Revise statements on Gecko browsers (Android) to make security shortcomings clear

The Android Security Model with regards to sandboxing

Since there seems to be a bit of misunderstanding about the different sandboxes on Android, let me give a quick and high-level overview of the Android Security Model.

Categories

On a high level, there are four kinds of applications on Android (from high privilege to low privilege):

  1. System
  2. Privileged
  3. Untrusted
  4. Isolated

1 and 2 need vendor signing, so we are not interested in them. All third-party apps fall under category 3 and can optionally use category 4 for more security.

Untrusted (mandatory for third-party apps, per app):

  • One different UID per app (and per user profile, which I will omit in the next sentences) given at installation time
  • SELinux untrusted_app domain with a different MCS category per app
  • Lax seccomp filter
  • Protects the system and other apps, but not its own data from itself, because the sandbox is per app, not per process

Isolated (optional, stricter, per process):

  • One UID per process
  • SELinux isolatedProcess domain with a different MCS category per process
  • Apps can use stricter seccomp filter (Chromium uses strict and fine-grained filtering)
  • Very limited access to file system, only access to two or three services, no permissions
  • Can protect its own app data from its processes running as isolatedProcess, because the sandbox is per process
  • Chromium makes use of it e.g. for renderer processes, Firefox does not. Check ps -Z via ADB or see FF’s issue tracker.

IPC

IPC is done through Binder. Apps (untrusted) can talk to each other but only with mutual consent and only within the same user profile.

Permission management

Permissions are declared in the app manifest, which is part of the app’s APK. They are granted either through Unix group assignment or runtime checks. In case of runtime checks, the app asks the corresponding provider/manager and the provider checks against the app database containing the permissions of apps. The app database reports permission status back to the provider and, if allowed, the provider grants access to the information.

Sources:

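The ps -Z check mentioned in the post, as an added shell example that is not part of the original post: it parses ps -Z output (a constructed sample below, not real device output; package names, PIDs and UIDs are assumed) and counts how many of a package's processes run in the stricter isolated_app SELinux domain versus the per-app untrusted_app domain. The SELinux domain used for isolatedProcess services is isolated_app.

```shell
#!/bin/sh
# Classify an app's processes by SELinux domain from `ps -Z` output.
# SAMPLE_PS_Z is a constructed stand-in for `adb shell ps -Z`; on a real
# device replace it with SAMPLE_PS_Z="$(adb shell ps -Z)".
SAMPLE_PS_Z='LABEL USER PID PPID VSZ RSS WCHAN ADDR S NAME
u:r:untrusted_app:s0:c123,c256,c512,c768 u0_a123 4321 600 10000000 200000 0 0 S org.mozilla.firefox
u:r:untrusted_app:s0:c123,c256,c512,c768 u0_a123 4350 600 10000000 150000 0 0 S org.mozilla.firefox:tab
u:r:untrusted_app:s0:c124,c256,c512,c768 u0_a124 5000 600 10000000 200000 0 0 S com.android.chrome
u:r:isolated_app:s0:c512,c768 u0_i9001 5040 600 10000000 100000 0 0 S com.android.chrome:sandboxed_process0'

# Print "<pid> <selinux domain> <process name>" for every process that belongs
# to the given package: the main process or any "<pkg>:<suffix>" child process.
app_processes() {
  pkg="$1"
  printf '%s\n' "$SAMPLE_PS_Z" | awk -v pkg="$pkg" '
    NR > 1 {
      name = $NF
      if (name == pkg || index(name, pkg ":") == 1) {
        split($1, parts, ":")   # label is u:r:<domain>:s0:<mcs categories>
        print $3, parts[3], name
      }
    }'
}

# Number of the package's processes in the per-process isolated_app domain.
isolated_count() {
  app_processes "$1" | awk '$2 == "isolated_app" { n++ } END { print n + 0 }'
}

# Number of the package's processes in the per-app untrusted_app domain.
untrusted_count() {
  app_processes "$1" | awk '$2 == "untrusted_app" { n++ } END { print n + 0 }'
}

# Human-readable summary for one package.
report() {
  echo "$1: $(untrusted_count "$1") untrusted_app, $(isolated_count "$1") isolated_app"
}
```

A browser whose content processes all show up under untrusted_app shares one sandbox with its own main process, which is the shortcoming the post describes.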