en/security/best-practices/network.html - platform/docs/source.android.com - Git at Google

 <html devsite>
   <head>
     <title>Network Security Best Practices</title>
     <meta name="project_path" value="/_project.yaml" />
     <meta name="book_path" value="/_book.yaml" />
   </head>
   <body>
   <!--
       Copyright 2018 The Android Open Source Project

       Licensed under the Apache License, Version 2.0 (the "License");
       you may not use this file except in compliance with the License.
       You may obtain a copy of the License at

           //www.apache.org/licenses/LICENSE-2.0

       Unless required by applicable law or agreed to in writing, software
       distributed under the License is distributed on an "AS IS" BASIS,
       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
       See the License for the specific language governing permissions and
       limitations under the License.
   -->

 <p>This section contains recommendations to ensure the security of network
   communications from Android devices.</p>

 <h2 id="securing-listening-sockets">Securing listening sockets</h2>

 <p>Use listening sockets with caution. There should generally
   not be any open listening sockets on devices as these provide a vector for a
   remote attacker to gain access to the device.</p>

 <ul>
   <li>Android devices should minimize the number of internet listening sockets
     they expose, especially on boot or by default. No socket should be
     listening on the internet at boot by default.
     <ul>
       <li>Root processes and processes owned by the system unique identifier
         (UID) shouldn't expose any listening sockets.</li>
     </ul>
   </li>
   <li>Listening sockets must be able to be disabled without an OTA update. This
     can be performed using either a server or user-device configuration change.</li>
   <li>For local IPC-using sockets, apps must use a UNIX domain socket with
     access limited to a group. Create a file descriptor for the IPC and make it
     +RW for a specific UNIX group. Any client apps must be within that UNIX
     group.</li>
   <li>Some devices with multiple processors (for example, a radio/modem separate
     from the app processor) use network sockets to communicate between
     processors. In such instances, the network socket used for inter-processor
     communication must use an isolated network interface to prevent access by
     unauthorized apps on the device (i.e. use iptables to prevent access by
     other apps on the device).</li>
   <li>Daemons that handle listening ports must be robust against malformed
     data. You should conduct fuzz-testing against the port using an
     unauthorized client, and, where possible, authorized client. File bugs to
     follow up on crashes.</li>
 </ul>

 <p>The <a href="/compatibility/tests/">Android Compatibility Test Suite</a>
    (CTS) includes tests that check for the presence of open listening ports.
 </p>

 <h3 id="disable-adb">Disable ADB</h3>

 <p>Android Debug Bridge (ADB) is a valuable development and debugging tool, but
   is designed for use in a controlled, secure environment and should not be
   enabled for general use.</p>

 <ul>
   <li>Ensure that ADB is disabled by default.</li>
   <li>Ensure that ADB requires the user to turn it on before accepting
     connections.</li>
 </ul>
 </body>
 </html>
	<html devsite>
	<head>
	<title>Network Security Best Practices</title>
	<meta name="project_path" value="/_project.yaml" />
	<meta name="book_path" value="/_book.yaml" />
	</head>
	<body>
	<!--
	Copyright 2018 The Android Open Source Project

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	//www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->

	<p>This section contains recommendations to ensure the security of network
	communications from Android devices.</p>

	<h2 id="securing-listening-sockets">Securing listening sockets</h2>

	<p>Use listening sockets with caution. There should generally
	not be any open listening sockets on devices as these provide a vector for a
	remote attacker to gain access to the device.</p>

	<ul>
	<li>Android devices should minimize the number of internet listening sockets
	they expose, especially on boot or by default. No socket should be
	listening on the internet at boot by default.
	<ul>
	<li>Root processes and processes owned by the system unique identifier
	(UID) shouldn't expose any listening sockets.</li>
	</ul>
	</li>
	<li>Listening sockets must be able to be disabled without an OTA update. This
	can be performed using either a server or user-device configuration change.</li>
	<li>For local IPC-using sockets, apps must use a UNIX domain socket with
	access limited to a group. Create a file descriptor for the IPC and make it
	+RW for a specific UNIX group. Any client apps must be within that UNIX
	group.</li>
	<li>Some devices with multiple processors (for example, a radio/modem separate
	from the app processor) use network sockets to communicate between
	processors. In such instances, the network socket used for inter-processor
	communication must use an isolated network interface to prevent access by
	unauthorized apps on the device (i.e. use iptables to prevent access by
	other apps on the device).</li>
	<li>Daemons that handle listening ports must be robust against malformed
	data. You should conduct fuzz-testing against the port using an
	unauthorized client, and, where possible, authorized client. File bugs to
	follow up on crashes.</li>
	</ul>

	<p>The <a href="/compatibility/tests/">Android Compatibility Test Suite</a>
	(CTS) includes tests that check for the presence of open listening ports.
	</p>

	<h3 id="disable-adb">Disable ADB</h3>

	<p>Android Debug Bridge (ADB) is a valuable development and debugging tool, but
	is designed for use in a controlled, secure environment and should not be
	enabled for general use.</p>

	<ul>
	<li>Ensure that ADB is disabled by default.</li>
	<li>Ensure that ADB requires the user to turn it on before accepting
	connections.</li>
	</ul>
	</body>
	</html>