| Commit message (Collapse) | Author | Age | Files | Lines |
Add an alternative section to define encryption requirements for
device implementations using per-user block-level encrypted
partition.
Bug: 184198954
Test: none
Change-Id: Icba5a5541c367f8863466b453e249800c1f6d9aa
(cherry picked from commit 2ea5b7f402881b48dcd02acbc12d1fc2348adb18)
requirements.
This change has been introduced to ensure that TextClassifier
Service does not exfiltrate data off the device.
Bug: 149022430
Change-Id: I77368a337d54e54e6261fa7338f135208e322126
Update biometric section to clarify security requirements and enforce
consistent biometric implementations. This ensures that biometric
solutions are correctly implemented and surfaced via the biometrics APIs,
and that their security is measured and tested appropriately.
Bug: 145928315
Test: make -j
Change-Id: I633980e0f8993eb5814451e57601c216e03adaa8
Improvements in kernel support mean that we can now enable metadata
encryption on all devices. Metadata encryption improves user privacy,
and testing is more effective when we reduce ways for devices to vary.
Bug: 147690095
Test: n/a
Change-Id: Id94f110ad64b39db55d43501e929b26431b7fc53
Intents have been classified as application intents and
broadcast intents.
Application intents have been listed for each form factor.
Removed the terminology of Core intents and called it common
application intents to be more in line with the developer pages.
Also renamed section "3.2.3.5 default app settings" to
"conditional application intents" and moved in the conditional
application intents in that section.
The goal is to provide clarity to OEMs and developers on the
list of intents to expect an activity/handler.
Change-Id: I4416c2b06b7845581e701f8137e7d870d4749938
BUG: 148181180
Blob Sharing is a new feature in R which allows
apps to share data blobs with other apps by contributing
the data to the system. The purpose of these new CDD requirements
is to ensure data blobs belonging to apps are only shared as
restricted by the originating application.
Bug: 145299226
Test: visual inspection in markdown editor
Change-Id: I0b418af6b32a85b2fdff4ca50168b9eadbf0f03a
The idea is to eliminate bugs related to using uninitialized heap
variables in the kernel by force-initializing all the heap allocations
(page alloc and kmalloc()). This includes potential stability bugs as well
as information leaks and vulnerabilities related to control flow
subversion. Together with stack initialization, this change is going to
mitigate most of the bugs related to uninitialized memory in the kernel.
Test: None
Bug: 143931827
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: I3af6f5d8a02fd3895b9c5e125a602e8672478488
Update File-based encryption to include content related to Resume On Reboot requirements.
Bug: b/145144304
Change-Id: Ifd18665d28e26e9afa7ac63011e1484f2559d6cc
This new type of bug report is well-defined starting with Android R, and
is intended to capture information relevant to connectivity (telephony,
wi-fi, and networking) debugging without including unnecessary PII.
Bug: 145145343
Change-Id: Ie6e320482aaf07ca0b739a14ce627d6545367aa3
To ensure proper escrow token usage for
trusted devices, clarify that the encryption
keys must not be stored in any part of the
vehicle even if they are outside of Android
automotive head unit.
Bug: 151435941
Test: NA
Change-Id: I7450d0c116e832fef549074852a463afabc10c98
The new articles require device implementations to support on-access
verification with trusted certificates, such that for an enabled file,
if a part of the file is tampered with, a read from the tampered part
will fail.
As an example, fs-verity is an implementation in the Linux kernel
that is used to protect an APK if the APK is installed with a trusted
signature.
Test: check in an MD viewer
Bug: 144365636
Change-Id: Icae88a7cc3e4cdb61cf08cab98ab8adfa2931f77
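The on-access behaviour the message describes (a read from a tampered block fails, reads from untouched blocks still succeed), as an added illustration that is not part of the CDD change or the kernel's fs-verity code. It builds a per-block SHA-256 Merkle tree the way fs-verity conceptually does, with the root hash standing in for the value a trusted signature would cover, but it does not reproduce fs-verity's on-disk layout, hash-block packing or descriptor format; the block size, hash choice, `VerityError` class and the three-block sample file are all chosen here for illustration.

```python
"""Simplified fs-verity-style Merkle tree with on-access block verification.

Added illustration, not code from the CDD, Android or the Linux kernel. It
mirrors the idea behind fs-verity (a per-block Merkle tree whose root hash is
what gets signed and trusted), not its exact on-disk format.
"""
import hashlib

BLOCK_SIZE = 4096        # fs-verity's default data/hash block size
HASH = hashlib.sha256    # fs-verity supports sha256 and sha512


class VerityError(IOError):
    """Raised when a block fails verification (the kernel fails the read with EIO)."""


def _chunks(data: bytes, size: int) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)]


def _leaf_hash(block: bytes) -> bytes:
    # A short final block is zero-padded before hashing, as fs-verity does.
    return HASH(block.ljust(BLOCK_SIZE, b"\0")).digest()


def build_tree(data: bytes) -> list:
    """Return the tree as levels: levels[0] are leaf hashes, levels[-1] is [root]."""
    blocks = _chunks(data, BLOCK_SIZE) or [b""]
    levels = [[_leaf_hash(b) for b in blocks]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        # Hash adjacent pairs; an unpaired last node is hashed on its own.
        levels.append([HASH(b"".join(prev[i:i + 2])).digest()
                       for i in range(0, len(prev), 2)])
    return levels


def root_hash(levels: list) -> bytes:
    """The value a trusted signature (e.g. over an installed APK) would cover."""
    return levels[-1][0]


def verify_block(block: bytes, index: int, levels: list, root: bytes) -> bool:
    """Recompute the path from this block's leaf to the root using the stored
    sibling hashes, and compare with the trusted root."""
    h = _leaf_hash(block)
    for level in levels[:-1]:
        sibling_idx = index ^ 1
        sibling = level[sibling_idx] if sibling_idx < len(level) else None
        pair = (h, sibling) if index % 2 == 0 else (sibling, h)
        h = HASH(b"".join(p for p in pair if p is not None)).digest()
        index >>= 1
    return h == root


def read_block(storage: bytes, index: int, levels: list, root: bytes) -> bytes:
    """On-access check: return the block only if it verifies, else fail the read."""
    block = storage[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]
    if not verify_block(block, index, levels, root):
        raise VerityError(f"block {index} failed verity check")
    return block


def demo() -> dict:
    """Tamper with one block of a constructed three-block file and read every block."""
    # Constructed sample data (10240 bytes -> 3 blocks, the last one partial); not a real APK.
    original = bytes(range(256)) * 40
    levels = build_tree(original)
    root = root_hash(levels)           # trusted; the tree itself may be untrusted storage
    tampered = bytearray(original)
    tampered[BLOCK_SIZE + 100] ^= 0x01  # flip one bit inside block 1
    results = {}
    for i in range(3):
        try:
            read_block(bytes(tampered), i, levels, root)
            results[i] = "ok"
        except VerityError:
            results[i] = "EIO"
    return results


if __name__ == "__main__":
    print(demo())   # block 1 fails, blocks 0 and 2 still read fine
```

Only the tampered block fails: the untouched blocks still verify against the same root, which is the property the requirement asks for (a read from the tampered part fails, rather than the whole file becoming unreadable or, worse, the tampered data being returned).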
Allow devices to offer a device-to-device application data migration
capability that does not limit the application data it copies to what
is configured by the application developer in the manifest and any
backup include and exclude files, subject to certain security and
privacy requirements.
Bug: 143524713
Change-Id: Iccf72a4b4e6959b63d0311cd50a2f09e83aa8562
* Dropped references to WRITE_EXTERNAL_STORAGE and
WRITE_MEDIA_STORAGE permissions as the permission
WRITE_EXTERNAL_STORAGE is a no-op for apps targeting Android R.
Also the privileged permission WRITE_MEDIA_STORAGE is deprecated
in Android R.
* Scoped storage is enforced only by target SDK but the flag
requestLegacyExternalStorage is not a way to opt out when targeting
Android R.
* We no longer need text to emphasize how apps can access SD cards,
this is enforced in the SDK
* Raw file path access now allowed as privacy rules are enforced
behind the scenes
BUG: 144375132
Change-Id: I292426ee55ecb395dcdbcc3f840d8c9bc5e7a6fc
ACTION_MANAGE_OVERLAY_PERMISSION intent.
Without such a requirement, the intent android.settings.action.MANAGE_OVERLAY_PERMISSION
with data URI "package:<package>" can redirect the user
to the app-specific screen to enable permission
android.permission.SYSTEM_ALERT_WINDOW. This makes it too
easy for malicious apps to fool the user into enabling it.
Bug: 145286669
Change-Id: I5fce6cc6bf21b93f953b53ce077c0272dc71bae2
Automotive devices have a different timeout.
The screen goes to locked screen whenever
the vehicle is turned off or the user
profile is switched. The timeout configuration
is not an applicable setting for automotive
devices. Removing the requirement.
Bug: 154351787
Test: NA
Change-Id: I339b85850adec12843bb8506b081912e6abb7659
Clarify that automotive may use emergency
location bypass in the case of detection
of a crash/accident, satisfying eCall requirements
Bug: 152455211
Test: NA
Change-Id: I5b27dabd76ecba393ba85f9b08775caf9614cbeb
The idea is to eliminate bugs related to using uninitialized local
variables in the kernel by force-initializing all the locals. This
includes potential stability bugs as well as information leaks and
vulnerabilities related to control flow subversion. Together with
heap initialization, this change is going to mitigate most of the bugs
related to uninitialized memory in the kernel.
Test: None
Bug: 143863382
Signed-off-by: Alexander Potapenko <glider@google.com>
Change-Id: Ia0fe68df775a89c1d49b8d348fd105dcb41ff494
The Identity Credential System allows app developers to store
and retrieve user identity documents; device implementations are
strongly recommended to implement Identity Credential in a secure area.
Bug: 146022741
Test: n/a
Change-Id: I69bb11fdb1e9b7abcc73bf4ff23a447ca4a413de
The kernel portion of FBE originally used an AES-128-ECB based Key
Derivation Function (KDF) to derive per-file keys. While this met the
original security requirements, it is not a standard KDF and it does not
follow cryptographic best practices. For example, it is reversible, so
if a single file's key was compromised then all other files protected by
the same FBE policy were too. It is also inflexible, making it hard to
add new features to FBE and encouraging poor practices like reusing the
FBE master keys for both encryption and key derivation.
Android R supports a new FBE policy version which uses HKDF-SHA512
to derive all subkeys from the master key. It can be enabled using an
fstab option like "fileencryption=aes-256-xts:aes-256-cts:v2". It is
also the default setting when the shipping API level is >= R. Kernel
support is in android-4.14 and later, and in the upstream Linux kernel.
So, start requiring that a strong KDF be used and that FBE keys are not
used for different cryptographic purposes. As with the other storage
encryption format requirements, this only applies to new devices; this
is covered by the paragraph at the beginning of section 9.9.
This requirement does not require any special hardware support, and the
new KDF performs as well or better than the old KDF.
Bug: 144509061
Change-Id: Ie8b8df0a19be21dcfb7aed18aa3ac7e9c7e2b893
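The v2 derivation the message describes, as an added example that is not code from the CDD change, Android or the Linux kernel. It implements RFC 5869 HKDF with HMAC-SHA512 from the Python standard library and then layers on the fscrypt v2 conventions as I recall them from the kernel's fs/crypto/hkdf.c (an all-zero salt, and an info prefix of "fscrypt\0" followed by a one-byte context such as 1 for the key identifier and 2 for a per-file key); those fscrypt-specific constants, the `FscryptMasterKey` class and the constructed master key and nonces are assumptions to check against the kernel source, while the generic HKDF is validated against RFC 5869 test case 1.

```python
"""HKDF-SHA512 subkey derivation in the style of fscrypt v2 policies.

Added example, not code from the CDD, the Linux kernel or Android. RFC 5869
HKDF is implemented with HMAC-SHA512 using only the standard library; the
fscrypt-specific salt, info prefix and context values are assumptions recalled
from fs/crypto/hkdf.c and fs/crypto/fscrypt_private.h. Verify them against the
kernel tree you target before relying on exact key values.
"""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, digestmod=hashlib.sha512) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(digestmod().digest_size)
    return hmac.new(salt, ikm, digestmod).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, digestmod=hashlib.sha512) -> bytes:
    """RFC 5869 step 2: OKM = T(1) || T(2) || ..., T(i) = HMAC(PRK, T(i-1) || info || i)."""
    hashlen = digestmod().digest_size
    if length > 255 * hashlen:
        raise ValueError("HKDF can produce at most 255 * HashLen bytes")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), digestmod).digest()
        okm += t
        counter += 1
    return okm[:length]


# fscrypt v2 conventions (assumptions; check against the kernel source).
FSCRYPT_HKDF_SALT = bytes(hashlib.sha512().digest_size)  # all-zero salt
FSCRYPT_INFO_PREFIX = b"fscrypt\0"
HKDF_CONTEXT_KEY_IDENTIFIER = 1    # 16-byte identifier reported to user space
HKDF_CONTEXT_PER_FILE_ENC_KEY = 2  # info = the file's 16-byte nonce
HKDF_CONTEXT_DIRECT_KEY = 3        # info = encryption mode number (DIRECT_KEY policies)


class FscryptMasterKey:
    """Derives every subkey from one master key. The master key itself is
    never used directly for encryption, and because HKDF is one-way a
    compromised per-file key does not reveal the master key or any other
    file's key, which the old AES-ECB-based KDF could not guarantee."""

    def __init__(self, master_key: bytes):
        if len(master_key) < 16:
            raise ValueError("master key too short")
        # Extract once; every subkey is an Expand over the same PRK.
        self.prk = hkdf_extract(FSCRYPT_HKDF_SALT, master_key)

    def derive(self, context: int, info: bytes, length: int) -> bytes:
        return hkdf_expand(self.prk, FSCRYPT_INFO_PREFIX + bytes([context]) + info, length)

    def key_identifier(self) -> bytes:
        return self.derive(HKDF_CONTEXT_KEY_IDENTIFIER, b"", 16)

    def per_file_key(self, nonce: bytes, key_size: int = 32) -> bytes:
        if len(nonce) != 16:
            raise ValueError("fscrypt file nonces are 16 bytes")
        return self.derive(HKDF_CONTEXT_PER_FILE_ENC_KEY, nonce, key_size)

    def direct_key(self, mode_num: int, key_size: int = 32) -> bytes:
        return self.derive(HKDF_CONTEXT_DIRECT_KEY, bytes([mode_num]), key_size)


def rfc5869_selfcheck() -> bool:
    """Check the generic HKDF against RFC 5869 test case 1 (HMAC-SHA256)."""
    ikm = bytes([0x0B] * 22)
    salt = bytes(range(0x0D))
    info = bytes(range(0xF0, 0xFA))
    prk = hkdf_extract(salt, ikm, hashlib.sha256)
    okm = hkdf_expand(prk, info, 42, hashlib.sha256)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


if __name__ == "__main__":
    # Constructed master key and nonces for illustration, not real device secrets.
    mk = FscryptMasterKey(bytes(range(64)))
    print("key identifier:", mk.key_identifier().hex())
    for nonce in (bytes(16), b"\x01" + bytes(15)):
        print("per-file key for nonce", nonce.hex(), "->", mk.per_file_key(nonce).hex())
    print("RFC 5869 self-check:", rfc5869_selfcheck())
```

The separation the requirement asks for falls out of the context byte: the key identifier, per-file keys and direct keys are all distinct Expand outputs of one PRK, so no two purposes ever share key material, and the master key only enters the Extract step.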
Apps targeting Android 11 cannot see details about other installed apps
by default, due to the package visibility change.
Bug: 145293555
Change-Id: Iba1d6facb57f492589c3f5d61c719d0369367d1c
Bug: 140142603
Test: ./cdd_gen.sh --version <version-number> --branch <branch-name>
Change-Id: Ib0a8e55035eab94ff6ab28ad3c6aa6c7c1ae19d3
bug: b/140142603
test: NA
Change-Id: Ie5047a8497c94c4cb4e9f0b2bbea51efab9f2eda
Last line of file should end with a single newline.
Bug: 140034464
Test: N/A
Change-Id: Icdaaf61f25a0448fdf866fee4295b0ee15348812
Bug: 140034464
Test: N/A
Change-Id: If526c0b31459c7f368c623a0d0e916bfc3fd344f
- Introducing new biometrics tier model, adding
the requirements and constraints for each tier.
- Some editorial changes by reorganizing and folding some sections
- Transferred ag/6940471 on master to qt-branch
Bug: 126002559
Bug: 120995257 (7.3.10/C-2-5)
Bug: 124243324 (9.11.1/C-7-12)
Bug: 124403616 (7.3.10 additional background)
Bug: 123365828 (9.11.1/C-7-11)
Test: NA
Change-Id: Ib36d40935c77ec370a2494ddb1506b0a952fd525
- Some minor changes for reporting GNSS measurements
- Bumping up from Should to SR for 3-axis accelerometer
- Update privacy requirements related to the user's location to align
with the updated privacy policy
Bug: 124539379
Bug: 124405285
Bug: 124405354
Bug: 123593924
Bug: 124404671
Bug: 124404696
Test: N/A
Change-Id: I6278b6af8f1f3f00fe455d66fa051d3d7f5a2dc7
- Tighten the security consistently for Android ecosystem.
- Remove the condition of a secure lock screen for Keystore reqs for
form-factors (i.e. Handheld, Auto, TV) that have adopted keystore reqs.
Bug: 111748530
Change-Id: If7682e1410b52390135627d3edc9724d779a265f
- Provide more transparency for users about casting/screen recording.
Bug: 135560873
Test: N/A
Change-Id: I36c4f4e26e113bd24737bb0b5fc1476f6d378c83
- Updating the clipboard requirement to improve privacy.
Test: N/A
Fixes: 121159550
Change-Id: Id1cd6237ee741acdf2a24c43a9c4f5f2ec09d0ee
- Ensure the correct permission model is implemented for both location
and proprietary APIs that return location and physical activity.
- Correspond with the improved location/activity permission in Q.
Test: N/A
Bug: 124308476
Bug: 124124462
Change-Id: If5deec3f9c45c1784f66ebf24936e50602cd24a3
- Ensure the data captured on the device will not be leaked and abused.
Bug: 124510178
Test: none
Change-Id: I9840d1fca81b85c5198882ba8ddbdff527896e02
- This is a minor language improvement for the spirit. Previously, the
document explicitly requires /system, but actually all partitions
protected by Verified Boot are fine.
Test: None
Bug: 123365823
Change-Id: I405371c69323bb95bc07e18c09b78ed2d1bcf46e