Tags: android sandbox security
When studying the Android system, one sometimes runs into the concept of the Sandbox. The sandbox concept itself is not particularly novel, but it was never very clear to me how Android achieves what it calls its "sandbox". Many people online claim that an application running in a virtual machine means a sandbox is being used, and I have always doubted that claim.
Recently I noticed that the Android website had updated some of its documents, including an explanation of the Sandbox, and only then did I understand what Sandbox means in Android.
Android's "sandbox" is a refinement of how UIDs are used on top of ordinary Linux process management. On a normal Linux system, launched applications are usually associated with the logged-in user, and every process of the same user shares the same UID. Android, however, assigns a different UID to each application, so different applications cannot access each other's resources. For an application this is more closed off, and more secure. Although I had long been aware of this behaviour, I did not know that this is what Android calls its "sandbox".
The English explanation follows:
The Application Sandbox
The Android platform takes advantage of the Linux user-based protection as a means of identifying and isolating application resources. The Android system assigns a unique user ID (UID) to each Android application and runs it as that user in a separate process. This approach is different from other operating systems (including the traditional Linux configuration), where multiple applications run with the same user permissions.
This sets up a kernel-level Application Sandbox. The kernel enforces security between applications and the system at the process level through standard Linux facilities, such as user and group IDs that are assigned to applications. By default, applications cannot interact with each other and applications have limited access to the operating system. If application A tries to do something malicious like read application B's data or dial the phone without permission (which is a separate application), then the operating system protects against this because application A does not have the appropriate user privileges. The sandbox is simple, auditable, and based on decades-old UNIX-style user separation of processes and file permissions.
Since the Application Sandbox is in the kernel, this security model extends to native code and to operating system applications. All of the software above the kernel in Figure 1, including operating system libraries, application framework, application runtime, and all applications run within the Application Sandbox. On some platforms, developers are constrained to a specific development framework, set of APIs, or language in order to enforce security. On Android, there are no restrictions on how an application can be written that are required to enforce security; in this respect, native code is just as secure as interpreted code.
In some operating systems, memory corruption errors generally lead to completely compromising the security of the device. This is not the case in Android due to all applications and their resources being sandboxed at the OS level. A memory corruption error will only allow arbitrary code execution in the context of that particular application, with the permissions established by the operating system.
Like all security features, the Application Sandbox is not unbreakable. However, to break out of
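As an added illustration (not code from this post or from the Android documentation), the following Python models the Linux owner/group/other permission check that the per-app UID model above relies on: two apps with distinct UIDs, one of app B's private files, and one file that B's developer deliberately made world-readable. The app names, indices and paths are constructed for the example; the UID constants are Android's real ones.

```python
from dataclasses import dataclass
# Real Android constants: app UIDs start at 10000 (AID_APP_START) and each
# Android user owns a 100000-wide UID range, so "u0_a12" is UID 10012.
AID_APP_START = 10000
AID_USER_OFFSET = 100000

@dataclass(frozen=True)
class FileEntry:
    path: str
    uid: int   # owning UID
    gid: int   # owning GID
    mode: int  # permission bits only, e.g. 0o600

@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset  # primary plus supplementary group IDs

def app_uid(app_index: int, user_id: int = 0) -> int:
    """UID the system assigns to app number `app_index` of Android user `user_id`."""
    return user_id * AID_USER_OFFSET + AID_APP_START + app_index

def dac_allows(proc: Process, f: FileEntry, want: int) -> bool:
    """Simplified Linux owner/group/other check that the sandbox relies on.
    `want` is an rwx mask (4=read, 2=write, 1=exec). Root bypasses DAC, but
    ordinary apps never run as UID 0. Parent-directory search bits are ignored."""
    if proc.uid == 0:
        return True
    if proc.uid == f.uid:
        bits = (f.mode >> 6) & 0o7   # owner class
    elif f.gid in proc.gids:
        bits = (f.mode >> 3) & 0o7   # group class
    else:
        bits = f.mode & 0o7          # other class
    return (bits & want) == want

def sandbox_demo() -> dict:
    """Constructed scenario: apps A (index 12) and B (index 13) under user 0."""
    a = Process(uid=app_uid(12), gids=frozenset({app_uid(12)}))
    b = Process(uid=app_uid(13), gids=frozenset({app_uid(13)}))
    # B's private file with the default private mode (0600): only UID 10013 passes.
    private = FileEntry("/data/data/com.example.b/files/secret.db", b.uid, b.uid, 0o600)
    # A file B's developer made world-readable (0644): the kernel sandbox cannot
    # protect data that its owner deliberately opened up to everyone.
    shared = FileEntry("/data/data/com.example.b/files/shared.txt", b.uid, b.uid, 0o644)
    read = 4
    return {
        "b_reads_own_private": dac_allows(b, private, read),      # True
        "a_reads_b_private": dac_allows(a, private, read),        # False
        "a_reads_b_world_readable": dac_allows(a, shared, read),  # True
    }
```

The last entry is the practical caveat: the UID boundary only protects files whose modes the owning app keeps private, which is why audits of an app's data directory should flag any world-readable or world-writable entries.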
Android's SandBox