Actually we don't consider the VM to be a security barrier, and the browser is a good reason why this is the case -- the vast majority of the browser (and the parts that tend to have security bugs) are in WebKit, which is a native C++ library. Our platform's primary security barrier is through process/uid separation, enforced by the kernel, so native code in an app is no less secure than Java code.
On Fri, Aug 27, 2010 at 8:32 AM, Tauren <[email protected]> wrote: > So let me see if I understand this fully in regards to the android > platform: > > Browser Level Sandboxing - this is part of the implementation of any > application and will attempt to use code correctly while not > implementing bugs, pwning this gives you access to the browsers > permissions. > Application level Sandboxing - this is an implementation within the > virtual machine running everything and is an attempt to stop escapes > from the applications sandbox, contains permissions, finding a bug > gives you access to the virtual machine and extended permissions? > Virtual Machine Level - Escaping this gives you access to the kernel > Kernel level - Pwn? > > That sound correct? > > > On Aug 27, 8:43 am, Eric Dorman <[email protected]> wrote: > > The SDK looks good and the documentation you guys have put out about > > this really helps myself who just wants to really just tell you guys > > of the possible bugs or holes I see in the software itself. > > > > Anyways Thanks again Dianne!!! :D > > > > God Bless & Thanks, > > Eric > > > > On Aug 27, 3:45 am, Dianne Hackborn <[email protected]> wrote: > > > > > Btw hopefully there's nothing too proprietary I need to worry about... > > > pretty much everything discussed on these groups is all in the open > source > > > code, there is just a lot we haven't had time to really document about > the > > > implementation. (Most of our effort is on the SDK level docs.) > > > > > On Fri, Aug 27, 2010 at 12:44 AM, Dianne Hackborn <[email protected] > >wrote: > > > > > > Thanks, I'm glad I can help. > > > > > > On Thu, Aug 26, 2010 at 9:47 PM, Duane Blanchard < > [email protected]>wrote: > > > > > >> Yes, thank you very much, Dianne, for this explanation. You've made > > > >> several great posts, and I just wanted to reinforce that we do all > > > >> appreciate your sharing a little insider knowledge with us. I don't > > > >> think you're sharing anything that is truly proprietary, but it all > > > >> seems hard to come by without your help. So, thanks. > > > > > >> D > > > > > >> -- > > > >> You received this message because you are subscribed to the Google > Groups > > > >> "Android Security Discussions" group. > > > >> To post to this group, send email to > > > >> [email protected]. > > > >> To unsubscribe from this group, send email to > > > >> [email protected]<android-security-discuss%[email protected]><android-security-disc > uss%[email protected] <uss%[email protected]>> > > > >> . > > > >> For more options, visit this group at > > > >>http://groups.google.com/group/android-security-discuss?hl=en. > > > > > > -- > > > > Dianne Hackborn > > > > Android framework engineer > > > > [email protected] > > > > > > Note: please don't send private questions to me, as I don't have time > to > > > > provide private support, and so won't reply to such e-mails. All > such > > > > questions should be posted on public forums, where I and others can > see and > > > > answer them. > > > > > -- > > > Dianne Hackborn > > > Android framework engineer > > > [email protected] > > > > > Note: please don't send private questions to me, as I don't have time > to > > > provide private support, and so won't reply to such e-mails. All such > > > questions should be posted on public forums, where I and others can see > and > > > answer them. > > -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To post to this group, send email to > [email protected]. > To unsubscribe from this group, send email to > [email protected]<android-security-discuss%[email protected]> > . > For more options, visit this group at > http://groups.google.com/group/android-security-discuss?hl=en. > > -- Dianne Hackborn Android framework engineer [email protected] Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails. All such questions should be posted on public forums, where I and others can see and answer them. -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
