This section contains recommendations to ensure the security of network communications from Android devices.
Securing listening sockets
Use listening sockets with caution. There should generally not be any open listening sockets on devices as these provide a vector for a remote attacker to gain access to the device.
- Android devices should minimize the number of internet listening sockets
they expose, especially on boot or by default. No socket should be
listening on the internet at boot by default.
- Root processes and processes owned by the system unique identifier (UID) shouldn't expose any listening sockets.
- Listening sockets must be able to be disabled without an OTA update. This can be performed using either a server or user-device configuration change.
- For local IPC-using sockets, apps must use a UNIX domain socket with access limited to a group. Create a file descriptor for the IPC and make it +RW for a specific UNIX group. Any client apps must be within that UNIX group.
- Some devices with multiple processors (for example, a radio/modem separate from the app processor) use network sockets to communicate between processors. In such instances, the network socket used for inter-processor communication must use an isolated network interface to prevent access by unauthorized apps on the device (i.e. use iptables to prevent access by other apps on the device).
- Daemons that handle listening ports must be robust against malformed data. You should conduct fuzz-testing against the port using an unauthorized client, and, where possible, authorized client. File bugs to follow up on crashes.
The Android Compatibility Test Suite (CTS) includes tests that check for the presence of open listening ports.
Android Debug Bridge (ADB) is a valuable development and debugging tool, but is designed for use in a controlled, secure environment and should not be enabled for general use.
- Ensure that ADB is disabled by default.
- Ensure that ADB requires the user to turn it on before accepting connections.