Android is built on the Linux kernel and inherits its security model. Android
adds abstractions of its own on top of Linux, however, most notably the use
of Linux user accounts to isolate applications from one another. Android
permissions are rights granted to applications that allow them to take
pictures, use the GPS, make phone calls, and so on. When an application is
installed it is assigned a unique user identifier (UID); this is the familiar
Unix UID seen on desktops and servers, a small integer (application UIDs
start at 10000, so 10011, for instance) that is unique on a given system and
that the kernel uses to control access to files, devices, and other
resources. An application always runs under its assigned UID on a given
device, just as a user keeps the same UID on a particular server but has
unrelated UIDs on other systems. Because the application's UID is what
protects its data, a developer must be explicit about sharing data with other
applications; nothing is shared by default. Applications can entertain users
with graphics, play music, run native code, and launch other programs without
needing any permissions.
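The UID check described above is enforced by the kernel on ordinary file
permissions, so the practical question for a reviewer is whether an app's
private files are really private. The following is an added example, not
code from the original text: it parses a constructed `ls -ln`-style listing
of two hypothetical app data directories (`com.example.notes`,
`com.example.player`, UIDs 10071 and 10072, all invented for this example)
and reports files that a different UID could read or write, or that are owned
by the wrong UID altogether.

```python
import re
import stat
from dataclasses import dataclass

# Constructed sample: the UID each package runs as, in the form
# `dumpsys package <pkg>` reports it (userId=...).  Not from a real device.
APP_UIDS = {
    "com.example.notes": 10071,
    "com.example.player": 10072,
}

# Constructed sample in the shape of `ls -ln` run over each app's private
# data directory (numeric owner and group, as toybox ls prints them).
SAMPLE_LISTING = """\
/data/data/com.example.notes:
drwxrwx--x 3 10071 10071 4096 2024-01-05 10:12 files
-rw------- 1 10071 10071  812 2024-01-05 10:12 files/notes.db
-rw-rw-rw- 1 10071 10071  120 2024-01-05 10:13 files/export.txt
-rw------- 1 10072 10072   64 2024-01-05 10:14 files/cache.tmp
/data/data/com.example.player:
drwxrwx--x 2 10072 10072 4096 2024-01-05 10:20 files
-rw-r--r-- 1 10072 10072 2048 2024-01-05 10:20 files/prefs.xml
"""

# mode, link count, uid, gid, size, date, time, name
ENTRY_RE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+(.+)$"
)


@dataclass
class Finding:
    package: str
    path: str
    issue: str


def parse_mode(mode_str: str) -> int:
    """Turn an ls-style mode string such as '-rw-rw-rw-' into permission bits (0o666)."""
    bits = 0
    for i, ch in enumerate(mode_str[1:10]):
        if ch not in "-ST":          # 'S'/'T' mean setuid/sticky without the x bit
            bits |= 1 << (8 - i)
    return bits


def audit(listing: str, app_uids: dict) -> list:
    """Report entries in app data directories that another UID could read or write."""
    findings = []
    package = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/data/data/") and line.endswith(":"):
            package = line[len("/data/data/"):-1]      # header of a new directory
            continue
        m = ENTRY_RE.match(line)
        if m is None or package is None:
            continue
        mode_str, uid, _gid, name = m.groups()
        uid = int(uid)
        path = f"/data/data/{package}/{name}"
        mode = parse_mode(mode_str)
        expected = app_uids.get(package)
        if expected is not None and uid != expected:
            findings.append(Finding(package, path,
                                    f"owned by uid {uid}, expected {expected}"))
        # Other-execute on a directory only allows traversal and is Android's
        # default for app data directories, so only read and write are flagged.
        if mode & stat.S_IROTH:
            findings.append(Finding(package, path, "world-readable"))
        if mode & stat.S_IWOTH:
            findings.append(Finding(package, path, "world-writable"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING, APP_UIDS):
        print(f"{f.package}: {f.path}: {f.issue}")
```

On a real device the listing would come from `adb shell run-as <pkg> ls -ln`
for a debuggable app or from a rooted shell; the point of the check is that a
world-readable file under `/data/data/<pkg>` is reachable by every other UID
on the phone, no permission required.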
Requiring permissions limits the damage malicious software can do, unless a
user unwisely grants powerful rights to dubious software. Preventing people
from making bad but informed choices is beyond the scope of the security
model; the permission model is designed to make the choice an informed one.
The Android permission model is extensible, and developers defining new
permissions need to keep in mind what a phone user can reasonably be expected
to understand. A confused user can't make good choices. To limit the scope
for abuse, permissions are required for operations that are potentially
dangerous but that the phone must nonetheless support, such as the following:
Directly dialing calls (which may incur tolls)
Accessing private data
Altering address books, e-mail, and so on
Generally a user's response to annoying, buggy, or malicious software is
simply to uninstall it. If the software disrupts the phone enough that the
user can't uninstall it, they can reboot the phone (optionally in safe mode,
which stops non-system code from running) and then remove the software
before it has a chance to run again.
Android's runtime system tracks which permissions each application holds;
these are granted either when the OS is installed (for applications that ship
with it) or when the user installs the application. To be installed, an
application asks the user to approve the permissions it requests, all of them
at once. Users will be hesitant to install applications that want access to
personal data or the dialer. Most won't mind granting Internet or coarse
location access, or any permission that makes sense for the application being
installed. (This describes the install-time, all-or-nothing model; since
Android 6.0, applications targeting API level 23 or later instead request
dangerous permissions at runtime, when the feature is first used, and the
user can grant or deny each one individually.)
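Whether a permission "makes sense for the application" is a judgement, but a
reviewer can at least mechanise the first pass. The following is an added
example, not code from the original text: it parses a constructed manifest for
a hypothetical flashlight app (`com.example.flashlight`, invented here),
separates the permissions the text calls out as sensitive (dialer, address
book, private data) from routine ones such as Internet and coarse location,
and reads `targetSdkVersion` to tell whether the app would be subject to the
install-time prompt or, on Android 6.0 and later, to runtime prompts. The
sensitive/routine buckets are this example's own heuristic, not Android's
protection-level table.

```python
import xml.etree.ElementTree as ET

# Android's manifest attribute namespace, as used by ElementTree.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Reviewer heuristic for this example, following the operations the text
# singles out as dangerous.  Not Android's protectionLevel classification.
SENSITIVE = {
    "android.permission.CALL_PHONE": "dials calls directly (may incur tolls)",
    "android.permission.SEND_SMS": "sends messages (may incur tolls)",
    "android.permission.READ_CONTACTS": "reads the address book",
    "android.permission.WRITE_CONTACTS": "alters the address book",
    "android.permission.READ_SMS": "reads private messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}
ROUTINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.VIBRATE",
}

# Constructed sample manifest for a hypothetical flashlight app that asks
# for far more than a flashlight needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="22" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.CALL_PHONE" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <application android:label="Flashlight" />
</manifest>
"""


def target_sdk(root: ET.Element) -> int:
    """targetSdkVersion from <uses-sdk>; Android defaults it to minSdkVersion, then 1."""
    sdk = root.find("uses-sdk")
    if sdk is None:
        return 1
    value = (sdk.get(ANDROID_NS + "targetSdkVersion")
             or sdk.get(ANDROID_NS + "minSdkVersion")
             or "1")
    return int(value)


def review(manifest_xml: str) -> dict:
    """Bucket the requested permissions and say how the user will be prompted."""
    root = ET.fromstring(manifest_xml)
    requested = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    target = target_sdk(root)
    return {
        "package": root.get("package"),
        "target_sdk": target,
        # Apps targeting API 23+ on Android 6.0+ are prompted for dangerous
        # permissions at runtime; older targets get one install-time prompt.
        "prompt": "runtime" if target >= 23 else "install-time",
        "sensitive": {p: SENSITIVE[p] for p in requested if p in SENSITIVE},
        "routine": [p for p in requested if p in ROUTINE],
        "other": [p for p in requested if p not in SENSITIVE and p not in ROUTINE],
    }


if __name__ == "__main__":
    report = review(SAMPLE_MANIFEST)
    print(f"{report['package']} (targetSdk {report['target_sdk']}, "
          f"{report['prompt']} prompt)")
    for name, why in report["sensitive"].items():
        print(f"  SENSITIVE {name}: {why}")
    for name in report["routine"]:
        print(f"  routine   {name}")
    for name in report["other"]:
        print(f"  other     {name}")
```

For the sample, a flashlight app requesting `CALL_PHONE` and `READ_CONTACTS`
is exactly the kind of mismatch the text says should make a user hesitate,
and with `targetSdkVersion` 22 the user's only options are to accept every
permission or not install at all.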