The security and privacy of our users' data is of primary importance to the Android Open Source Project. We are dedicated to building and maintaining one of the most secure mobile platforms available while still fulfilling our goal of opening the mobile device space to innovation and competition.
The Android Platform provides a rich security model that allows developers to request the capabilities, or access, needed by their application and to define new capabilities that other applications can request. The Android user can choose to grant or deny an application's request for certain capabilities on the handset.
We have made great efforts to secure the Android platform, but it is inevitable that security bugs will be found in any system of this complexity. Therefore, the Android team works hard to find new bugs internally and responds quickly and professionally to vulnerability reports from external researchers.
You can reach the Android security team at email@example.com. If you like, you can protect your message using our PGP key.
We appreciate researchers practicing responsible disclosure by emailing us with a detailed summary of the issue and keeping the issue confidential while users are at risk. In return, we will make sure to keep the researcher informed of our progress in issuing a fix and will properly credit the reporter(s) when we announce the patch. We will always move swiftly to mitigate or fix an externally-reported flaw and will publicly announce the fix once patches are available to users.
An important part of sustainably securing a platform, such as, Android is keeping the user and security community informed of bugs and fixes. We will publicly announce security bugs when the fixes are available via postings to the android-security-announce group on Google Groups. You can subscribe to this group as you would a mailing list and view the archives here.
For more general discussion of Android platform security, or how to use security features in your Android application, please subscribe to android-security-discuss.
As an open platform, Android allows users to load software from any developer onto a device. As with a home PC, the user must be aware of who is providing the software they are downloading and must decide whether they want to grant the application the capabilities it requests. This decision can be informed by the user's judgment of the software developer's trustworthiness, and where the software came from.
Despite the security protections in Android, it is important for users to only download and install software from developers they trust. More details on how Android users can make smart security decisions will be released when consumer devices become available.
Like any other open platform, it will be possible for unethical developers to create malicious software, known as malware, for Android. If you think somebody is trying to spread malware, please let us know at firstname.lastname@example.org. Please include as much detail about the application as possible, with the location it is being distributed from and why you suspect it of being malicious software.
The term malicious software is subjective, and we cannot make an exhaustive definition. Some examples of what the Android Security Team believes to be malicious software is any application that:
The manufacturer of each device is responsible for distributing software upgrades for it, including security fixes. Many devices will update themselves automatically with software downloaded "over the air", while some devices require the user to upgrade them manually.
When Android-powered devices are publicly available, this FAQ will provide links how Open Handset Alliance members release updates.
Android is a mobile platform that will be released as open source and available for free use by anybody. This means that there will be many Android-based products available to consumers, and most of them will be created without the knowledge or participation of the Android Open Source Project. Like the maintainers of other open source projects, we cannot build and release patches for the entire ecosystem of products using Android. Instead, we will work diligently to find and fix flaws as quickly as possible and to distribute those fixes to the manufacturers of the products.
In addition, We will add security fixes to the open source distribution of Android and publicly announce the changes on android-security-announce.
If you are making an Android-powered device and would like to know how you can properly support your customers by keeping abreast of software updates, please contact us at email@example.com.