Security on Android devices

Adobe AIR 2.5 and later

On Android, as on all computing devices, AIR conforms to the native security model. At the same time, AIR maintains its own security rules, which are intended to make it easy for developers to write secure, Internet-connected applications.

Since AIR applications on Android use the Android package format, installation falls under the Android security model. The AIR application installer is not used.

The Android security model has three primary aspects:

  • Permissions

  • Application signatures

  • Application user IDs

Android permissions

Many features of Android are protected by the operating system permission mechanism. In order to use a protected feature, the AIR application descriptor must declare that the application requires the necessary permission. When a user attempts to install the app, the Android operating system displays all requested permissions to the user before the installation proceeds.

Most AIR applications will need to specify Android permissions in the application descriptor. By default, no permissions are included. The following permissions are required for protected Android features exposed through the AIR runtime:

Allows the application to access WIFI and cellular network location data through the Geolocation class.

Allows the application to access GPS data through the Geolocation class.

Allows the application to access network information the NetworkInfo class.

Allows the application to access the camera.

Allows the application to make network requests. Also allows remote debugging.

Allows the AIR runtime to mute audio when an incoming call occurs.

Allows the application to access the microphone.

Allows the application to prevent the device from going to sleep using the SystemIdleMode class settings.

Allows the application to write to the external memory card on the device.

Application signatures

All application packages created for the Android platform must be signed. Since AIR applications on Android are packaged in the native Android APK format, they are signed in accordance to Android conventions rather than AIR conventions. While Android and AIR use code signing in a similar fashion, there are significant differences:

  • On Android, the signature verifies that the private key is in possession of the developer, but is not used to verify the identity of the developer.

  • For apps submitted to the Android market, the certificate must be valid for at least 25 years.

  • Android does not support migrating the package signature to another certificate. If an update is signed by a different certificate, then users must uninstall the original app before they can install the updated app.

  • Two apps signed with the same certificate can specify a shared ID that permits them to access each others cache and data files. (Such sharing is not facilitated by AIR. )

Application user IDs

Android uses a Linux kernel. Every installed app is assigned a Linux-type user ID that determines its permissions for such operations as file access. Files in the application, application storage, and temporary directories are protected from access by file system permissions. Files written to external storage (in other words, the SD card) can be read, modified, and deleted by other applications, or by the user, when the SD card is mounted as a mass storage device on a computer.

Cookies received with internet requests are not shared between AIR applications.

Background image privacy

When a user switches an application to the background, some Android versions capture a screenshot that it uses a thumbnail in the recent applications list. This screenshot is stored in device memory and can be accessed by an attacker in physical control of the device.

If your application displays sensitive information, you should guard against such information being captured by the background screenshot. The deactivate event dispatched by the NativeApplication object signals that an application is about to switch to the background. Use this event to clear or hide any sensitive information.

Encrypted data on Android

AIR applications on Android can use the encryption options available in the built-in SQL database to save encrypted data. For optimum security, base the encryption key on a user-entered password that is entered whenever the application is run. A locally stored encryption key or password is difficult or impossible to “hide” from an attacker who has access to the application files. If the attacker can retrieve the key, then encrypting the data does not afford any additional protection beyond the user ID-based filesystem security provided by the Android system.

The EncryptedLocalStore class can be used to save data, but that data is not encrypted on Android devices. Instead, the Android security model relies on the application user ID to protect the data from other applications. Applications that use a shared user ID and which are signed with the same code signing certificate use the same encrypted local store.

Important: On a rooted phone, any application running with root privileges can access the files of any other application. Thus, data stored using the encrypted local store is not secure on a rooted device.

// Ethnio survey code removed