Security updates and resources
Android security bug lifecycle
The Android security team is responsible for managing security vulnerabilities discovered in the Android platform and many of the core Android apps bundled with Android devices.
The Android security team finds security vulnerabilities through internal research and also responds to bugs reported by third parties. Sources of external bugs include issues reported through the Android Open Source Project (AOSP) Security bug report template, published and pre-published academic research, upstream open source project maintainers, notifications from our device manufacturer partners, and publicly disclosed issues posted on blogs or social media.
Reporting security issues
Any developer, Android user, or security researcher can notify the Android security team of potential security issues through the AOSP bug tracker Security bug report template.
Bugs marked as security issues are not externally visible, but they may eventually be made visible after the issue is evaluated or resolved. If you plan to submit a patch or Compatibility Test Suite (CTS) test to resolve a security issue, please attach it to the bug report and wait for a response before uploading the code to AOSP.
Triaging bugs
The first task in handling a security vulnerability is to identify the severity of the bug and which component of Android is affected. The severity determines how the issue is prioritized, and the component determines who fixes the bug, who is notified, and how the fix gets deployed to users.
Severity
The severity of a bug generally reflects the potential harm that could occur if a bug was successfully exploited. Use the following criteria to determine the severity:
Rating | Consequence of successful exploitation
---|---
Critical |
High |
Moderate |
Low |
Though there are many types of software bugs outside of the security vulnerabilities detailed above, reported bugs are evaluated on a case-by-case basis to determine what security impact they have.
The Android security team may also adjust the severity of a vulnerability if it is determined the risk to users is higher or lower than the guidelines suggest. For example, if a certain piece of data is available only to apps with "system" level access but the data itself is not sensitive, the Android security team may consider it only a low-severity vulnerability.
Local vs. remote
A remote attack vector indicates the bug could be exploited without installing an app or without physical access to the device. This includes bugs that could be triggered by browsing to a web page, reading an email, receiving an SMS message, or connecting to a hostile network. For the purpose of our severity ratings, the Android security team also considers "proximal" attack vectors as remote. These include bugs that can be exploited only by an attacker who is physically near the target device, for example a bug that requires sending malformed Wi-Fi or Bluetooth packets.
Local attacks require the victim to install an app. For the purpose of severity ratings, the Android security team also considers physical attack vectors as local. These include bugs that can be exploited only by an attacker who has physical access to the device, for example a bug in a lock screen or one that requires plugging in a USB cable. The Android security team also considers NFC-based attacks as local.
Severity of vulnerabilities that affect high privilege levels
The Android security team will usually drop the severity rating for a bug that already requires executing code at a high privilege level. For example, a bug in a kernel driver accessible only from a privileged service that requires first compromising the service. In this case, the Android security team may drop the severity from "high" to "moderate."
Severity of kernel compromises
Whether a vulnerability that compromises the kernel is considered "high" or "critical" depends on the device and the version of Android. On devices with a TEE (or TrustZone) and verified boot, a kernel compromise is considered "high" because exploiting it won't allow permanently affecting the operation of the device unless a vulnerability is discovered in the TEE or verified boot implementation. In general, if the result of a compromise can be remediated with a factory reset, it's "high" or lower.
However, on older devices without verified boot, a kernel compromise can result in permanent device compromise if SELinux is disabled and the system partition is modified. On that device, a kernel compromise is considered "critical" because remediation requires re-flashing the device's firmware image.
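The attack-vector grouping and the two severity adjustments described above (privileged-context bugs drop one level; kernel compromises rate high with verified boot and critical without it) can be written down as a small triage helper. This is an added illustration, not code from the Android security team; the base rating is taken as an input because the consequence table is not reproduced here, and the vector keywords are an assumed shorthand.

```python
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3
    CRITICAL = 4


# Assumed keyword shorthand for the vectors the page names.
# Remote includes "proximal" vectors such as malformed Wi-Fi or Bluetooth packets;
# local includes physical vectors (lock screen, USB) and NFC.
REMOTE_VECTORS = {"web", "email", "sms", "network", "wifi", "bluetooth"}
LOCAL_VECTORS = {"app", "lockscreen", "usb", "nfc"}


def classify_vector(vector: str) -> str:
    """Return "remote" or "local" according to the page's grouping."""
    v = vector.lower()
    if v in REMOTE_VECTORS:
        return "remote"
    if v in LOCAL_VECTORS:
        return "local"
    raise ValueError(f"unknown attack vector: {vector}")


@dataclass
class Report:
    base: Severity                 # rating from the consequence table (input)
    vector: str
    requires_privileged_exec: bool = False  # reachable only from an already-privileged context
    kernel_compromise: bool = False
    verified_boot: bool = True     # device has a TEE and verified boot


def triage(r: Report) -> Severity:
    sev = r.base
    if r.kernel_compromise:
        # With TEE + verified boot the damage is bounded by a factory reset -> high.
        # Without verified boot the system partition can be persistently modified -> critical.
        sev = Severity.HIGH if r.verified_boot else Severity.CRITICAL
    if r.requires_privileged_exec and sev > Severity.LOW:
        # Bug already requires code execution at high privilege: drop one level
        # (the page's example: kernel driver behind a privileged service, high -> moderate).
        sev = Severity(sev - 1)
    return sev
```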
Affected component
The development team responsible for fixing the bug depends on which component the bug is in. It could be a core component of the Android platform, a kernel driver supplied by an original equipment manufacturer (OEM), or one of the pre-loaded apps on Nexus devices.
Bugs in AOSP code are fixed by the Android engineering team. Low-severity bugs, bugs in certain components, or bugs that are already publicly known may be fixed directly in the publicly available AOSP master branch; otherwise they're fixed in our internal repositories first.
The component is also a factor in how users get updates. A bug in the framework or kernel will require an over-the-air (OTA) firmware update that each OEM will need to push. A bug in an app or library published in Google Play (e.g., Gmail, Google Play Services, WebView in Lollipop and later versions) can be sent to Android users as an update from Google Play.
Notifying partners
When a moderate or higher severity security vulnerability in AOSP is fixed, we'll notify Open Handset Alliance members with the details of the issue and provide patches for the most recent three Android releases. The Android security team currently provides patches for Android versions 4.4 (KitKat), 5.0 (Lollipop), and 5.1 (Lollipop MR1). This list of backport-supported versions changes with each new Android release.
Releasing code to AOSP
If the security bug is in an AOSP component, the fix will be pushed out to AOSP after the OTA is released to users. Fixes for low-severity issues may be submitted directly to the AOSP master branch before an update is available to users.
Receiving Android updates
Updates to the Android system are generally delivered to devices through OTA update packages. These updates may come from the OEM who produced the device or the carrier who provides service to the device. Google Nexus device updates come from the Google Nexus team after going through a carrier technical acceptance (TA) testing procedure. Google also publishes Nexus factory images that can be side-loaded to devices.