Android is the most widely deployed end-user focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of scenarios while being useful to non-security experts. The model needs to strike a difficult balance between security, privacy, and usability for end users, assurances for app developers, and system performance under tight hardware constraints. While many of the underlying design principles have implicitly informed the overall system architecture, access control mechanisms, and mitigation techniques, the Android security model has previously not been formally published. This article aims to both document the abstract model and discuss its implications. Based on a definition of the threat model and Android ecosystem context in which it operates, we analyze how the different security measures in past and current Android implementations work together to mitigate these threats. There are some special cases in applying the security model, and we discuss such deliberate deviations from the abstract model.

中文翻译：

---

Android 平台安全模型

Android 是部署最广泛的以最终用户为中心的操作系统。随着通信、导航、媒体消费、娱乐、金融、健康以及对传感器、执行器、摄像头或麦克风的访问等用例的不断增长，其底层安全模型需要解决各种不同领域中的大量实际威胁。同时对非安全专家有用。该模型需要在最终用户的安全性、隐私和可用性、应用程序开发人员的保证以及严格硬件限制下的系统性能之间取得艰难的平衡。尽管许多底层设计原则已经隐含地告知了整个系统架构、访问控制机制和缓解技术，但 Android 安全模型之前并未正式发布。本文旨在记录抽象模型并讨论其含义。基于对威胁模型及其运行所在的 Android 生态系统环境的定义，我们分析了过去和当前 Android 实施中的不同安全措施如何协同工作以减轻这些威胁。应用安全模型有一些特殊情况，我们讨论这种与抽象模型的故意偏差。