[C-0-1] MUST support the Android file access permissions model as defined in the
Security and Permissions reference
.
9.4. Alternate Execution Environments
Device implementations MUST keep consistency of the Android security and permission model, even
if they include runtime environments that execute applications using some other software or
technology than the Dalvik Executable Format or native code. In other words:
[C-0-1] Alternate runtimes MUST themselves be Android applications, and abide by the
standard Android security model, as described elsewhere in
section 9
.
[C-0-2] Alternate runtimes MUST NOT be granted access to resources protected by
permissions not requested in the runtime’s
AndroidManifest.xml
file via the <
uses-permission
>
mechanism.
[C-0-3] Alternate runtimes MUST NOT permit applications to make use of features
protected by Android permissions restricted to system applications.
[C-0-4] Alternate runtimes MUST abide by the Android sandbox model and installed
applications using an alternate runtime MUST NOT reuse the sandbox of any other app
installed on the device, except through the standard Android mechanisms of shared user
ID and signing certificate.
[C-0-5] Alternate runtimes MUST NOT launch with, grant, or be granted access to the
sandboxes corresponding to other Android applications.
[C-0-6] Alternate runtimes MUST NOT be launched with, be granted, or grant to other
applications any privileges of the superuser (root), or of any other user ID.
[C-0-7] When the
.apk
files of alternate runtimes are included in the system image of
device implementations, it MUST be signed with a key distinct from the key used to sign
other applications included with the device implementations.
[C-0-8] When installing applications, alternate runtimes MUST obtain user consent for the
Android permissions used by the application.
[C-0-9] When an application needs to make use of a device resource for which there is a
corresponding Android permission (such as Camera, GPS, etc.), the alternate runtime
MUST inform the user that the application will be able to access that resource.
[C-0-10] When the runtime environment does not record application capabilities in this
manner, the runtime environment MUST list all permissions held by the runtime itself
when installing any application using that runtime.
Alternate runtimes SHOULD install apps via the
PackageManager
into separate Android
sandboxes (Linux user IDs, etc.).
Alternate runtimes MAY provide a single Android sandbox shared by all applications using
the alternate runtime.
9.5. Multi-User Support
Android includes
support for multiple users
and provides support for full user isolation.
Device implementations MAY but SHOULD NOT enable multi-user if they use
removable
media
for primary external storage.
If device implementations include multiple users, they:
Page 116 of 132