CDD: "Clarify what are the conditions to be met in order
to be classified as hadware backed and secure hardware".
Bug: 34343011
Change-Id: Iae36445e9eaad40704ab500d26cab4b94d8dd592
CDD: Clarified hardware-backed keystore requirement.
Bug: 35126445
Change-Id: Ie6ebddc9e242ab3bb508235a49d210dcbeed21a6
(cherry picked from commit 82acfb1241373cfe6f59a88a7f10b24d3c26c95a)
CDD: Clarified hardware-backed keystore requirement.
Bug: 35126445
Change-Id: Ie6ebddc9e242ab3bb508235a49d210dcbeed21a6
Docs: Final cleanup for CDD source.
- Fix rowspan in table in section 2.1.
- Put markdown links on a single line.
- Escape parentheses in URLs.
- Fix some internal links with dashes instead of underscores.
- Replace tabs with spaces.
- Other misc. cleanup.
Bug: 32070486
Change-Id: Ie44202b5a0bfe7133505880a0a9c74f08a9bac1f
CDD: Clarify that the system privileged permissions are not granted
to all apps on the system image.
Since Android 6.0, as already documented in the SDK (https://developer.android.com/reference/android/content/pm/PermissionInfo.html#PROTECTION_FLAG_SYSTEM),
not all apps in the system image are granted privilged permissions.
This requirements clarifies what mechanism would be used to implement
what is described in the SDK.
BUG: 33111571
Change-Id: Ia9b78470d764e105cb6c7e0c76a163050ace2e99
CDD: Functionality to provide encryption support.
Some Device Policy Controller(DPC)s may use the
DevicePolicyManager.getStorageEncryptionStatus() and expect
ENCRYPTION_STATUS_ACTIVE only as the valid state, and would keep asking
the user to add a password upon getting the
ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY state. While enabling,encryption
of the master key (i.e. enabling the secure boot) would have some
downside on the user experience upon when the device is rebooted etc.
Each enterprise might have their own security policy and should be able
to choose the trade-off of user experience in favor of the security
benefits.
BUG: 27207717
Change-Id: I2ee43f349395b9e86e4abce511497b66c2dc79dd
CDD: Require system privileged permissions to only be granted to apps
pre-installed in the whitelisted path.
The system permissions should not be extended to any app, just because
it's part of the system image but restricted to apps that are planned
to be part of the system. The API name change in Android 6.0 from
PROTECTION_FLAG_SYSTEM to PROTECTION_FLAG_PRIVILEGED further
adds to this point.
BUG: 33111571
Change-Id: Ibee24f8e424dc844e8cb49d5a7a0b56c3e3801aa
Docs: Final cleanup for CDD source.
- Fix rowspan in table in section 2.1.
- Put markdown links on a single line.
- Escape parentheses in URLs.
- Fix some internal links with dashes instead of underscores.
- Replace tabs with spaces.
- Other misc. cleanup.
Bug: 32070486
Change-Id: Ie44202b5a0bfe7133505880a0a9c74f08a9bac1f
CDD: Clarify secure lock screen requirements.
As some device implementations started to add or modify the
authentication methods for the lock screen, and more APIs
are making an assumption on the security of the lock screen
credentials, we are clarifying the requirements of what
is a secure lock screen.
Bug: 27246863
Change-Id: I618999405a862125348758ae34a40701bfaa1b62
Docs: Fix list formatting.
Bug: 32070486
Change-Id: I1f57cd40a7018c3ac9125c8616df0647a56068e2
Docs: Fix link to seccomp-tsync material.
Bug: 32070486
Change-Id: I4bd044ce9dfcb7892f5bee1082e4a2dbe96f664c
Docs: Renumber duplicate section number.
Bug: 32070486
Change-Id: I19bd018ef4a9385792ef6f06ce86ca9ee76359fa
CDD: Direct boot and FBE requirements
Android N provide support for filebase encryption, allowing files to be
encrypted with seperate keys bound to either the device or users'
credentials. This allows system processe that do not handle sensitive
user data (telephony, alarms, etc) to start before the user enters the
credentials and elimiate the double boot necessary for full disk
encryption.
This requires the following changes and afforances in the CDD:
- Sufficiently performant devices, with lockscreens, must use
either FBE or FDE.
- Added Direct Boot Requirements
-- All Device must implement Direct Boot, regardless of encryption.
- Added FBE Requirements
-- DE anf CE keys must be bound to HW keystore and hardware
root of trust (VB).
-- Must not be able to disable "secure startup" option on FBE
devices. (In earlier versions of android the FDE implementation
supported a "secure startup" option which required the user to
provide their credentials before the device could boot. This option
was disabled by default. FBE and Direct Boot provides a better
solution and device implementations MUST NOT offer any method to
unlock the CE protected storage without the user supplied
credentials.)
-- MUST Support AES encryption as implemented in AOSP, MAY support
others but AOSP MUST be used be default.
-- SHOULD make essential preloaded app directBootAware.
FDE requirements remain semantically unchanged, except it is not
required if the device implementaion use FBE.
Updated 3_10_accessibility to require that any pre-installed
accessibilty service MUST be direct boot aware on FBE devices.
BUG: 25897972
BUG: 27207717
Change-Id: I36fbce4937ebc161b09fdcb507db44f7b8990a3e
CDD: Require splitted mediaserver processes to improve security.
Android 7.0 has architectual changes to mediaserver. Previous versions
of android used a single, monolithic mediaserver process with great many
permissions (camera access, audio access, video driver access, etc).
Android 7.0 splits the mediaserver process into several new processes
that each require a much smaller set of permission.
This new architecture is secure and ensures that even if a process is
compromised, malicious code does not have access to the full set of
permissions previously held by mediaserver.
Bug: 28422586
Change-Id: I337c293b26fd9d6effc3ac8f22b2388e69452571
CDD: Location change for sepolicy on N.
Bug: 32003330
Bug: 28169245
Change-Id: I26778cdce481b073fcbfed94027b56ffd9b1366f
Docs: Spell check
Change-Id: If9bf9affdf9d0ebc38f2a675e05ef620e03417ae
CDD: Require consistent system-wide root CAs across all Android
Android 7.0 is supporting the use case of apps to be configured with
app-specific root Certificate Authority (CA). Hence, now the policy
on the preinstalled root certificates in the system-trusted CA store
are more strictly enforced to make it harder to undermine the security
of the data communication from Android device implementations.
The guideline to handle public certificates are as below.
- Deprecated public CAs: MUST NOT be added.
- New public CAs not yet in AOSP: wait these public CAs to complete the
Mozilla CA inclusion process and then file a feature request against
Android (https://code.google.com/p/android/issues/entry to include the
new public root CA to AOSP.
- private CAs that may be needed to securely access application servers
or MNO(carrier) infrastructure, see:
https://developer.android.com/training/articles/security-config.html
Bug: 18335321
Change-Id: I49bbc894c700d70d8049f9535550547fe1fce8e1
CDD: Clarify req. to notify if data traffic can be monitored.
Bug: 27665217
Change-Id: Ie99bb1cee95e797b6acb40a096b3b006c52340a8
CDD: Introduce Safe Mode Requirements
Safe Mode, enabling users to boot into a state where only preinstalled
system apps are allowed to run, empowers the Android device users to
uninstall third-party apps.
The support of this mode is now STRONGLY RECOMMENDED as this mode can
be used to address cases where third-party apps might be interfering
with the user's capability to uninstall such apps.
Bug: 27337663
Change-Id: Ib921dc3ef7cca6db68d22e23d2063fdfb2877586
CDD: Add requirement for seccomp-BPF with TSYNC
Bug: 21472592
Change-Id: I05c79bae3b370faa34e3738adf9ac205f9dce248
CDD: Require reporting of flash lock status
Android 7.0 adds a new mechanism to report the flash lock state of the
bootloader up to the framework so that system services and apps can
utilize the signal.
This change also changes the name of the section from "verified boot"
to "device integrity" to be more general.
Bug: 28236305
Change-Id: I53664b0e9e4f6f1a9072519aff1ea3d89e3b89d7
CDD: Strict verified boot reqs. unless user has opted-out
Clarify when a verified boot may complete the booting sequence despite
failing the verification.
Clarify when verified boot may accept modifications to verified
partitions.
Bug: 27368088
Change-Id: Ic3db05f8cdffb88e1aecfcb89914e7ecd1a2e9b6
CDD: Security measures to protect vehicle systems
The potential impact of malicious or unintentional interaction
with the vehicle network and systems may be catastrophic. There
are several required mitigation strategies for Android Automotive
implementations.
Change-Id: Ie732227b07aef901e155299e640d920fd7ea3f0f
CDD: Automotive device usable in guest account
Vehicles may be highly personalized Android devices. However
the lack of a user-specific profile should never prevent a
driver from operating basic vehicle functions, e.g., turning
on the radio to listen to a traffic report.
Change-Id: Ief633d78cb128f5464d623ed9029a7345b9903bc
CDD: Allow DPC to set VPN, without user consent.
Android 7.0 introduces a new API method for the Device Policy Manager
(DPC) to enable VPN.
As an app being DPC already implicitly means there is consent from
the device owner to manage the device, there is no more need to provide
separate consent to progamatically enable VPN.
Bug: 27736570
Change-Id: Ief2917844457b8bad1f1e9e19f4df808008801e7
CDD: Require hardware-backed keystores
Previously in Android 6.0, the hardware-backed keystore was a
strongly recommended security feature, but noted as to become
a mandatory requirement in the next API version.
The implementation of an exponential backoff algorithm is now also
required, whereas previously it was only recommended.
Bug: 27126435
Change-Id: I9f360107feb58a39a021199cfce8f7804d5bbbfc
Docs: Add CDD docs and the build script, and test examples
Bug: 25199595
This is based on the amended final CDD for M, hosted as commit
1846a9622485855d572705a7972116caf0be3669 on the AOSP master branch.
Change-Id: Ic3bd96cd652f7d7b13def03a4ca1f04645c34255