Chapter 3. Application Permissions

As we discussed in Chapter 2, Android takes a different approach to running apps than traditional, desktop-based systems. On traditional systems, apps run under the account of the user who started them, and run with whatever permissions were granted to that user account. There are no per-app separation mechanisms. In addition, all apps running under that same user account have the same level of access to system APIs and other services provided by the underlying environment; both a document viewer and a VoIP application have the same level of access to the networking system because they run under the same UID by default. If a user has full root access to a system, any app that user started will run with full access to the system, and all the data on it, by default. This is the fundamental assumption of this traditional security model: all apps running on behalf of a user should be granted the same privileges and permissions.

In the Android model, each app runs as its own user account. This has the effect of separating the apps and ensuring that, by default, each can access only its own data and not data belonging to other apps. Android then goes further and applies a comprehensive permissions system to the services that are provided for use by installed apps. In order to make use of services provided by other code on an Android device that may be sensitive or dangerous, such as accessing a user’s personal data or opening an Internet connection, an app ...
