Android Security Mechanism
Android is built on the Linux kernel. It therefore inherits the security mechanisms of the Linux operating system and, on top of them, adds its own security features at each layer of its architecture.
Linux Kernel Security Mechanism
The Android Linux kernel provides two kinds of access control: mandatory access control (MAC) and discretionary access control (DAC). MAC is implemented through the Linux Security Module (LSM) framework; on Android this is SELinux, which has been enforced on all processes since Android 5.0. DAC is implemented by ordinary file access control: every file carries an owner, a group, and a mode made up of read (r), write (w) and execute (x) bits for the owner (user), the group and everyone else (other). Each file therefore has three permission sets that allow or deny access for the owning user, the owning group and all other users. Most system files can only be accessed by processes running as "root" or "system", so an application can reach them only indirectly, by requesting the corresponding Android permission and going through a privileged service. Android builds its application "sandbox" on this kernel-layer DAC (each application runs as its own uid) and on the process model of the runtime; the Dalvik virtual machine (replaced by ART since Android 5.0) supplies the runtime environment but is not itself a security boundary.
Android sandbox Mechanism
The Android sandbox exists to isolate applications and processes from one another. By default an application has no permission to access system resources or the resources of other applications. Each app and each system process is assigned a unique, fixed user ID at install time, which is the uid of the corresponding kernel-level process. Each app runs in its own process, forked from Zygote, with its own instance of the runtime, its own address space and its own resources. Because a process running in the Dalvik virtual machine (or ART) is still an ordinary Linux process, the kernel's uid-based file access control is what actually keeps one app out of another's files; the VM provides the runtime, not the isolation. Any application that wants to access system resources or another application's resources must declare the required permissions, or share a uid with that application, in its own manifest file.
Android storage is split into two partitions: system and data. The system partition (/system) is mounted read-only and holds the OS image; the data partition (/data) holds application data, with each app's private directory under /data/data owned by that app's uid. This ensures that system files cannot be rewritten at will.
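The following is an added example, not code from the original article or from the Android project: a small Python model of the kernel's owner/group/other DAC decision described in the two sections above, run over constructed `ls -l`-style entries for two app data directories and one system file. The uid conventions it uses (app uids start at 10000 and are displayed as u0_aNNN, each Android user adds 100000, root is 0, system is 1000) are real Android conventions; the package names, uids and file entries are made up for the example. SELinux, which is checked after DAC on a real device, is not modelled.

```python
from dataclasses import dataclass

AID_APP_START = 10000      # first uid handed out to an installed app
AID_USER_OFFSET = 100000   # uid range reserved per Android user (multi-user)
WELL_KNOWN = {"root": 0, "system": 1000}


def uid_to_name(uid):
    """Render a numeric uid the way Android's `ls -l` and `ps` do (e.g. u0_a123)."""
    user, app = divmod(uid, AID_USER_OFFSET)
    if app >= AID_APP_START:
        return f"u{user}_a{app - AID_APP_START}"
    for name, known in WELL_KNOWN.items():
        if known == app:
            return name
    return str(uid)


def name_to_uid(name):
    """Inverse of uid_to_name for the names used in this example."""
    if name in WELL_KNOWN:
        return WELL_KNOWN[name]
    user_part, app_part = name.split("_a")       # "u0_a123" -> ("u0", "123")
    user = int(user_part[1:])
    return user * AID_USER_OFFSET + AID_APP_START + int(app_part)


@dataclass
class Entry:
    path: str
    mode: str    # e.g. "drwx------"
    owner: int
    group: int


def parse_ls_line(line):
    """Parse a constructed `ls -l`-style line: mode owner group path."""
    mode, owner, group, path = line.split()
    return Entry(path, mode, name_to_uid(owner), name_to_uid(group))


def dac_allows(uid, gids, entry, want):
    """Owner/group/other decision as the kernel's DAC check makes it.

    `want` is a subset of "rwx". Root (uid 0) holds CAP_DAC_OVERRIDE, which
    bypasses read/write checks and execute checks as long as at least one
    execute bit is set. SELinux would be consulted afterwards on a real device.
    """
    bits = entry.mode[1:]                        # strip the file-type character
    if uid == 0:
        return "x" not in want or "x" in bits
    if uid == entry.owner:
        cls = bits[0:3]
    elif entry.group in gids:
        cls = bits[3:6]
    else:
        cls = bits[6:9]
    return all(ch in cls for ch in want)


# Constructed sample: two apps' private data directories and one system file.
ENTRIES = [parse_ls_line(line) for line in (
    "drwx------ u0_a123 u0_a123 /data/data/com.example.alpha",
    "drwx------ u0_a124 u0_a124 /data/data/com.example.beta",
    "-rw-r--r-- root root /system/build.prop",
)]


def check(process_user, path, want):
    """Would a process running as `process_user` get `want` access to `path`?"""
    uid = name_to_uid(process_user)
    entry = next(e for e in ENTRIES if e.path == path)
    return dac_allows(uid, {uid}, entry, want)   # each app's primary gid equals its uid


if __name__ == "__main__":
    for user, path, want in (
        ("u0_a123", "/data/data/com.example.alpha", "rwx"),
        ("u0_a123", "/data/data/com.example.beta", "r"),
        ("u0_a123", "/system/build.prop", "w"),
        ("root", "/data/data/com.example.beta", "rw"),
    ):
        print(f"{user:8} {want:3} {path}: {'allowed' if check(user, path, want) else 'denied'}")
```

The sandbox shows up in the last three checks: app u0_a123 can do anything inside its own directory, is denied even read access to the other app's directory, can read but not write the system file, and only root crosses the boundary.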
Application permission Mechanism
Before using a restricted resource (such as the network, phone, SMS, Bluetooth, the address book or the SD card), an application must request the corresponding permission from the Android system by declaring it in its XML manifest (AndroidManifest.xml, with a <uses-permission> element). The application can use the resource only after the system has granted the permission: normal permissions are granted at install time, while dangerous permissions have required the user's approval at runtime since Android 6.0. Permissions and Java APIs map many-to-many: one permission guards many API calls, and a single API call may require several permissions.
How can two apps run in the same process? 1. Both apps are signed with the same private key. 2. Both apps set android:sharedUserId in their manifest to the same value, so that they are assigned the same uid. Two caveats: a shared uid only makes the two apps the same Linux user, so they can read each other's private files; to actually share one process their components must additionally declare the same android:process name. And android:sharedUserId is deprecated since API level 29 (Android 10), so it should not be relied on in new applications.
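As an added illustration (not a manifest from the original article), the two manifest fragments below show how the permission declaration from the previous section and the shared-uid procedure fit together. The package names, the shared user id value com.example.shared and the process name com.example.shared.proc are assumed for the example; both APKs would also have to be signed with the same key, otherwise the package manager refuses the second install.

```xml
<!-- App A: com.example.alpha/AndroidManifest.xml -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.alpha"
    android:sharedUserId="com.example.shared">   <!-- same value in both apps -->

    <!-- permission requests: the system grants these, the app cannot grant itself -->
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />

    <!-- android:process names a global process; components of both apps that
         use the same name (and the same uid) are loaded into one process -->
    <application android:label="Alpha"
        android:process="com.example.shared.proc">
        <activity android:name=".MainActivity" />
    </application>
</manifest>

<!-- App B: com.example.beta/AndroidManifest.xml -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.beta"
    android:sharedUserId="com.example.shared">   <!-- must match app A exactly -->

    <uses-permission android:name="android.permission.INTERNET" />

    <application android:label="Beta"
        android:process="com.example.shared.proc">
        <service android:name=".SyncService" />
    </application>
</manifest>
```

Once both are installed, `ls -ln /data/data/com.example.alpha /data/data/com.example.beta` on the device shows the same numeric owner for both directories, which is exactly the sandbox boundary the shared uid removes: either app can read and write the other's private files, so this should only be done between apps from one publisher that fully trust each other.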