring work for CDD.
Test: N/A
Bug: 64811960
Change-Id: I82b2f7099ec8811980b90b7a6969b5865fd25740
Docs: Restructure section 9.11
Part of restructuring work for CDD.
Test: N/A
Bug: 64811960
Change-Id: I2d8ccd24e8572d397f38718088cc43274962bf12
Docs: Restructure section 9.10.
Part of restructuring work for CDD.
Test: N/A
Bug: 64811960
Change-Id: Ic2ce057ffc3d072c4aacd52d4f0c8ebe578e9c61
Docs: Restructure CDD section 9.1.
Part of restructuring work for CDD.
Test: N/A
Bug: 64811960
Change-Id: I912f83d868078cc90345766ce6dc5e05efc8078c
Docs: Restructure section 9.8.
Part of restructuring work for CDD.
Test: N/A
Bug: 64811960
Change-Id: I33113c2c4b5026ecd9155d5dc5c2a81743db3407
Docs: Restructure section 9.2.
Part of restructuring work for CDD.
Test: N/A
Bug: 64811960
Change-Id: I9cf7fbb4938b714682b434da196b2321a9b9bcea
Docs: Restructure section 9.13.
Part of restructuring work for CDD.
Test: N/A
Bug: 64811960
Change-Id: Icb98a0c74708c61cec94db74d04e17ec38ab819b
Docs: Restructure section 9.7.
Part of restructuring work for CDD.
Test: N/A
Bug: 64811960
Change-Id: I076fa1c1ce0a11ebc20e90e088cbd64b08046832
Docs: Restructured section 9.5.
Part of restructuring work for CDD.
Test: N/A
Bug: 64811960
Change-Id: If8e02513604ce19e695e0033ea5a98a6a2d5c00b
Docs: Restructure section 9.12.
Part of restructuring work for CDD.
Test: N/A
Bug: 64811960
Change-Id: I4402611e292482ed38e508716677c6b6c61be94d
Docs: Restructure section 9.3.
Part of restructuring work for CDD.
Test: N/A
Bug: 64811960
Change-Id: If9d5d1be2b256923d669efe6c66b9d901ba0513b
Docs: Restructure section 9.4.
Part of restructuring work for CDD.
Test: N/A
Bug: 64811960
Change-Id: I730c279f6067ad1002bb1c75dde664246f7eaa8d
Docs: Restructure CDD section 9.0.
Part of restructuring work for CDD.
Test: N/A
Bug: 64811960
Change-Id: I840ca61cace0f61fe85353fcedca0627a8647ca7
CDD: Add req for the trust agent escrow token system API
Add requirements to account for the new methods in
TrustAgentService that allow unlocking a device based on escrow
tokens.
Bug: 36237319
Test: Documentation update.
Change-Id: I38cec1d94bbcbcbf97782308dc800abf650d6532
CDD: Require checking the primary authentication periodically
- Added this requirement for the following reasons:
- Security: The supplemental unlocks are less secure than the primary
credential, so limit the risk by periodically asking for the main
password.
- Usability: Make sure the user enters their primary knowledge factor
often enough not to forget it.
Bug: 38314942
Change-Id: I664813f58f5881c51500559eb7175fd759885d9e
CDD: Updated Kernel security requirements.
Added requirements to make sure the Android ecosystem has
a minimum safe bar for kernel configurations.
Bug: 36371578
Test: N/A
Change-Id: Iea6207dfd5805392ea1bbdf232004d32cc19ff52
CDD: Require indicating to the user the impact of TrustAgentService
on screen locks.
TrustAgentService is able to change the behavior of screen locks, and
hence such a state has to be indicated to the end user in a more
transparent way.
Test: description only
Bug: 35849818
Change-Id: Id4e1cd29bbfc2e2c51ee0d852a30983a69c4786a
CDD: Require user affordances to grant/revoke PACKAGE_USAGE_STATS
permission.
Without the user-accessible mechanism, the android.app.usage package
APIs can't be granted/revoked despite the API documents for the
android.app.usage package multiple times referring to
"However, declaring the permission implies intention to use the API
and the user of the device can grant permission through the Settings
application."
Bug: 34107152
Test: N/A
Change-Id: Ie7385f54c024a72e943bf7b6d33b13d0b7ce6806
CDD: Clarify requirement for alternative authentication method
- This update is to ensure that the authentication method, used for
secure lock screen, behaves as documented in SDK so that the related
APIs work correctly for third-party apps.
Bug: 37426035
Change-Id: I01659d6cafce1654810bf6c3c76f1016f3bd6cce
CDD: Updated Privacy section with req. related to Ambient Sound Service.
Bug: 37323391
Test: N/A
Change-Id: I20380f9ec103ec140ceeadc3c63605e8fcb1fa0a
CDD: Require support for hardware-backed key attestation
- Attestation will provide a way for developers to verify off-device
that a particular key has the expected security properties.
- This is important for trustworthy security designs for particularly
sensitive applications, e.g. payment & banking.
Bug: 33676518, 30974815
Change-Id: I92c39b69e26a7c7cd8c32dd4689de52b0cc8f1f0
CDD: Require a default passcode to wrap the encryption key
If the user has not specified a lock screen credential, the process for
recovering the disk encryption key should still be bound to Keymaster
and the root of trust, so that an attacker who changes the OS to an
unsigned OS can't easily recover the disk encryption key. A default
passcode is the easy way to achieve that.
Given this, we are changing "SHOULD" to "MUST".
Bug: 33744049
Change-Id: I8e5026f394a8e4e6902f2b86449b367b6668f13b
CDD: Add recommendations for Verified Boot
Android Verified Boot or AVB (aka Verified Boot 2.0) is added to
Android 8.0, replacing the old Verified Boot feature and improving
security including the rollback prevention feature.
AVB requires adding a new disk partition, so can only be applied to
new device launches. However, we're adding recommendations to support
these new features and also highlighting that there is an open-source
implementation that can be used to support the features, as Android
Verified Boot would allow better integrity of the Android security model
that app developers would rely on.
Bug: 33676518
Change-Id: I6ff469ae61387038094a71bef0fa82b6455d1308
CDD: Users or app developers MUST NOT change SELinux Policies.
SELinux is the mandatory access control system used by Android. The
security rules manage access to every part of the system. Allowing users
or developers to change SELinux policies could either:
1) Add new security holes, allowing the compromise of application or
user data; or
2) Improperly reduce functionality, which could prevent applications
from working properly and introduce bugs.
A stable SELinux implementation is in app developers' and users' best
interest, as it ensures consistency across the Android ecosystem.
Bug: 34278546
Test: N/A
Change-Id: I690082859980083f3cd4305e86da5ff100baec5e
CDD: Require privileged permissions only to be granted when explicitly
whitelisted per app/permission
This is to ensure that the standard android permission model is kept
consistent as documented in the Android SDK.
See https://developer.android.com/guide/topics/permissions/requesting.html
and https://developer.android.com/reference/android/content/pm/PermissionInfo.html#PROTECTION_FLAG_PRIVILEGED
Bug: 33499917
Test: manual
Change-Id: Ie1f18dcb6cfb6d4a5329b0f0eb52f7feb3ed9a7e
Docs: Add missing newline at EOF
Test: N/A
Change-Id: Ia22922cd8affb795e435748b362718b2ceab6f23
CDD: Updated VPN disclosure requirements for privacy
The AOSP implementation of Android 8.0 has made improvements to the
VPN user interface in order to better emphasize the risk differences
between VPNs and root CAs by making the VPN user interface of the
warning explicit as to what is happening.
Bug: 36031671
Test: N/A
Change-Id: I50bf21e18fe893fa8deeb741096fde1ff66e8cdf
CDD: Requirement for retention duration of user selection history.
Rewords "retention length" to "retention period".
bug: 33423136
Test: skipped.
Change-Id: I79a7660a835a698546aac8821ff0c9e34184e9f6
CDD: Require checking the primary authentication periodically
- Added this requirement for the following reasons:
- Security: The supplemental unlocks are less secure than the primary
credential, so limit the risk by periodically asking for the main password.
- Usability: Make sure the user enters their primary knowledge factor
often enough not to forget it.
Bug: 38314942
Change-Id: I708bd3db39868ad42d7ec4ad9632b2982c3979b6
CDD: "Clarify what are the conditions to be met in order
to be classified as hardware backed and secure hardware".
Bug: 34343011
Change-Id: Iae36445e9eaad40704ab500d26cab4b94d8dd592
CDD: Requirement for retention duration of user selection history.
Android 8.0 introduces the Smart sharing API, which learns about users'
personalized sharing preferences and better understands, for each type of
content, which are the right apps to share with. To support this API,
device implementations MUST keep a reasonable retention length of users'
sharing histories. It is Strongly Recommended to use the default
retention length.
bug: 33423136
Test: skipped.
Change-Id: I94bc1278aa2bfd11dce728e96bba61aa380d139b