What is new in Android security (M and N Version) - Google I/O 2016 翻译
2016-10-09 16:21
513 查看
截至发博,字幕还在后期中,应该快了吧。
YouTube视频链接:https://www.youtube.com/watch?v=XZzLjllizYs
字幕翻译:
1
00:00:01,820 –> 00:00:04,920
他们告诉我计时已经开始了
They pointed at me and the clock started moving.
2
00:00:04,920 –> 00:00:08,640
我们有44分钟外加56秒来讨论安全问题
We have 44 minutes and 56 seconds to talk about security.
3
00:00:08,640 –> 00:00:10,090
早上好
Good morning.
4
00:00:10,090 –> 00:00:12,270
现在是早上9点
It’s 9:00 AM.
5
00:00:12,270 –> 00:00:14,580
我今早6点就坐公交车从旧金山过来
I caught the bus down from San Francisco at 6:00 AM
6
00:00:14,580 –> 00:00:17,160
然后在公交车上修改了幻灯片的
this morning to clean up some last little details
7
00:00:17,160 –> 00:00:18,890
最后一点细节
of my slides on the bus.
8
00:00:18,890 –> 00:00:22,040
大家都吃早饭了吗
Did everybody find coffee and breakfast?
9
00:00:22,040 –> 00:00:23,420
如果还没,去吃吧
If not, go find it.
10
00:00:23,420 –> 00:00:24,110
然后再回来
Come back.
11
00:00:24,110 –> 00:00:26,380
我们会在这等一小会
We’ll be here for a little bit.
12
00:00:26,380 –> 00:00:28,560
我的名字叫 Adrian Ludwig
My name is Adrian Ludwig.
13
00:00:28,560 –> 00:00:30,730
我带领的 Android 安全团队
I head up the Android Security team
14
00:00:30,730 –> 00:00:34,539
在那个方向有至少3个展区
here at Google, or at least three blocks over that way at Google.
15
00:00:34,539 –> 00:00:38,310
我们负责 Android 平台的安全事务
We’re responsible for the security of the Android platform.
16
00:00:38,310 –> 00:00:41,190
这个平台具有多样性并且变化迅速
The platform is a broad, diverse, growing kind
17
00:00:41,190 –> 00:00:43,390
像你们知道的那样
of incredible thing, as many of you know.
18
00:00:43,390 –> 00:00:50,070
所以我们的工作范围也具有多样性而且变化迅速
So the scope of what we do is also broad, diverse, and growing.
19
00:00:50,070 –> 00:00:52,580
你已经看到了
You saw a couple things that were mentioned yesterday
20
00:00:52,580 –> 00:00:56,260
昨天提出的一些 Android N 的新特性
in the keynote that are new features that were introduced
21
00:00:56,260 –> 00:00:58,340
我们正致力于
in Android N that we’ve been working
22
00:00:58,340 –> 00:01:00,500
和其他的 Android 团队一起
with the rest of the Android team to enable,
23
00:01:00,500 –> 00:01:02,440
把类似文件基础加密 媒体服务器强化
things like File Based Encryption,
24
00:01:02,440 –> 00:01:04,640
以及自动更新等功能付诸实践
Media Server Hardening, and Automatic Updates.
25
00:01:04,640 –> 00:01:06,570
有一些核心改变在 Android N 的介绍中
These are some of the core changes that
26
00:01:06,570 –> 00:01:11,580
已经提到过了 那些建立在安全模型上的技术
have been introduced in Android N. Those of course
27
00:01:11,580 –> 00:01:17,010
现在已经扩展到 Android 平台中了
build on a security model that extends deep into the platform.
28
00:01:17,010 –> 00:01:19,160
这不是遥不可及的未来 它触手可及
It’s not just a future here, a future there.
29
00:01:19,160 –> 00:01:22,090
这些是关于我们如何把应用分段
It’s about how we have segmented applications.
30
00:01:22,090 –> 00:01:24,430
我们如何在 Android 平台中把权限独立出来
How we have isolated capabilities
31
00:01:24,430 –> 00:01:26,630
以及我们用来实现
in the platform and the underlying technologies
32
00:01:26,630 –> 00:01:29,540
这些安全功能的底层技术
that we’re using to deliver those security features.
33
00:01:29,540 –> 00:01:34,410
不过这并不仅仅限于 Android 自身
It’s not limited just to Android itself though.
34
00:01:34,410 –> 00:01:37,060
我们在 Android 操作系统
The work that we do in securing the Android operating
35
00:01:37,060 –> 00:01:39,660
Android 平台与 Android 生态系统中
system, the Android platform, and the Android ecosystem
36
00:01:39,660 –> 00:01:42,140
所做的安全工作已经被
extends to a broad range of applications
37
00:01:42,140 –> 00:01:46,210
扩展到了 Google 的安全服务范畴中
that we deliver that we talk about as the Google Security Services.
38
00:01:46,210 –> 00:01:49,290
这些在昨天的主题分享中
Those also got a very brief mention yesterday
39
00:01:49,290 –> 00:01:51,570
也提到过了
in the keynote that I wanted to flag,
40
00:01:51,570 –> 00:01:56,650
目前我们每天的扫描次数超过十亿次
which is that at present we’re doing over a billion scans per day.
41
00:01:56,650 –> 00:01:58,605
我们称之为“检测” 因为不做安全工作的人
We say checks, because non-security people are
42
00:01:58,605 –> 00:02:01,530
觉得相比扫描一词 检测听起来更让人舒服一点
more comfortable with the idea of doing a checkup than doing a scan.
43
00:02:01,530 –> 00:02:04,300
但是我们现在正在做的事就是
But what we’re doing is looking at security characteristics
44
00:02:04,300 –> 00:02:06,300
寻找设备上不那么安全的地方
on the devices that are out there in the world
45
00:02:06,300 –> 00:02:08,206
然后把它变得安全
to make sure that we’re keeping them safe.
46
00:02:08,206 –> 00:02:09,580
其中我们关注的一件事就是数字
One of the things that we look at
47
00:02:09,580 –> 00:02:12,660
即被安装到设备上的
is the number, the broad range of applications that have been
48
00:02:12,660 –> 00:02:13,910
应用数量
installed on these devices.
49
00:02:13,910 –> 00:02:16,530
所以我们每天检测应用的数量超过80亿
So we check over 8 billion applications
50
00:02:16,530 –> 00:02:19,770
来保证你的全方位安全
every single day, to give you a sense of the overall scope.
51
00:02:19,770 –> 00:02:23,000
Dave 无法知道的其中一件事就是
One of the things that Dave wasn’t able to get into
52
00:02:23,000 –> 00:02:26,550
他不知道这究竟意味着什么
was what exactly these things mean.
53
00:02:26,550 –> 00:02:28,740
大概三个还是四个星期前我们推出了
About three or four weeks ago we published
54
00:02:28,740 –> 00:02:32,250
一个名叫“安全检查年”的活动
something called the “Annual Security Year in Review,” where
55
00:02:32,250 –> 00:02:34,170
我们在这些安全服务中
we went into a lot of the work that we’ve
56
00:02:34,170 –> 00:02:36,910
做了大量的工作
been doing investing in these security services,
57
00:02:36,910 –> 00:02:40,520
使得已经投入使用的 Google 后台技术
making them more capable, using the technology
58
00:02:40,520 –> 00:02:43,540
能够进行更加复杂的分析
that Google has in our back end to deliver
59
00:02:43,540 –> 00:02:46,062
并理解现在的 Android 生态系统中
more and more sophisticated analysis of applications,
60
00:02:46,062 –> 00:02:47,770
正在
more and more sophisticated understanding
61
00:02:47,770 –> 00:02:50,090
发生着什么
of what it is that’s going on in the Android ecosystem
62
00:02:50,090 –> 00:02:52,890
以便我们能更好的保护用户
so that we can better protect users.
63
00:02:52,890 –> 00:02:55,650
这张图其实意味着50页的文件
That 50-page document included this diagram.
64
00:02:55,650 –> 00:02:57,850
当然我不打算在这里展开说
I’m not going to go into a lot of detail here.
65
00:02:57,850 –> 00:03:04,070
但我想强调的是我们关注
But I wanted to emphasize that the vast majority of our focus
66
00:03:04,070 –> 00:03:06,530
每一件能够保护用户的事情
is on everything that we can do to protect users.
67
00:03:06,530 –> 00:03:10,630
所以无论从硬件的更新与安全
So that ranges from hardware updates and hardware security,
68
00:03:10,630 –> 00:03:13,320
还是平台的更新与安全还是服务
to platform updates and platform security features,
69
00:03:13,320 –> 00:03:14,872
都是我们所关心的范围
to services as well.
70
00:03:14,872 –> 00:03:16,830
而且我们正致力于安全的每一层
And we’re investing at every layer in the stack
71
00:03:16,830 –> 00:03:19,380
从而最大程度的保护用户
to try to protect users as best we can.
72
00:03:19,380 –> 00:03:23,000
现在我将详细解释
Now for today, I’m going to hone in on a handful
73
00:03:23,000 –> 00:03:25,010
Android M 和 N
of specific new capabilities that
74
00:03:25,010 –> 00:03:29,170
中的新特性
were introduced in Android M and Android N. M
75
00:03:29,170 –> 00:03:31,760
让我们从实际情况来看一下 Android M
because, let’s be realistic.
76
00:03:31,760 –> 00:03:34,170
它目前还没有被广泛的使用
It hasn’t gotten to a point where it has broad based adoption.
77
00:03:34,170 –> 00:03:35,700
所以如果你还没有花费很长时间思考
So it’s not terribly surprising if you
78
00:03:35,700 –> 00:03:37,070
怎样利用 Android M 中的特性
haven’t been spending a lot of time thinking
79
00:03:37,070 –> 00:03:39,070
那你是不会被震惊到的
about how to take advantage of the features that
80
00:03:39,070 –> 00:03:41,950
而且因为 Android N 现在比较火热
were introduced in M. And Android N because that’s the new hotness.
81
00:03:41,950 –> 00:03:44,970
而且它也推出
Or at least it will be as soon as it begins to roll out
82
00:03:44,970 –> 00:03:47,930
有几个月了
a couple of months from now.
83
00:03:47,930 –> 00:03:51,540
所以我想强调的是
So I wanted to emphasize though that this is just
84
00:03:51,540 –> 00:03:55,485
这只是我们所有工作的一部分
part of the overall sort of set of capabilities that we have.
85
00:03:55,485 –> 00:03:57,610
我们想为应用的开发人员做些事情
We want to build things for application developers.
86
00:03:57,610 –> 00:03:59,184
我们想为用户做些事情
We want to build things for users.
87
00:03:59,184 –> 00:04:01,100
而且我们也想为设备制造商做些事情
And we want to build things for device makers.
88
00:04:01,100 –> 00:04:04,569
而我认为目前 用户是最重要的
I think on the main stage, the focus was on users.
89
00:04:04,569 –> 00:04:06,110
当然我们也把很多时间
Elsewhere in the world we spend a lot
90
00:04:06,110 –> 00:04:07,790
用在了与设备制造商交流上
of time talking about device makers.
91
00:04:07,790 –> 00:04:09,170
但是今天 我们想要谈谈
But today, we’re going to talk about what
92
00:04:09,170 –> 00:04:10,628
我们正在做的新事情
are the new things that we’re doing
93
00:04:10,628 –> 00:04:12,530
为什么对开发者而言
to make your life as an application developer
94
00:04:12,530 –> 00:04:15,478
在 Android M 和 N 上开发软件更爽
better on Android M and N.
95
00:04:15,478 –> 00:04:17,760
所以这就是我主要想讲的几点
So these are some of the key features that I’m going to talk about.
96
00:04:17,760 –> 00:04:19,222
一共有七点
There are seven of them up here.
97
00:04:19,222 –> 00:04:21,180
我将一个一个的说
I’m just going to walk through them one by one.
98
00:04:21,180 –> 00:04:24,174
我们将逐一介绍
We’ll talk about what it is that was introduced,
99
00:04:24,174 –> 00:04:26,590
并且看一看部分源码
take a look at some source code so that you can understand
100
00:04:26,590 –> 00:04:28,440
以便你能更好的在你的应用中使用它
how you might incorporate it into your application
101
00:04:28,440 –> 00:04:29,800
而且还能增长开发经验
and your development experience.
102
00:04:29,800 –> 00:04:31,360
然后我们将讨论一下
And then talk about some of the best practices
103
00:04:31,360 –> 00:04:32,710
我们认为的
that we’ve been thinking about for how
104
00:04:32,710 –> 00:04:34,440
你将如何运用在你程序中的
we think it is that you’d want to be incorporating
105
00:04:34,440 –> 00:04:36,940
最佳范例
these new technologies into your application development.
106
00:04:36,940 –> 00:04:37,440
如何
Right?
107
00:04:37,440 –> 00:04:38,450
很直观吧
Pretty straightforward.
108
00:04:38,450 –> 00:04:41,450
嘣嘣嘣 然后跳到下一个 嘣嘣嘣
Boom, boom, boom, move to the next one, boom, boom, boom.
109
00:04:41,450 –> 00:04:44,225
没有绚丽的图标 只有一些代码
No fancy diagrams, just a little bit of code here and there.
110
00:04:44,225 –> 00:04:47,315
所以权限是我们将要讨论的第一个话题
So permissions is the first thing we’re going to talk about.
111
00:04:47,315 –> 00:04:50,400
你也许记得
You may remember, or you may know,
112
00:04:50,400 –> 00:04:53,020
如果你在装有 Android M 的 Nexus 设备上
if you’re running on Android M right now on Nexus device
113
00:04:53,020 –> 00:04:55,480
或是其他装有 Android M 的其他设备上运行程序
or one of the other devices that’s started to receive it,
114
00:04:55,480 –> 00:04:58,310
其中用户体验的一个主要变化就是
that one of the major changes in the user experience that
115
00:04:58,310 –> 00:05:02,270
运行时权限
was introduced with Marshmallow was runtime permissions,
116
00:05:02,270 –> 00:05:05,500
意思就是只有在程序运行过程中
the idea that an application can defer
117
00:05:05,500 –> 00:05:09,920
真正需要使用到相应权限时才进行申请
requesting the use of permissions until it really needs them.
118
00:05:09,920 –> 00:05:11,445
因此用户就有了
And that the user has the ability
119
00:05:11,445 –> 00:05:13,040
决定是否给予权限
to decide whether the application gets
120
00:05:13,040 –> 00:05:15,340
的权利
that specific permission or not.
121
00:05:15,340 –> 00:05:18,374
这是 Android M 中
Really a fundamental change in the way that applications
122
00:05:18,374 –> 00:05:20,790
申请敏感权限的
are going to request access to more sensitive capabilities
123
00:05:20,790 –> 00:05:22,632
一个根本性变化
on the device introduced with Marshmallow.
124
00:05:25,530 –> 00:05:27,500
从应用开发者的立场来说
From an application developer’s standpoint,
125
00:05:27,500 –> 00:05:29,680
这是一件很值得考虑的事情
it’s a really powerful thing for you to think about.
126
00:05:29,680 –> 00:05:32,080
它给了你简化安装应用过程
It gives you the ability to simplify the installation
127
00:05:32,080 –> 00:05:33,334
的能力
process for your application.
128
00:05:33,334 –> 00:05:36,460
因为你不需要提前申请所有的权限了
Because you don’t have to request all of those permissions up front.
129
00:05:36,460 –> 00:05:39,030
它也不需要
It gives you the ability to upgrade
130
00:05:39,030 –> 00:05:42,410
在用户确认升级之后
without having the user have to confirm that that upgrade is
131
00:05:42,410 –> 00:05:45,720
再升级
necessary for applications being delivered through, for example,
132
00:05:45,720 –> 00:05:46,830
比如说从 Google Play 上
through Google Play.
133
00:05:46,830 –> 00:05:49,090
因为这在安全性上
Because there’s no increase in the capabilities
134
00:05:49,090 –> 00:05:50,870
没有任何的变化
of the application in the security model.
135
00:05:50,870 –> 00:05:53,010
因此也没有让用户确认的必要
And so there’s no need for the user to affirm that.
136
00:05:53,010 –> 00:05:54,850
所以这真的可以提高
So this can really accelerate the rate
137
00:05:54,850 –> 00:05:56,766
你的应用的升级比例
at which your applications are being upgraded,
138
00:05:56,766 –> 00:06:00,590
如果你能在新平台上运用好运行时权限的话
if you take advantage of runtime permissions on these newer platforms.
139
00:06:00,590 –> 00:06:03,264
而且我认为 就我十分担心的问题
And from my perspective, when I think about security,
140
00:06:03,264 –> 00:06:05,180
安全性考虑而言
one of the things I worry about is making sure
141
00:06:05,180 –> 00:06:07,490
这可以确保用户知道应用中都在发生着什么
that users understand what it is that’s going on.
142
00:06:07,490 –> 00:06:10,250
而且我们也发现运行时权限对用户来说
And we found that runtime permissions are fundamentally
143
00:06:10,250 –> 00:06:12,172
是更加能够接受的
more understandable for users.
144
00:06:12,172 –> 00:06:13,630
这使得开发者可以
They give the application developer
145
00:06:13,630 –> 00:06:16,340
在更恰当的时候申请权限
the ability to provide context, and the user
146
00:06:16,340 –> 00:06:18,539
而用户也更好的理解
to understand how that capability is
147
00:06:18,539 –> 00:06:22,800
所申请的权限用在了什么地方
going to be associated with the application that they’re employing.
148
00:06:22,800 –> 00:06:24,550
如何
So what does it look like?
149
00:06:24,550 –> 00:06:26,342
这很直观吧
It’s pretty straightforward.
150
00:06:26,342 –> 00:06:29,216
你需要做的第一件事就是
The first thing that you want to do in the context of your application
151
00:06:29,216 –> 00:06:33,250
调用当时的局部环境并且检查自身的权限
is invoke the local environment and check self permission.
152
00:06:33,250 –> 00:06:36,890
我已经有这个权限了吗
Do I already have this permission?
153
00:06:36,890 –> 00:06:39,090
如果没有 那你可能需要
If you don’t, then you want to explain,
154
00:06:39,090 –> 00:06:40,815
向你的用户解释一下
probably provide some context to the user
155
00:06:40,815 –> 00:06:43,010
为何你要在此处申请权限
about why it is that you’re going to request that permission.
156
00:06:43,010 –> 00:06:45,640
在这个例子中申请的是读取联系人权限
In this particular instance it’s the use of read contacts.
157
00:06:45,640 –> 00:06:47,390
你可能说 我需要发邮件
So you might say, I want to send an email.
158
00:06:47,390 –> 00:06:48,973
如果我能够看到在你的联系人中
And it would be really nice if I could
159
00:06:48,973 –> 00:06:52,120
谁已经是你的好友了
see who you’re already friends with inside your contact
160
00:06:52,120 –> 00:06:54,740
这样会非常方便
environment, or make a call, or any number
161
00:06:54,740 –> 00:06:57,620
当然也可以是打电话或其他功能
of other types of functionality it might want to expose.
162
00:06:57,620 –> 00:06:59,934
如果你还没有读取过的话
If you do not have the capability already,
163
00:06:59,934 –> 00:07:01,600
那么你就需要申请权限了
then you’re going to need to request it.
164
00:07:01,600 –> 00:07:04,200
而且 API 也相当的简单 “Request Permission”
And there’s a simple API, “Request Permission.”
165
00:07:04,200 –> 00:07:06,520
然后你就可以请求权限了
And you can go ahead make that request.
166
00:07:06,520 –> 00:07:10,267
现在也许你已经申请到权限了 也许没有
And at that point, you now have that permission, or not.
167
00:07:10,267 –> 00:07:12,600
下面我们来演示一下
Let’s talk a little bit about some of the best practices
168
00:07:12,600 –> 00:07:14,774
确保你能申请到权限的最佳范例
to make sure that you actually get that permission.
169
00:07:14,774 –> 00:07:17,190
因为我们也要考虑到用户
Because that’s one of the things that people are concerned
170
00:07:17,190 –> 00:07:21,290
不一定总是会同意
about with runtime permissions is that they maybe don’t always
171
00:07:21,290 –> 00:07:22,012
申请权限的
say yes.
172
00:07:22,012 –> 00:07:24,886
所以你也需要考虑到
So you’re going to need to consider in the context of your application
173
00:07:24,886 –> 00:07:27,415
用户不同意的情况
that the user might say no.
174
00:07:27,415 –> 00:07:28,790
而且你也同样要考虑
And you’re going to want to think
175
00:07:28,790 –> 00:07:31,350
怎样做才能让更多的用户
about how it is that you can increase the likelihood
176
00:07:31,350 –> 00:07:32,730
通过权限申请
that the user will say yes.
177
00:07:32,730 –> 00:07:35,977
所以我们提供了一些设计准则
So one of the things that we did is provide some design guidelines.
178
00:07:35,977 –> 00:07:37,060
准则已经推出了
Those have been published.
179
00:07:37,060 –> 00:07:40,270
你可以在 developer.android.com
You can find them up on developer.android.com
180
00:07:40,270 –> 00:07:42,686
上找到一些最佳范例
that describe some of the best practices.
181
00:07:42,686 –> 00:07:45,740
最重要的是告诉用户
One of the most important ones is to provide some context for why it
182
00:07:45,740 –> 00:07:47,230
你将要用它来做什么
is that you’re going to do it.
183
00:07:47,230 –> 00:07:50,214
以 Hangouts 中的短信为例
So for example, in the case of SMS,
184
00:07:50,214 –> 00:07:51,880
如果你想在
in the case of the Hangouts application,
185
00:07:51,880 –> 00:07:53,310
应用中接收到
explaining hey, if you want to receive
186
00:07:53,310 –> 00:07:54,900
短信里的内容
SMS in the context of this application,
187
00:07:54,900 –> 00:07:56,608
那我们就需要读取短信的权限
we’re going to need to have access to it.
188
00:07:56,608 –> 00:07:58,152
我现在要请求权限了
And I’m going to request it now, then
189
00:07:58,152 –> 00:08:00,610
这有助于提高申请权限的成功率
makes it possible for you to request it and really increase
190
00:08:00,610 –> 00:08:03,800
用户觉得这对我确实有意义
the rate at which user say, OK, makes sense to me.
191
00:08:03,800 –> 00:08:05,460
接受吧
Go ahead and grant it.
192
00:08:05,460 –> 00:08:07,350
在加入了权限解释的 Google 应用中
Within the context of Google applications,
193
00:08:07,350 –> 00:08:11,220
我们发现85%的用户同意了权限申请
we found that about 85% of the time users do say yes.
194
00:08:11,220 –> 00:08:13,550
相比那些不加权限解释的应用
That’s better than the average that we’ve
195
00:08:13,550 –> 00:08:16,400
加了权限解释的应用权限申请通过率
seen for other applications that are sort of broadly distributed
196
00:08:16,400 –> 00:08:17,810
更高
on the Android platform.
197
00:08:17,810 –> 00:08:20,750
这是一个通过率提高了的例子
Just to give you some examples of how much better it is,
198
00:08:20,750 –> 00:08:25,180
大约15.8%的用户在第一次提示时拒绝了权限申请
about 15.8% of the time when we prompt a user, they say no.
199
00:08:25,180 –> 00:08:27,970
这比之前降低了40%
That’s about 40% lower.
200
00:08:27,970 –> 00:08:30,900
而其他应用的拒绝率
So for other applications, the failure rate on that request
201
00:08:30,900 –> 00:08:33,080
大概在20%到25%之间
is going to be about 20% to 25%.
202
00:08:33,080 –> 00:08:35,520
这其中差了40%
So about 40% difference between those.
203
00:08:35,520 –> 00:08:39,940
如果你不停的申请权限而用户又不停的拒绝申请
If you ask too many times and the user says no repeatedly,
204
00:08:39,940 –> 00:08:42,870
我觉得在三次之后
eventually, after I think three times,
205
00:08:42,870 –> 00:08:46,490
用户就有权利选择不要再申请了
the user has the option to say stop asking me.
206
00:08:46,490 –> 00:08:48,289
而且我们发现在 Google 应用中
And so we found that the stop asking me,
207
00:08:48,289 –> 00:08:51,470
拒绝再次申请的概率大约是3%
don’t ever ask me again rate for Google applications is about 3%.
208
00:08:51,470 –> 00:08:53,324
所以我们要在合适的时候申请权限
So effectively we prompt a couple of times
209
00:08:53,324 –> 00:08:54,740
这样用户
in order to get to the point where
210
00:08:54,740 –> 00:08:56,614
才不会觉得不舒服
the user is comfortable with the application.
211
00:08:56,614 –> 00:08:59,490
大约97%的用户
And we find about 97% of the time users
212
00:08:59,490 –> 00:09:02,360
通过了申请的权限
accept the permission ask that we’re making.
213
00:09:02,360 –> 00:09:05,209
上述就是你需要考虑的最佳范例
So those are the best practices that you want to think about.
214
00:09:05,209 –> 00:09:06,750
我们还做了
There’s another capability that we’ve
215
00:09:06,750 –> 00:09:08,530
一件大事
been expanding dramatically, which
216
00:09:08,530 –> 00:09:12,060
就是密钥材料的保护
is a protection of key material, cryptographic keys
217
00:09:12,060 –> 00:09:13,220
尤其是 Android 上的密钥
specifically on Androids.
218
00:09:13,220 –> 00:09:16,340
所以我们来讨论一下 Android 密钥库
So we’ll talk about the Android Keystore.
219
00:09:16,340 –> 00:09:18,990
密钥库广泛的应用在
The Keystore leverages hardware that
220
00:09:18,990 –> 00:09:22,545
Android 设备中
exists on the vast majority of Android devices.
221
00:09:22,545 –> 00:09:25,170
作为一名安全从业者
As a security practitioner, it’s always been really interesting
222
00:09:25,170 –> 00:09:28,750
我对那些带有 TrustZone 的设备十分感兴趣
to me that most devices, literally about 80% to 90%
223
00:09:28,750 –> 00:09:31,230
这些设备大概占到80%到90%
of devices have something called TrustZone on them.
224
00:09:31,230 –> 00:09:33,170
他们都有一个 TEE
They have a TEE that’s been put in place.
225
00:09:33,170 –> 00:09:37,300
它提供了一套可以访问 DRM 保护内容的机制
It was there to enable access to DRM protected content.
226
00:09:37,300 –> 00:09:39,410
我们这几年正在做的就是
What we’ve been doing over the last several years
227
00:09:39,410 –> 00:09:41,626
让开发者保护
is making that available to you as an application
228
00:09:41,626 –> 00:09:43,250
用户设备中的敏感功能与
developer as a means for you to protect
229
00:09:43,250 –> 00:09:46,660
密钥成为可能
the most sensitive capabilities and keys in your device.
230
00:09:46,660 –> 00:09:52,000
让我们从 jb-mr2 开始说起吧
So starting in jb-mr2.
231
00:09:52,000 –> 00:09:55,140
大概在四年前
So almost four years ago, we began implementing API
232
00:09:55,140 –> 00:09:56,830
我们开始不断的继承 API
after API after API.
233
00:09:56,830 –> 00:10:02,820
从 Android L 开始 陆续可以使用 RSA 和椭圆曲线数字签名算法
As of Android L, the ability to use RSA, elliptic curve DSA,
234
00:10:02,820 –> 00:10:07,620
即ECDSA 或是像 AES 这样的对称算法 还有 HMAC
so ECDSA, symmetric algorithms like AES, and then also HMAC,
235
00:10:07,620 –> 00:10:10,820
这些密钥都被内置在 TrustZone 中
where those keys are held inside of TrustZone and cannot be
236
00:10:10,820 –> 00:10:13,900
而没有展现在普通用户面前
exposed to the kernel or to anybody else on the device is
237
00:10:13,900 –> 00:10:18,630
但这些功能确实是设备的核心功能
one of the core capabilities that we’ve been enabled.
238
00:10:18,630 –> 00:10:20,540
其中一件非常重要的事就是
One of the really important things to do
239
00:10:20,540 –> 00:10:22,720
把它从大多数设备
is to transition from it being on most devices
240
00:10:22,720 –> 00:10:23,900
过渡到所有的设备
to being on all devices.
241
00:10:23,900 –> 00:10:27,340
因此这就变成了 Android N 的任务
So this became required as of the Android N release.
242
00:10:27,340 –> 00:10:29,230
我们从现在起将会看到
So we’re going to see, from here on out,
243
00:10:29,230 –> 00:10:32,150
所有的新设备都将装载它
all new devices are going to definitely have it on board.
244
00:10:32,150 –> 00:10:33,812
而且就在现在 绝大多数的
As it is right now, the vast majority
245
00:10:33,812 –> 00:10:38,620
高端或是中端设备都已经有 Keystore 了
of higher end and mid-range devices already have Keystore in place.
246
00:10:38,620 –> 00:10:42,490
所以 Android N 中的一个新特性
So one of the new features that was introduced with Android N
247
00:10:42,490 –> 00:10:44,280
就是密钥认证
was what we call attestation.
248
00:10:44,280 –> 00:10:47,020
关于密钥认证我们所做的就是把密钥
What we do with attestation is bake a key
249
00:10:47,020 –> 00:10:49,857
加进 TrustZone 中的固件中
into the firmware inside of TrustZone.
250
00:10:49,857 –> 00:10:51,940
这样你就可以验证
So it is possible for you to validate that this is
251
00:10:51,940 –> 00:10:53,231
硬件的合法性了
a legitimate piece of hardware.
252
00:10:53,231 –> 00:10:55,580
你可以通过创建一个密钥
And you can check that by creating a key
253
00:10:55,580 –> 00:10:57,700
然后检测绑定到
and then checking the search chain to tie it
254
00:10:57,700 –> 00:11:00,510
需要进行 CTS 测试的硬件搜索链
back to a piece of hardware that’s gone through CTS testing.
255
00:11:00,510 –> 00:11:02,260
我将用几秒钟的时间
And I’ll sort of talk through how
256
00:11:02,260 –> 00:11:04,444
稍微讨论一下你应该如何做
it is that you can do that in just a second.
257
00:11:04,444 –> 00:11:06,860
这是一个源码的
So here’s an example of what that looks like from a source
258
00:11:06,860 –> 00:11:08,370
例子
code standpoint.
259
00:11:08,370 –> 00:11:09,350
你需要做什么
What do you need to do?
260
00:11:09,350 –> 00:11:12,490
你需要从创建一个 KeyPair 开始
Well, you can start off by creating a key pair.
261
00:11:12,490 –> 00:11:16,050
你创建了一个 Android Keystore 的实例
So you create an instance of Android Keystore.
262
00:11:16,050 –> 00:11:18,760
在这个例子中 我们用的是椭圆曲线
In this instance, we’re using elliptic curves,
263
00:11:18,760 –> 00:11:21,120
所以你需要把它加入到你的算法中
so you specify that to your algorithm.
264
00:11:21,120 –> 00:11:23,410
我将要介绍一件在 Android M
One of the more interesting new capabilities
265
00:11:23,410 –> 00:11:25,440
中更有趣的特性
that was introduced actually in Android M
266
00:11:25,440 –> 00:11:27,240
那就是这个密钥只有刚被验证过的
was the ability to say this key can only
267
00:11:27,240 –> 00:11:31,069
用户才可以使用
be used if the user has recently authenticated.
268
00:11:31,069 –> 00:11:32,860
我再用几秒钟多说一点
I’ll talk more about that in just a second.
269
00:11:32,860 –> 00:11:34,710
这是一个很有力的声明
But that’s a really powerful statement that you can make.
270
00:11:34,710 –> 00:11:36,640
那就是你能知道有一个真真切切的用户
So that you know that there’s a real user that’s
271
00:11:36,640 –> 00:11:38,431
在与设备进行着交互
been interacting with the device right now.
272
00:11:38,431 –> 00:11:40,950
当然这也是被内置于 TrustZone 中的
And that’s been validated inside of TrustZone.
273
00:11:40,950 –> 00:11:42,745
所以你可以保护你的密钥
So you can protect your keys.
274
00:11:42,745 –> 00:11:44,370
然后你可以做的最后一件事就是
And then the last thing that you can do
275
00:11:44,370 –> 00:11:46,867
你能够获得与密钥相关的
is you can actually get the certificate chain associated
276
00:11:46,867 –> 00:11:47,450
证书
with that key.
277
00:11:47,450 –> 00:11:52,370
所以这密钥是绑定到设备上的
So that key is one that has been bound to a particular device.
278
00:11:52,370 –> 00:11:54,452
而且它不能转移到其他设备上
And it can’t move to some other device.
279
00:11:54,452 –> 00:11:56,910
然后你就可以通过看证书链
Then you can actually confirm by looking at the certificate
280
00:11:56,910 –> 00:12:00,450
确定这是一个已经通过 CTS 测试的正常设备
chain that it’s a device that legitimately went through CTS testing.
281
00:12:00,450 –> 00:12:02,790
它已经经过确认了
It’s gone through that kind of validation.
282
00:12:02,790 –> 00:12:06,740
所以我认为这种类型的功能是非常重要的
So I think this type of capability is really important for enhancing
283
00:12:06,740 –> 00:12:09,240
尤其是对通过 Google 检验的
the trust in those devices that have gone through the Google
284
00:12:09,240 –> 00:12:14,260
Android 测试设备信任度的增加
validation process and are valid, Android tested devices.
285
00:12:14,260 –> 00:12:18,522
所以你需要认真想一想
So some best practices, think for a moment
286
00:12:18,522 –> 00:12:20,730
你的应用中是否需要加上
whether there’s a case for you to be using encryption
287
00:12:20,730 –> 00:12:22,840
最佳范例中的加密功能
in the context of your application.
288
00:12:22,840 –> 00:12:25,340
如果是的话 那么 Keystore 对于你来说
And if so, then Keystore is a great place for you
289
00:12:25,340 –> 00:12:27,380
就是保存密钥最好的地方
to be storing those keys.
290
00:12:27,380 –> 00:12:28,170
它可供使用
It’s available.
291
00:12:28,170 –> 00:12:29,850
而且很直观
It’s very straightforward.
292
00:12:29,850 –> 00:12:32,060
而且它的优点在于
And it has the advantage of the key
293
00:12:32,060 –> 00:12:34,560
即使设备中的其他东西被破解了
not being exposed in the event of compromise of other things
294
00:12:34,560 –> 00:12:36,300
密钥也不会被暴露出来
on the device.
295
00:12:36,300 –> 00:12:39,590
你也可以用这个从 Android N 开始的密钥
You can also use the key, starting with Android N,
296
00:12:39,590 –> 00:12:42,100
来验证这是否是一个合法的 Android 设备
as a mechanism to validate that this is a legitimate Android
297
00:12:42,100 –> 00:12:47,270
而非一个不兼容的设备
device and not one that’s been created outside the compatibility.
298
00:12:47,270 –> 00:12:48,766
这就给了你进一步校验
And so that gives you the ability
299
00:12:48,766 –> 00:12:50,390
设备的能力
to do further validation of the device.
300
00:12:53,140 –> 00:12:54,600
我之前提到了验证
I hinted at authentication.
301
00:12:54,600 –> 00:12:56,190
让我们来谈论一些
So let’s talk a little bit about some of the changes
302
00:12:56,190 –> 00:12:58,023
关于验证方面的改变
that have gone into authentication recently.
303
00:13:00,872 –> 00:13:02,580
在加强验证方面
So there’s two different goals that we’re
304
00:13:02,580 –> 00:13:06,530
我们有两个不同的目标
striving for as we’re enhancing authentication.
305
00:13:06,530 –> 00:13:12,370
第一个就是 坦率地说
The first one is, well, let’s be frank,
306
00:13:12,370 –> 00:13:14,590
用户根本不喜欢验证
users don’t like authenticating.
307
00:13:14,590 –> 00:13:17,372
验证是很令人厌烦的
It’s annoying.
308
00:13:17,372 –> 00:13:18,580
我拿出我的设备
I want to take out my device.
309
00:13:18,580 –> 00:13:20,000
我就想马上使用它
And I want to use it immediately.
310
00:13:20,000 –> 00:13:21,900
我就想立刻看到内容
And I want to have access to my information.
311
00:13:21,900 –> 00:13:24,170
所以我们才开始调查
And so when we began looking into why
312
00:13:24,170 –> 00:13:26,654
为什么用户不在他们的设备上使用屏幕锁
it is that users didn’t have lock screens on their device.
313
00:13:26,654 –> 00:13:28,070
这就是为什么用户不喜欢
And why they didn’t use what seems
314
00:13:28,070 –> 00:13:31,680
使用这最基本的安全保护方式
to be the most fundamental security protection,
315
00:13:31,680 –> 00:13:34,830
答案就是 它们出现的太频繁了
the answer is, it just comes up too often.
316
00:13:34,830 –> 00:13:37,770
因此接近半数的用户
And almost half of Android users have
317
00:13:37,770 –> 00:13:40,330
决定不使用屏幕锁
decided that they don’t want a secure lock screen.
318
00:13:40,330 –> 00:13:42,220
所以我们尽力做的事情就是
So one of the things that we’re trying to do
319
00:13:42,220 –> 00:13:44,410
实现用户的愿望
is find ways to encourage that.
320
00:13:44,410 –> 00:13:48,011
如果在用户登入设备时
Because if we get to a point where the logging in mechanism
321
00:13:48,011 –> 00:13:50,010
在开始与设备交互时
is trustworthy, where authentication of the user
322
00:13:50,010 –> 00:13:51,340
就是被验证过的
at the time they start interacting with the device,
323
00:13:51,340 –> 00:13:52,850
那么你应用中的设置
then you can do a lot more and be
324
00:13:52,850 –> 00:13:55,255
其实可以更加的灵活
a lot more flexible in the set of applications that you can provide.
325
00:13:55,255 –> 00:13:57,440
所以 Android Pay 就是一个很好的例子
So Android Pay is a good example where,
326
00:13:57,440 –> 00:14:01,410
因为用户是已经被验证过的 他们就可以使用 Android Pay
because users are authenticated, they can have access to Android Pay.
327
00:14:01,410 –> 00:14:05,300
所以我们结合了这两种想法
So we actually bind those two ideas together.
328
00:14:05,300 –> 00:14:08,164
因此在介绍指纹解锁时就更容易了
So to make things easier we introduced fingerprints.
329
00:14:08,164 –> 00:14:10,080
这些我们之前都已经介绍过了
That was one of the things that was introduced
330
00:14:10,080 –> 00:14:12,220
包括 Nexus 手机上的 Android M
with Android M on Nexus phones and an API for you
331
00:14:12,220 –> 00:14:14,290
以及开发者所使用的API
to interact with it as an application developer.
332
00:14:14,290 –> 00:14:17,380
我们可以看到在 Nexus 设备上
On Nexus devices we’ve seen adoption of secure lock screen
333
00:14:17,380 –> 00:14:20,836
一旦加入了指纹解锁
go from about 50% to over 90% on devices
334
00:14:20,836 –> 00:14:22,210
屏幕锁的使用数量就从50%上升到了90%
where a fingerprint is available.
335
00:14:22,210 –> 00:14:25,324
因为这实在是太简单方便了
Because it’s just so much easier.
336
00:14:25,324 –> 00:14:27,240
我们也为那些没有指纹识别传感器的设备
We’ve also made changes for those devices that
337
00:14:27,240 –> 00:14:29,030
提供了另一种解决方案
don’t have access to fingerprint,
338
00:14:29,030 –> 00:14:32,610
比如说智能解锁
for one reason or another, through things like Smart Lock.
339
00:14:32,610 –> 00:14:34,870
其中智能解锁提供的一个功能
One of the capabilities that Smart Lock provides
340
00:14:34,870 –> 00:14:38,365
我们称之为身体探测
is what we call on body detection, where we monitor how the device is
341
00:14:38,365 –> 00:14:40,240
我们可以监测出与设备交互的周围环境
interacting with the environment around them.
342
00:14:40,240 –> 00:14:41,170
它是否在口袋里
Is it in their pocket?
343
00:14:41,170 –> 00:14:43,461
它是不是还在初次解锁它的人
Do we think it’s still in control of the individual who
344
00:14:43,461 –> 00:14:44,770
手里
first unlocked it?
345
00:14:44,770 –> 00:14:47,360
这个功能可以使
The use of that alone can reduce the frequency
346
00:14:47,360 –> 00:14:50,560
验证频率减少50%
with which users need to authenticate by over 50%.
347
00:14:50,560 –> 00:14:52,180
在我们的经验中能够看到这一点
We’ve seen that in our experience.
348
00:14:52,180 –> 00:14:56,640
在把验证变得简单这件事上我们已经取得很大的进展了
So we’ve got good progress on making authentication easier for users.
349
00:14:56,640 –> 00:14:59,180
这也是我们一直在努力的事情
So that’s one of the things that we’re striving for.
350
00:14:59,180 –> 00:15:00,830
我们还尽力把
The other thing that we’re trying to do
351
00:15:00,830 –> 00:15:03,330
验证变得更强大
is make authentication stronger.
352
00:15:03,330 –> 00:15:05,340
这同样也带来一些改变
So there are some changes there as well.
353
00:15:05,340 –> 00:15:08,860
其中之一就是允许
One of them was to allow applications
354
00:15:08,860 –> 00:15:11,380
应用把私密数据绑定到验证上
to tie their secrets to authentication.
355
00:15:11,380 –> 00:15:14,000
你可以确保应用中的某些功能
So you can make sure that your application will only
356
00:15:14,000 –> 00:15:17,050
是只有被验证过的
function if the user has a secure lock screen
357
00:15:17,050 –> 00:15:19,100
用户才可以使用的
and they have been recently authenticated.
358
00:15:19,100 –> 00:15:21,220
这是一个非常重要的改变
So that’s an important change that you can make.
359
00:15:21,220 –> 00:15:23,345
有一类事情是应用需要特别担心的
One of the types of things that an application that
360
00:15:23,345 –> 00:15:25,110
即财务系统
worries about, say financial systems
361
00:15:25,110 –> 00:15:27,830
或是访问敏感数据
or access to sensitive data, would want to do.
362
00:15:27,830 –> 00:15:30,780
我们做的另一件事就是
Another thing that we’ve done is to move the authentication
363
00:15:30,780 –> 00:15:32,660
把验证挪进了 TrustZone
actually into TrustZone.
364
00:15:32,660 –> 00:15:34,860
所以即使
So that even if the overall operating system
365
00:15:34,860 –> 00:15:37,680
操作系统都被攻陷了
has been compromised, there is no mechanism
366
00:15:37,680 –> 00:15:41,850
根据现有的机制
available for the device to leak the credential,
367
00:15:41,850 –> 00:15:45,900
证书 指纹或是
the fingerprint, for example, or the user’s lock screen password
368
00:15:45,900 –> 00:15:48,310
用户的解锁密码
into a place that it could do and exhaust
369
00:15:48,310 –> 00:15:50,280
也不会泄露
over the strength of that credential.
370
00:15:54,060 –> 00:15:57,181
因此你需要思考的就是如何利用好验证
So you want to think about how to use authentication.
371
00:15:57,181 –> 00:15:59,430
我们提供了一些指纹的 API
We’ve provided some APIs so that it’s possible for you
372
00:15:59,430 –> 00:16:01,860
你可以直接调用
to directly invoke the fingerprint APIs.
373
00:16:01,860 –> 00:16:05,770
我们也提供了一些 API 让你可以控制
We’ve also provided APIs that allow you to control the user
374
00:16:05,770 –> 00:16:06,940
相关的用户体验
experience around that.
375
00:16:06,940 –> 00:16:09,550
你不一定必须描述
So you’re not constrained in how you would represent
376
00:16:09,550 –> 00:16:10,830
你将用验证来干什么
what it means to authenticate.
377
00:16:10,830 –> 00:16:13,530
但我们还是建议你提供
This is again, you get to offer context
378
00:16:13,530 –> 00:16:16,060
说明来解释你为什么需要验证
for why it is that you’re requesting authentication.
379
00:16:16,060 –> 00:16:17,250
因为我们认为应用体验中
We think that’s a really important part
380
00:16:17,250 –> 00:16:19,680
一个非常重要的部分
of the application experience is that you are effectively
381
00:16:19,680 –> 00:16:22,490
就是你以何种方式告诉用户
in control over how it is that you represent to the user what
382
00:16:22,490 –> 00:16:23,710
你将要干什么
you’re going to do.
383
00:16:23,710 –> 00:16:26,860
所以在这个实例中 UI 描述出了
So in this instance, that UI describing
384
00:16:26,860 –> 00:16:31,000
Google Play 如何使用指纹识别
how fingerprint is taken place is being drawn entirely by Google Play.
385
00:16:31,000 –> 00:16:32,875
他们需要描述接下来要做的事情
They get to describe, we’re going to do this.
386
00:16:32,875 –> 00:16:35,590
这就是我们如何使用它的做法 如果你也想这样
And here’s how we’re going to use it, if they want to do that.
387
00:16:35,590 –> 00:16:37,589
你也可以在你的应用中这样做
And you can do that in your application as well.
388
00:16:39,880 –> 00:16:43,740
这里提供一个快速示例 非常直观的
Just to give a quick example, very, very straightforward how
389
00:16:43,740 –> 00:16:51,340
展示如何把应用与指纹绑定
you create a key in this instance and then bind that to a fingerprint.
390
00:16:51,340 –> 00:16:53,590
在这个实例中 我想特意强调的是
In this instance, the thing that I wanted to highlight
391
00:16:53,590 –> 00:16:57,836
你事实上创建了一个回调
is that you’re actually creating a callback, a wrap based
392
00:16:57,836 –> 00:16:59,210
一个基于密钥的包装
on the key, and you’re only going
393
00:16:59,210 –> 00:17:02,884
如果用户验证成功了你只需要解密就行了
to do the decryption if the user has successfully authenticated.
394
00:17:02,884 –> 00:17:04,550
所以你现在知道与你应用
So you now know that the data associated
395
00:17:04,550 –> 00:17:06,630
相关的数据都是包装在密钥中的
with your application that’s been wrapped in that key
396
00:17:06,630 –> 00:17:09,254
只有通过验证的用户
simply doesn’t exist and is not accessible until after the user
397
00:17:09,254 –> 00:17:10,690
才能够访问这些数据
is authenticated.
398
00:17:10,690 –> 00:17:15,945
我再花几分钟时间说一下直接启动
I’ll talk in a couple of minutes about how we’re doing direct to boot.
399
00:17:15,945 –> 00:17:18,690
它有一个相似的模块 就是应用数据
And it has a similar model, where application data is not
400
00:17:18,690 –> 00:17:22,880
只有在用户已经被验证过了之后才能被获取
available until the user has already been authenticated.
401
00:17:22,880 –> 00:17:26,079
最佳范例
So a couple of best practices, I think
402
00:17:26,079 –> 00:17:30,680
我认为这对于
that there’s a real opportunity to auth-bound keys
403
00:17:30,680 –> 00:17:36,100
验证密钥锁屏和安全锁屏的使用
to drive both adoption of the use of authentication
404
00:17:36,100 –> 00:17:38,030
来说是一个真正的机会
on the lock screen and secure lock screen.
405
00:17:38,030 –> 00:17:40,010
同时也简化了用户与
And also to simplify the way that the user
406
00:17:40,010 –> 00:17:42,051
应用之间的交互方式
is going to be interacting with your application.
407
00:17:42,051 –> 00:17:44,720
因此当用户使用你的应用时
Then you don’t need to have a check for pin or password
408
00:17:44,720 –> 00:17:45,930
你就没有必要再让用户做出 pin 码或是密码检查了
when a user comes in to your application,
409
00:17:45,930 –> 00:17:46,830
即使应用中包含很多敏感数据
no matter how sensitive it is.
410
00:17:46,830 –> 00:17:49,455
因为你知道他们在解锁屏幕时
Because you know that they very recently have gone through that
411
00:17:49,455 –> 00:17:51,310
已经验证过身份了
authentication already at the lock screen.
412
00:17:51,310 –> 00:17:53,770
所以我是明确鼓励使用上述机制的
So I would definitely encourage using that mechanism.
413
00:17:53,770 –> 00:17:55,140
你可以设定一个时间上限
You can time bound it and say, if they’ve
414
00:17:55,140 –> 00:17:57,310
可以是一分钟 五分钟 十分钟
logged in the last minute, the last five minutes, the last 10
415
00:17:57,310 –> 00:17:59,610
只要是符合你应用的
minutes, whatever’s appropriate for your application
416
00:17:59,610 –> 00:18:03,891
安全规范就好
to drive good security practices consistent with your application.
417
00:18:03,891 –> 00:18:05,890
另一件我鼓励的事
The other thing that I would encourage you to do
418
00:18:05,890 –> 00:18:09,710
当然就是指纹解锁了
is certainly favor fingerprint.
419
00:18:09,710 –> 00:18:12,830
如果设备上有一个
You know the evidence seems to be that a fingerprint
420
00:18:12,830 –> 00:18:14,040
指纹识别器
readers exist on a device.
421
00:18:14,040 –> 00:18:16,130
那么用户总是倾向于使用它的
That’s going to be the mechanism that users are going to want to use.
422
00:18:16,130 –> 00:18:18,379
所以我也鼓励你
So I would encourage you to use that as your mechanism
423
00:18:18,379 –> 00:18:21,850
把指纹解锁
to do binding of authentication credentials
424
00:18:21,850 –> 00:18:24,400
加进你的解锁机制里
to key material inside of Keystore.
425
00:18:24,400 –> 00:18:26,414
如果指纹解锁
If that’s not available, then falling back
426
00:18:26,414 –> 00:18:28,830
不可用的话
to doing something like create confirmed device credential
427
00:18:28,830 –> 00:18:32,624
那就做点类似创建确认设备凭据
intent as a means to bind to whatever other secure lock
428
00:18:32,624 –> 00:18:34,040
之类的事
screen they have on the devices is
429
00:18:34,040 –> 00:18:36,110
用来安全的
a perfectly reasonable fallback for those devices where
430
00:18:36,110 –> 00:18:37,276
解锁设备
fingerprint isn’t available.
431
00:18:40,146 –> 00:18:42,020
其实我们已经谈到很多了
So we’ve covered a couple of features so far.
432
00:18:42,020 –> 00:18:44,620
下面我们来说一下加密部分
We’re going to get now into the crypto section.
433
00:18:44,620 –> 00:18:48,167
我们先来讨论一下网络安全 之后是安全存储
Talk first about secure networking and then get into secure storage.
434
00:18:54,860 –> 00:19:01,400
我很好奇究竟多少的细微改变
It’s amazing to me how often simple changes can make
435
00:19:01,400 –> 00:19:04,590
才能引发一个安全方面巨大的变革
a huge difference in security.
436
00:19:04,590 –> 00:19:08,210
我们花了一分钟思考
We spent a minute thinking about users and how many of them
437
00:19:08,210 –> 00:19:11,609
为什么有些用户选择不在锁屏上加密码
choose not to have a lock screen.
438
00:19:11,609 –> 00:19:12,650
因为这很复杂
Because it’s complicated.
439
00:19:12,650 –> 00:19:15,820
而且很麻烦 同样地
Because it’s difficult. In the same way,
440
00:19:15,820 –> 00:19:17,880
我们发现部分应用的开发者
we find that application developers often
441
00:19:17,880 –> 00:19:21,320
也同样选择不使用安全的网络传输
choose not to use secure networking because a little bit
442
00:19:21,320 –> 00:19:22,746
因为它太麻烦了
too difficult.
443
00:19:22,746 –> 00:19:25,120
所以我们在最近的几个发布版本中
So what we’ve been doing over the last couple of releases
444
00:19:25,120 –> 00:19:27,780
试着让它变得简单一点
is trying to make that simpler.
445
00:19:27,780 –> 00:19:29,672
麻烦的地方在于我们发现
One of the complexities that we found
446
00:19:29,672 –> 00:19:31,130
应用的开发者
is that application developers just
447
00:19:31,130 –> 00:19:34,650
不知道他们现在使用的网络传输是否安全
don’t know whether they’re using secure traffic or not.
448
00:19:34,650 –> 00:19:37,860
一个很普遍的例子是 他们在应用中
A good example might be, they’ve incorporated an advertising
449
00:19:37,860 –> 00:19:40,190
加入了广告包
library into their application.
450
00:19:40,190 –> 00:19:44,340
为了使广告内容
Does that advertising library use HTTPS to request assets
451
00:19:44,340 –> 00:19:46,680
个性化
when it sends up device identifiers or user identifiers
452
00:19:46,680 –> 00:19:48,555
发送设备标识或是用户标识时
in order to request those advertisements that
453
00:19:48,555 –> 00:19:50,490
广告包是否用的是HTTPS请求
have been personalized for that application?
454
00:19:50,490 –> 00:19:51,856
你知道吗
Do you know?
455
00:19:51,856 –> 00:19:54,230
Android Marshmallow 的其中一个特点就是
And so one of the features that was introduced in Android
456
00:19:54,230 –> 00:19:57,040
允许应用控制网络请求
Marshmallow was the ability for an application to say,
457
00:19:57,040 –> 00:20:00,430
我可以选择使用明文通信
you know what, I want to use clear-text traffic.
458
00:20:00,430 –> 00:20:05,010
或是相反地 我不想选择明文通信
And conversely, I don’t think that I need to use clear-text traffic.
459
00:20:05,010 –> 00:20:07,319
如果你在使用一个类似 gmail 的应用
If you’re an application like gmail,
460
00:20:07,319 –> 00:20:09,610
你可以说我知道我所有的连接
you can say I know that all my connections are going up
461
00:20:09,610 –> 00:20:10,210
都将上传到 Google 服务器中
to a Google server.
462
00:20:10,210 –> 00:20:11,300
这也是一种保护的手段
And that’s the one that’s been protected.
463
00:20:11,300 –> 00:20:11,410
当然
And.
464
00:20:11,410 –> 00:20:14,280
我也可以说 嗯 我不想使用任何明文通信
I can say, whoop, I’m going to not use any clear-text traffic.
465
00:20:14,280 –> 00:20:15,290
如果你是另一个应用
If you’re a different application,
466
00:20:15,290 –> 00:20:17,498
那么你就需要知道它是否
then you need to go through the process of evaluating
467
00:20:17,498 –> 00:20:18,440
在使用明文通信
whether it’s there.
468
00:20:18,440 –> 00:20:20,690
这就是我们做的
So this is a feature that was put in place to simplify
469
00:20:20,690 –> 00:20:22,648
快速明确你的应用是否
understanding whether your application actually
470
00:20:22,648 –> 00:20:23,890
在使用明文通信
uses clear-text traffic.
471
00:20:23,890 –> 00:20:26,710
而且能让用户知道
And to give users visibility into whether you think
472
00:20:26,710 –> 00:20:29,410
他的应用是否在使用明文通信
you use clear-text traffic.
473
00:20:29,410 –> 00:20:32,600
当然 这用起来也很简单
So, it’s really straightforward, very easy to use.
474
00:20:32,600 –> 00:20:34,730
它就在你的 manifests 中
Inside your manifests, it’s very simple.
475
00:20:34,730 –> 00:20:36,120
你使用明文通信了吗
Do you use clear-text traffic?
476
00:20:36,120 –> 00:20:38,160
没有
No.
477
00:20:38,160 –> 00:20:43,060
接着是 API 例如一个 URL
And then API, such as URL– yeah,
478
00:20:43,060 –> 00:20:48,160
HTTP://URL 连接 如果它不使同 HTTPS 是不会正常工作的
HTTP://URL Connect, where it’s not using HTTPS will simply not work.
479
00:20:48,160 –> 00:20:50,140
所以这些 API 被用于
So those APIs that are known to be
480
00:20:50,140 –> 00:20:52,959
保证通过网络传输的用户数据
insecure in transmitting user data across a network simply
481
00:20:52,959 –> 00:20:53,750
的安全
no longer function.
482
00:20:53,750 –> 00:20:55,083
它们将返回一个安全错误
They’ll return a security error.
483
00:20:55,083 –> 00:20:57,090
你就可以摆脱困境了
And you can bail out.
484
00:20:57,090 –> 00:20:59,290
这多方便
So that’s great.
485
00:20:59,290 –> 00:21:01,540
只可惜这导致了大部分的应用是安全的
Except that it turns out most applications
486
00:21:01,540 –> 00:21:03,695
而一小部分是不安全的
do some stuff secure and some stuff not secure.
487
00:21:03,695 –> 00:21:05,945
所以我们知道我们需要提供更强的灵活性
So we knew that we needed to provide more flexibility.
488
00:21:05,945 –> 00:21:07,570
所以我们在 Android N 中
And so that’s one of the things that we
489
00:21:07,570 –> 00:21:10,520
致力于更加精细的控制
began focusing on in Android N is how do we
490
00:21:10,520 –> 00:21:13,930
尤其是当我们了解到
have more granular controls while recognizing
491
00:21:13,930 –> 00:21:16,810
存在于 SSL 和 TLS 栈中的粒度
that the granularity that’s existed in SSL and TLS
492
00:21:16,810 –> 00:21:20,140
已经成为了在实现部署中
Stacks and the SSL APIs has been a source
493
00:21:20,140 –> 00:21:24,370
难以置信的复杂与困难的来源
of incredible complexity and incredible difficulty in deployment.
494
00:21:24,370 –> 00:21:27,010
所以我们想在网络安全配置方面做的工作就是
And so what we want to do with network security config
495
00:21:27,010 –> 00:21:30,710
让身为应用开发者的你在使用安全传输时
is make it really easy for you, as an application developer,
496
00:21:30,710 –> 00:21:33,700
更容易
to know where you’re using secure transports.
497
00:21:33,700 –> 00:21:35,207
而且在这过程中
And then to control those transports
498
00:21:35,207 –> 00:21:37,540
不会使你的代码变得更复杂
in a way that doesn’t make your coding really difficult.
499
00:21:37,540 –> 00:21:38,970
它非常清晰
So it’s entirely declarative.
500
00:21:38,970 –> 00:21:40,300
因为它全在 manifest 里
And it’s all in the manifest.
501
00:21:40,300 –> 00:21:43,170
现在让我们谈谈一些基础功能
So let’s talk about some of the basic capabilities.
502
00:21:43,170 –> 00:21:45,520
这是一个很简单的例子
Well here’s a really simple one.
503
00:21:45,520 –> 00:21:49,110
原来 我没有在每个地方都使用安全通路
It turns out, I don’t use secure traffic everywhere.
504
00:21:49,110 –> 00:21:51,822
但是我知道我正在 secure.example.com 上使用它
But I know that I use it on secure.example.com.
505
00:21:51,822 –> 00:21:54,160
这样我就可以使用 domain-config
And so I can use a domain config.
506
00:21:54,160 –> 00:21:59,060
我把它配置在使用安全通路的地方
I set up where this domain is one that uses secure traffic.
507
00:21:59,060 –> 00:22:03,560
当我指定为 false 时 它使用明文通信
OK, so it does use clear-text traffic, specifies it as false.
508
00:22:03,560 –> 00:22:06,340
而且我没有对任何要与我的应用交互的
And I don’t make any claims about any other domains
509
00:22:06,340 –> 00:22:09,030
域名做任何的要求
that my application might be interacting with.
510
00:22:09,030 –> 00:22:11,175
这样你就可以保持
So you can keep that advertising library
511
00:22:11,175 –> 00:22:12,800
广告库的不变
that otherwise would have prevented you
512
00:22:12,800 –> 00:22:14,870
也不用担心你应用的其他功能
from being confident about the rest of the functionality
513
00:22:14,870 –> 00:22:15,703
有任何的变化
of your application.
514
00:22:19,870 –> 00:22:22,210
这仅仅
So that’s the start of the types of things
515
00:22:22,210 –> 00:22:23,610
是开端
that you’d want to be able to do.
516
00:22:23,610 –> 00:22:25,401
我们发现的另外一件事情
Another thing that we’ve found is that it’s
517
00:22:25,401 –> 00:22:28,540
就是调试困难
very difficult to do debugging.
518
00:22:28,540 –> 00:22:31,100
这种情况很常见
We see that in the context of Google on a regular basis.
519
00:22:31,100 –> 00:22:32,980
我们在调试设备上的交互方式
The way that we interact with our debug infrastructure
520
00:22:32,980 –> 00:22:35,563
与真实发布设备上的交互方式
is different from the way that we do interact with our release
521
00:22:35,563 –> 00:22:36,450
非常不同
infrastructure.
522
00:22:36,450 –> 00:22:38,074
他们的密钥材料是不一样的
We have different key material on them.
523
00:22:38,074 –> 00:22:40,552
不是所有的 Android 设备中
We might not come from a certificate authority that’s
524
00:22:40,552 –> 00:22:43,380
都有权威机构的认证
a well known certificate authority that’s on all the Android devices.
525
00:22:43,380 –> 00:22:45,046
因为这仅仅是一个测试设备
Because it’s just a test infrastructure.
526
00:22:45,046 –> 00:22:47,240
而且你也不想为复杂而又昂贵的SSL
And you don’t want to have to pay for and maintain
527
00:22:47,240 –> 00:22:50,540
付费和维护
that sort of complex or costly SSL infrastructure.
528
00:22:50,540 –> 00:22:52,670
价格虽然不是那么高
Not that it’s that costly, but that’s the mindset
529
00:22:52,670 –> 00:22:54,049
但这是很多开发者的真实想法
of a lot of developers.
530
00:22:54,049 –> 00:22:57,100
所以我们要做的就是把它变得简单点
And so one of the things that we want to do is make it really simple.
531
00:22:57,100 –> 00:22:59,730
在过去 开发者的方法是
Because in the past, the way that developers have done this,
532
00:22:59,730 –> 00:23:02,340
他们必须通过一系列的自定义代码
is they’ve had to go through a lot of custom code
533
00:23:02,340 –> 00:23:04,680
来改变 SSL 在应用中的
to change how SSL handling took place
534
00:23:04,680 –> 00:23:06,380
操作模式
inside the context of their application.
535
00:23:06,380 –> 00:23:08,140
因此我们把网络安全配置的事
So we’re going to do that all in the manifest now with network
536
00:23:08,140 –> 00:23:09,357
全都放在了 manifest 中
security config.
537
00:23:09,357 –> 00:23:11,190
这样做就与原来基于
So that should make it really, really simple
538
00:23:11,190 –> 00:23:14,640
发布设施的做法完全不同了
for you to test in a way that’s distinct from, entirely
539
00:23:14,640 –> 00:23:17,490
这将变得极为简单
independent from, your release infrastructure,
540
00:23:17,490 –> 00:23:20,380
而且你再也不用写任何的自定义代码了
but also not have to write any custom code to do that.
541
00:23:20,380 –> 00:23:22,600
感觉如何
So what does it look like?
542
00:23:22,600 –> 00:23:26,460
在 network-security-config 中可以直接修改
Here’s a pretty simple way to do it, network security config.
543
00:23:26,460 –> 00:23:28,250
你需要加上 debug-overrides
You declare debug overrides.
544
00:23:28,250 –> 00:23:30,950
当你在调试应用的时候
And you set a different set of trust anchors
545
00:23:30,950 –> 00:23:34,796
设置一个不一样的 trust-anchors
when your application is running in a debug environment.
546
00:23:34,796 –> 00:23:36,670
你指定 trust-anchors 是什么
And you specify what those trust anchors are.
547
00:23:36,670 –> 00:23:39,210
你完全可以在你的应用里这么做 像在这做的一样
You can include them in your applications, as is being done here.
548
00:23:39,210 –> 00:23:41,126
事实上它们在你的应用中
This is actually specifying that they’re going
549
00:23:41,126 –> 00:23:42,644
被具体指定了
to be in your application.
550
00:23:42,644 –> 00:23:44,560
而且当你的应用调试完成以后
And you now know that when your application is
551
00:23:44,560 –> 00:23:49,260
你不用修改任何的代码
no longer in a debug build, no change to your code at all.
552
00:23:49,260 –> 00:23:51,080
你用发布版本发布出来
You’ve released it in release mode.
553
00:23:51,080 –> 00:23:52,090
你上传它
You ship it.
554
00:23:52,090 –> 00:23:54,287
所有有关调试的重写代码
And all of the code related to this debug overrides
555
00:23:54,287 –> 00:23:56,620
都不会再展示在应用之中
is no longer going to be present inside the application.
556
00:23:56,620 –> 00:23:57,578
非常直观
Really straightforward.
557
00:24:02,414 –> 00:24:03,830
你也许想做
You may want to do things that are
558
00:24:03,830 –> 00:24:08,160
比域名等级限制更复杂的事
more sophisticated than just domain level restrictions,
559
00:24:08,160 –> 00:24:10,150
使用 certificate-authorities 中的 built
using the built in certificate authorities,
560
00:24:10,150 –> 00:24:13,929
或从调试硬件中区别出
or differentiating your debug hardware, debug
561
00:24:13,929 –> 00:24:15,970
调试设施和发布设施
infrastructure, from your release infrastructure.
562
00:24:15,970 –> 00:24:17,905
所以我们再谈论下这个问题
So let’s talk about that for just a second.
563
00:24:17,905 –> 00:24:19,280
有很多种不同的方法
Here’s a couple of different ways
564
00:24:19,280 –> 00:24:21,920
可以限制你需要与之交互的证书
that you can actually limit the set of certificates
565
00:24:21,920 –> 00:24:25,280
而且不需要写一个你自己的
that you interact with without needing to write your own SSL
566
00:24:25,280 –> 00:24:28,520
SSL 错误处理器或是 SSL 证书确认程序
error handlers and SSL certificate validation routines.
567
00:24:28,520 –> 00:24:32,240
这是一个很简单的域名
Really simple one, these are domains for which
568
00:24:32,240 –> 00:24:34,760
需要把我们应用中的
we are going to include the certificates that
569
00:24:34,760 –> 00:24:38,960
证书绑定上去
are tied to those domains in our application.
570
00:24:38,960 –> 00:24:42,870
所以我们指定了 secure.example.com 和 cdn.example.com
So we specify secure.example.com, cdn.example.com.
571
00:24:42,870 –> 00:24:45,120
而这些应用与证书
And these are apps, these are certs, that are actually
572
00:24:45,120 –> 00:24:47,230
都将直接在我的应用里
going to be directly in my app.
573
00:24:47,230 –> 00:24:49,710
所以不需要依赖系统证书
So don’t rely on the system certificates.
574
00:24:49,710 –> 00:24:53,500
我也不需要买一个证书或是别人的认证
I don’t need to go buy a certificate or validate with somebody else.
575
00:24:53,500 –> 00:24:55,970
我应用的信任凭据就在
My application’s trust is contained entirely inside
576
00:24:55,970 –> 00:24:56,830
应用里面
of that application.
577
00:24:56,830 –> 00:24:58,580
这样我就可以连接到服务器了
And then I can connect out to that server.
578
00:25:02,759 –> 00:25:04,550
另一个我们经常问到的就是
Another thing that we often get asked about
579
00:25:04,550 –> 00:25:06,990
怎样证书锁定
is, how do I do certificate pinning?
580
00:25:06,990 –> 00:25:09,050
证书锁定 如果你对
Certificate pinning, in case you’re not
581
00:25:09,050 –> 00:25:11,050
这个术语不熟悉 就是判断
familiar with the term, is to identify
582
00:25:11,050 –> 00:25:15,082
一个特定的证书 不是 CA 不是证书链
a specific certificate, not a CA, no a certificate chain,
583
00:25:15,082 –> 00:25:17,540
是一个你需要与一个特定服务器
but a specific certificate that you expect to be associated
584
00:25:17,540 –> 00:25:19,080
通信的证书
with a particular web service.
585
00:25:19,080 –> 00:25:21,320
所以我们要介绍的一个功能就是
So one of the capabilities that we introduced here
586
00:25:21,320 –> 00:25:24,500
指定 pin 当然同样是在 manifest 中
is the ability to specify a pin, again directly in the manifest,
587
00:25:24,500 –> 00:25:26,740
你不需要修改 SSL 代码
so you don’t have to manipulate the SSL code
588
00:25:26,740 –> 00:25:28,470
或是你自己的证书
or do your own certificate validation.
589
00:25:28,470 –> 00:25:31,840
如果你想的话可以迅速的做出改变
And you can very quickly make a change to that if you’d like to do so.
590
00:25:31,840 –> 00:25:36,740
我担心锁定和管理你自己的信任凭据
I would caution that pinning and managing your own trusts
591
00:25:36,740 –> 00:25:38,100
会比较棘手
can be a little bit tricky.
592
00:25:38,100 –> 00:25:40,840
所以我们明确地鼓励你使用内置插件
And so we definitely encourage you to use the built ins.
593
00:25:40,840 –> 00:25:43,390
但是我们也想保证你的
But we also wanted to make sure that you have the flexibility
594
00:25:43,390 –> 00:25:44,877
灵活性
to do things.
595
00:25:44,877 –> 00:25:46,960
如果你不想刁难自己的话
if you really want to cause yourself a little more
596
00:25:46,960 –> 00:25:50,120
你最好还是这样做
grief than you otherwise had to do.
597
00:25:50,120 –> 00:25:54,649
这是我幻灯片里想讲述的重点
So here’s how I would describe that in bullet points on a slide.
598
00:25:54,649 –> 00:25:57,190
我们在网络安全配置方面
There’s a bunch of changes that we made with network security
599
00:25:57,190 –> 00:25:59,590
做了很多的改变 而且我们认为这些改变
config and some best practices that we
600
00:25:59,590 –> 00:26:03,240
几乎适用于每个人
think are appropriate for nearly everyone.
601
00:26:03,240 –> 00:26:05,330
一个很好的例子就是
A good example of that is identifying
602
00:26:05,330 –> 00:26:06,920
在所有域名中识别出
what are the domains that you expect
603
00:26:06,920 –> 00:26:10,210
你想要确保安全的那些域名
all of the traffic on those domains to be secure.
604
00:26:10,210 –> 00:26:11,340
然后着重保证它的安全
And actually specify that.
605
00:26:11,340 –> 00:26:14,442
如果它用明文通信 那就把它设置为 false
Say it uses clear-text traffic and set it to false.
606
00:26:14,442 –> 00:26:16,650
这样你就能确保不会意外地
So that you can make sure that you don’t accidentally
607
00:26:16,650 –> 00:26:19,220
通过这些网络发送任何不安全的数据
send any insecure data over those networks.
608
00:26:19,220 –> 00:26:22,451
理想状况是 我们希望你把它用在每一个地方
Ideally, we would like you to do it for everything.
609
00:26:22,451 –> 00:26:23,700
当然我们现在还不是很完美
But we’re not there quite yet.
610
00:26:23,700 –> 00:26:24,366
我们知道
We realize that.
611
00:26:24,366 –> 00:26:25,492
这是一个递进的过程
So this is incremental.
612
00:26:25,492 –> 00:26:26,950
最后我们将在整个
And eventually we’ll get to a point
613
00:26:26,950 –> 00:26:28,408
Android 生态系统中
where it can be done for everything
614
00:26:28,408 –> 00:26:30,550
的每一点网络访问上
across the entire Android ecosystem
615
00:26:30,550 –> 00:26:33,380
都用上这个技术
as we are pushing to do the same across the broader web.
616
00:26:36,020 –> 00:26:38,420
另一个我们做出的重要改变是
Another important change that was made
617
00:26:38,420 –> 00:26:41,380
用户的安装证书不再是默认的了
was that user installed certificates are no longer
618
00:26:41,380 –> 00:26:43,590
之前使用此设备的用户
trusted by default. The user on a device
619
00:26:43,590 –> 00:26:46,377
有权利在
has the ability to go in, add a certificate,
620
00:26:46,377 –> 00:26:48,210
应用与服务器
and, previously, had the ability to then man
621
00:26:48,210 –> 00:26:50,410
中间
in the middle, traffic between your application
622
00:26:50,410 –> 00:26:52,150
添加一个证书
and your server infrastructure.
623
00:26:52,150 –> 00:26:54,690
他们想那么做的原因有很多
There’s a lot of reasons why they might want to do that.
624
00:26:54,690 –> 00:26:56,231
同样地 你也有相当多的理由
And there’s a lot of reasons that you
625
00:26:56,231 –> 00:26:58,400
把这功能放到你的应用中
might want to enable it in your application as well.
626
00:26:58,400 –> 00:27:01,522
另一方面 我们发现在
On the other hand, we thought and we found in conversations
627
00:27:01,522 –> 00:27:03,730
开发者的对话中 绝大多数的开发者
with developers, that the vast majority of developers
628
00:27:03,730 –> 00:27:05,150
就这个没什么预期
don’t anticipate that.
629
00:27:05,150 –> 00:27:06,800
如果他们能连接到自己的服务器
And if they’re connecting to their own infrastructure
630
00:27:06,800 –> 00:27:09,091
又连接不到别的地方 那么他们就没有什么特殊的理由
and to nowhere else, they don’t see a particular reason
631
00:27:09,091 –> 00:27:10,020
这样做了
to enable that.
632
00:27:10,020 –> 00:27:12,994
所以这就有了用户在无意中
And so there was a risk of users unintentionally
633
00:27:12,994 –> 00:27:15,990
安装了有可能导致中间人攻击的证书
installing certificates that could allow for a man in the middle.
634
00:27:15,990 –> 00:27:19,530
所以我们改变了这种默认的安装方式
And so we’ve changed the default to no longer have
635
00:27:19,530 –> 00:27:22,160
在默认情况下 允许在
user certificates be, by default,
636
00:27:22,160 –> 00:27:26,002
应用与终端之间拦截通信
able to intercept traffic between your application and your endpoint.
637
00:27:26,002 –> 00:27:27,460
如果你愿意的话你也可以做出改变
You can change that if you want to.
638
00:27:27,460 –> 00:27:28,924
可能在你应用中的某些情况下
There may be situations where it’s
639
00:27:28,924 –> 00:27:31,340
是适用的
appropriate to do that in the context of your application.
640
00:27:31,340 –> 00:27:31,780
有些则不适用
There may not.
641
00:27:31,780 –> 00:27:35,630
这取决于你
It’s something for you to take a look at and make a determination for.
642
00:27:35,630 –> 00:27:38,840
我们致力的另一件事就是简化调试
The other thing that we’ve tried to do is simplify debugging.
643
00:27:38,840 –> 00:27:41,230
我们建议你可以试一试
So I would encourage you to go look at your application.
644
00:27:41,230 –> 00:27:45,170
如果你使用了任何的 SSL 操作
If you have any SSL handling that you’ve implemented
645
00:27:45,170 –> 00:27:48,300
比如说自定义操作 自定义认证 或其他自定义的 SSL 操作
that’s custom handling, custom cert verification, custom SSL
646
00:27:48,300 –> 00:27:52,110
你可以用网络安全配置替换之
handlers, you probably can replace that with network security config
647
00:27:52,110 –> 00:27:53,630
这样做将更简单
and make it much easier to make sure that you
648
00:27:53,630 –> 00:27:54,838
而且不容易出错
don’t make a mistake in that.
649
00:27:58,950 –> 00:28:01,760
如果你还想做的更多
If you want to do something and you
650
00:28:01,760 –> 00:28:04,460
而且你觉得有信心
feel confident in your ability to manage
651
00:28:04,460 –> 00:28:06,414
管理你自己的证书 我们同样
your own certificates, we’ve provided that
652
00:28:06,414 –> 00:28:08,830
提供更简单的做法
and try to make that a little bit simpler for you as well.
653
00:28:08,830 –> 00:28:13,094
不过就像我刚才说的 这么做可能更复杂
But as I mentioned, this is a little bit more difficult
654
00:28:13,094 –> 00:28:14,510
而且更容易出错
and a little bit more error prone.
655
00:28:14,510 –> 00:28:16,635
这是你需要想清楚的地方
So it’s something that you’d want to think through.
656
00:28:20,870 –> 00:28:22,930
上述就是网络相关的内容
So we talked about networking.
657
00:28:22,930 –> 00:28:25,370
下面我们来聊聊我们经常提到的加密技术
Now let’s get into the thing that we so often just refer
658
00:28:25,370 –> 00:28:30,980
2016年的大型加密讨论
to as encryption, the big encryption debates of 2016.
659
00:28:30,980 –> 00:28:32,920
我花费了很多时间来谈论
I’ve been spending a lot of my time talking
660
00:28:32,920 –> 00:28:35,390
为什么存储加密对
about why it is that storage encryption is
661
00:28:35,390 –> 00:28:38,060
用户数据的保护如此的重要
so important for protecting user data.
662
00:28:38,060 –> 00:28:41,320
我们用类似 Android Pay 这样的应用
The benefits that it has accrued on the ecosystem where we’re
663
00:28:41,320 –> 00:28:44,350
让开发者能够在 Android 生态系统中获得收益
now able to deliver applications like Android Pay, where it’s
664
00:28:44,350 –> 00:28:47,560
因此对开发者来说 设备信息的
possible for a developer to rely on the integrity
665
00:28:47,560 –> 00:28:49,530
完整性和机密性
and the confidentiality of information
666
00:28:49,530 –> 00:28:51,890
是相当关键的
that’s critical to the application on the device.
667
00:28:51,890 –> 00:28:54,430
这就是我们在所有装载有 Marshmallow
That’s one of the reasons among many
668
00:28:54,430 –> 00:28:58,690
系统的设备上开始推广加密技术
that we’ve moved towards requiring encryption on all capable devices
669
00:28:58,690 –> 00:29:00,170
的原因
starting with Marshmallow.
670
00:29:00,170 –> 00:29:02,010
这是强制执行的
We made that mandatory.
671
00:29:02,010 –> 00:29:04,980
我们会把它变得越来越健壮
And we’ve been making that more and more robust.
672
00:29:04,980 –> 00:29:07,522
因为我们认为直接对用户设备的物理威胁
Because we think direct physical threats to the user’s device
673
00:29:07,522 –> 00:29:09,896
也是我们需要考虑的事情
are one of the things that we need to be concerned about.
674
00:29:09,896 –> 00:29:12,350
这就是我们开始推广的设备名单
These are devices that we move around in the world with.
675
00:29:12,350 –> 00:29:14,520
这也包括手环之类的设备
They are sometimes attached to your wrist.
676
00:29:14,520 –> 00:29:16,400
也包括你车中的设备
They’re sometimes in your car.
677
00:29:16,400 –> 00:29:19,610
有多种强存储加密方式
There’s a lot of different ways that having strong storage
678
00:29:19,610 –> 00:29:22,540
对 Android 的安全来说是非常重要的
encryption is really fundamental to Android security.
679
00:29:22,540 –> 00:29:24,850
但这不意味着我们不能把它变得更好
But that doesn’t mean we can’t make it better.
680
00:29:24,850 –> 00:29:26,370
也不意味着我们不能在用户体验的角度上
It doesn’t mean that we can’t improve it from a user
681
00:29:26,370 –> 00:29:27,360
把它变得更好
experience standpoint.
682
00:29:27,360 –> 00:29:29,360
Android N 的一个重大变化就是
And so one of the big changes with the Android N
683
00:29:29,360 –> 00:29:31,950
直接启动
is what we refer to as Direct Boot.
684
00:29:31,950 –> 00:29:34,140
我将分别从用户和开发者的角度说
I’ll talk about it both from a user perspective
685
00:29:34,140 –> 00:29:37,730
不过在开发者的角度上会多说一点
and then I’ll get into it a little bit from a developer’s perspective.
686
00:29:37,730 –> 00:29:40,020
从用户的角度来说 直接启动
From a user perspective, direct boot basically
687
00:29:40,020 –> 00:29:44,700
意味着我不需要重复的输入密码了
means I don’t go through two times putting in my user’s password.
688
00:29:44,700 –> 00:29:46,330
我不必输入两次
I don’t have to double enter that.
689
00:29:46,330 –> 00:29:49,205
因为在设备开启的时候
Because currently, the first time the device comes up,
690
00:29:49,205 –> 00:29:50,080
就已经输入过了
you have to enter it.
691
00:29:50,080 –> 00:29:51,430
然后设备就被解锁了
The device is then decrypted.
692
00:29:51,430 –> 00:29:54,650
然后你就可以与应用交互了
And then you get it again as you’re interacting with it.
693
00:29:54,650 –> 00:29:56,110
这也意味着在你第一次进入之后
It also means that all of the data
694
00:29:56,110 –> 00:29:58,276
所有的数据都被解锁了
is decrypted after you’ve entered it the first time.
695
00:29:58,276 –> 00:30:00,620
我再简单说两句
So we’ll talk about that more in just a second.
696
00:30:00,620 –> 00:30:04,440
全盘加密的另一个挑战就是
Another challenge that exists with full disk encryption
697
00:30:04,440 –> 00:30:09,460
所有的数据都一直处于保护之中
is it means that, yes, all the data is protected all the time.
698
00:30:09,460 –> 00:30:15,460
直到用户输入了他们的密码 你就完蛋了
But until the user has entered their password, you’re stuck.
699
00:30:15,460 –> 00:30:18,090
因为没有应用能访问数据
No application has the ability to access data.
700
00:30:18,090 –> 00:30:22,272
所以其中一个重要的改变就是设备现在就被启动了
And so one of the important changes is the device will now come up.
701
00:30:22,272 –> 00:30:24,480
还有运行在后台的东西
And things that are running in the background, things
702
00:30:24,480 –> 00:30:30,479
像是来电 短信
like inbound calls, inbound SMS, your alarm
703
00:30:30,479 –> 00:30:32,020
你要早起赶上
clock in the morning for those of you
704
00:30:32,020 –> 00:30:34,270
6点从旧金山
who had to get up earlier than the six o’clock shuttle
705
00:30:34,270 –> 00:30:36,432
开来的公交车
coming down from San Francisco, who
706
00:30:36,432 –> 00:30:38,890
别人都不像我运气这么好
didn’t have the fortune that I did of having a two-year-old
707
00:30:38,890 –> 00:30:42,430
因为我在三点就醒了 而这种情况持续了两年
wake you up at 3:00 so you were already awake.
708
00:30:42,430 –> 00:30:43,980
你依赖你的闹钟吗
You rely on your alarm clock?
709
00:30:43,980 –> 00:30:48,350
我已经超过六个月没这么做了
I don’t have to do that for another six or so months.
710
00:30:48,350 –> 00:30:51,240
所以我们开始了这项工作
And so we move towards making that work,
711
00:30:51,240 –> 00:30:53,694
即使用户还没有把它们放进凭据里
even if the user hasn’t put in their credential.
712
00:30:53,694 –> 00:30:55,860
以上就是站在用户角度上的讨论
So that’s what it looks like from a user standpoint.
713
00:30:55,860 –> 00:30:57,630
那从开发者的角度来说呢
What’s it look like from a developer standpoint?
714
00:30:57,630 –> 00:31:01,340
我们介绍关于存储加密的两种不同观念
We introduced two different concepts in terms of storage encryption.
715
00:31:01,340 –> 00:31:04,020
第一种就是你最熟悉的
The first is the one that’s most familiar to you
716
00:31:04,020 –> 00:31:06,750
凭据加密
right now, credential encryption.
717
00:31:06,750 –> 00:31:10,660
这意味着只有用户进入了他们的凭据之后
That means this data is only available after the user has
718
00:31:10,660 –> 00:31:12,940
才能访问数据
entered their credential.
719
00:31:12,940 –> 00:31:16,070
还有一种就是我们刚才提到的设备加密数据
We also have what we refer to as device encrypted data.
720
00:31:16,070 –> 00:31:21,720
这种数据只有用 TrustZone 中存储的密钥才能访问
This is data that’s available with a key that’s stored in TrustZone.
721
00:31:21,720 –> 00:31:24,740
这就是防止数据泄露的
So it’s protected in a variety of different mechanisms
722
00:31:24,740 –> 00:31:25,820
各种手段
against extractions.
723
00:31:25,820 –> 00:31:27,560
数据仍然是被加密的
The data is still encrypted, but it’s
724
00:31:27,560 –> 00:31:30,810
不过是被与设备相关联的密钥加密了
encrypted with a key that’s only tied to the device.
725
00:31:30,810 –> 00:31:32,880
默认情况下 应用还是运行在
Applications by default are going
726
00:31:32,880 –> 00:31:34,700
凭据加密环境下
to run in credential encrypted environment.
727
00:31:34,700 –> 00:31:37,328
所以如果你不做出任何改变 你所要做的就是
So if you don’t change anything, the behavior you have is going
728
00:31:37,328 –> 00:31:39,240
弄懂你的应用是如何工作的
to be exactly the way your application works now,
729
00:31:39,240 –> 00:31:41,590
用户一旦登入设备
which is once the user logs in, you can access the data
730
00:31:41,590 –> 00:31:43,860
你就可以用上述方式访问数据了
and you can kind of proceed along your way.
731
00:31:43,860 –> 00:31:48,030
但是如果你的应用在用户解锁设备之前
But if you have an application that requires access
732
00:31:48,030 –> 00:31:50,800
就需要访问数据的话
to information potentially before the user had entered
733
00:31:50,800 –> 00:31:54,220
你可以把你的应用标记为直接启动感知
their credentials, you can declare yourself to be direct boot aware.
734
00:31:54,220 –> 00:31:56,705
这样你在被声明为
And then you have access to the data
735
00:31:56,705 –> 00:31:58,830
直接启动感知的 activity 中
in the context of the activity that’s been declared
736
00:31:58,830 –> 00:31:59,947
就可以直接访问数据了
to be direct boot aware.
737
00:31:59,947 –> 00:32:01,530
当然你也可以直接与之交互
And you can actually interact with it.
738
00:32:01,530 –> 00:32:03,080
这就是 TalkBack 的工作原理
So that’s how TalkBacks works.
739
00:32:03,080 –> 00:32:04,880
这就是短信的工作原理
That’s how a SMS’ works.
740
00:32:04,880 –> 00:32:07,890
这就是闹钟
That’s how alarms store, this is an alarm,
741
00:32:07,890 –> 00:32:09,510
尤其是在重启后
and immediately upon reboot, I want
742
00:32:09,510 –> 00:32:11,010
的工作原理
to be able to execute on that alarm.
743
00:32:13,979 –> 00:32:16,810
怎样声明直接启动感知呢
What does it mean to declare yourself to be direct boot aware?
744
00:32:16,810 –> 00:32:18,184
非常直观
Pretty straightforward.
745
00:32:18,184 –> 00:32:19,850
上半部分在 manifest 里
The top half of this is in the manifest.
746
00:32:19,850 –> 00:32:22,000
你只需要说 我是直接启动感知就行了
You just say, I’m direct boot aware.
747
00:32:22,000 –> 00:32:25,890
然后 receiver 就被触发了
OK, and then that receiver can be triggered.
748
00:32:25,890 –> 00:32:29,270
这样一个 intent 就被触发了
In the event that a particular intent is fired like,
749
00:32:29,270 –> 00:32:32,566
也许是叫 boot complete 吧
I don’t know, boot complete, then your application
750
00:32:32,566 –> 00:32:36,470
然后你的应用就会根据特定的 receiver 运行
will start running in the context of that particular receiver.
751
00:32:36,470 –> 00:32:38,862
为了使用存储 你最可能干的事情
To use storage, which presumably is one of the things
752
00:32:38,862 –> 00:32:40,320
就是你需要
that you’d want to do, you’re going
753
00:32:40,320 –> 00:32:44,550
在设备保护存储中
to need to create storage that’s in the context of device
754
00:32:44,550 –> 00:32:45,330
开辟一块存储空间出来
protected storage.
755
00:32:45,330 –> 00:32:47,340
这是底部的一小段代码
And so there’s a little snippet of code down there at the bottom.
756
00:32:47,340 –> 00:32:48,530
你创建你应用的 context
You create your app context.
757
00:32:48,530 –> 00:32:49,571
你使用你应用的 context
You use your app context.
758
00:32:49,571 –> 00:32:52,480
你创建一个设备保护与存储的 context
And then you create a device protect and storage context.
759
00:32:52,480 –> 00:32:53,860
然后只需把它打开就行了
And then you just open it.
760
00:32:53,860 –> 00:32:56,330
你可以用任何你喜欢的方式与之交互
You interact with it exactly like you would any other way.
761
00:32:56,330 –> 00:32:59,920
当你按我刚才说的那么做时
When you are running in what I refer to as the device context,
762
00:32:59,920 –> 00:33:02,100
与之相反的是凭据保护
as opposed to the credential protected context,
763
00:33:02,100 –> 00:33:05,680
你仍然可以创建凭据保护的文件
you can still create files that are credential protected.
764
00:33:05,680 –> 00:33:06,770
你只是不能读取它们
You just can’t read them.
765
00:33:09,401 –> 00:33:11,400
但你仍然可以做很多事情
But there are lots of ways that could be useful.
766
00:33:11,400 –> 00:33:12,150
你可以往后附加
You can append.
767
00:33:15,030 –> 00:33:17,560
如果你收到一封邮件
So if you receive an inbound mail message.
768
00:33:17,560 –> 00:33:20,460
那你就需要转换成一个很糟糕的邮件
And you’ve got a really horrible mail storage
769
00:33:20,460 –> 00:33:22,500
存储格式 然后附加在后面
format where you just append.
770
00:33:22,500 –> 00:33:25,291
你可以仅拿到标题然后展示在锁屏界面上
You could just grab the headers and display that on the lock screen.
771
00:33:25,291 –> 00:33:27,160
然后获取真实的内容
And then take the actual content and push it
772
00:33:27,160 –> 00:33:29,197
并把它放到凭据保护存储里
into credential protected storage.
773
00:33:29,197 –> 00:33:31,280
你可能只是因为缓存才这么做
You’d probably want to do that just for the cache,
774
00:33:31,280 –> 00:33:32,857
而非针对所有的邮件
not for all of your mail.
775
00:33:32,857 –> 00:33:34,440
在需要有精致的用户体验地方
But you could do those kinds of things
776
00:33:34,440 –> 00:33:35,898
为了维护最佳的安全
where you have a sophisticated user
777
00:33:35,898 –> 00:33:38,810
你也可以这样做
experience while maintaining optimal security.
778
00:33:38,810 –> 00:33:42,020
下面我们来谈谈最佳范例
So let’s talk about some of those best practices.
779
00:33:42,020 –> 00:33:44,870
第一个我想说的就是使用默认值
The first thing I want to do is point out, just use the defaults.
780
00:33:44,870 –> 00:33:46,320
绝大部分的应用
The vast majority of applications,
781
00:33:46,320 –> 00:33:47,861
你是不希望在用户登录之前
you’re not expecting your application
782
00:33:47,861 –> 00:33:50,925
做太多事情的
to do much, if anything, prior to the user logging in.
783
00:33:50,925 –> 00:33:53,170
这就跟默认模式非常匹配了
And so it’s perfectly appropriate to use the defaults.
784
00:33:53,170 –> 00:33:55,727
从安全的角度来说这也是比较理想的
And that sort of optimal from a security standpoint.
785
00:33:55,727 –> 00:33:58,310
这也使你的开发更简单
It also makes your life a little bit simpler because you don’t
786
00:33:58,310 –> 00:34:00,880
因为你不需要想 我现在是不是要接入设备的内容啦
have to think, is this available to me now in the device context?
787
00:34:00,880 –> 00:34:02,480
我能够接入凭据吗
Am I able to access credentials?
788
00:34:02,480 –> 00:34:04,050
如果你运行起来 那么数据就在这
It’s there if you’re running.
789
00:34:04,050 –> 00:34:08,750
如果你没有直接启动感知 那就是上述这样
If you aren’t direct boot aware, everything’s there if you’re running.
790
00:34:08,750 –> 00:34:10,333
如果你是直接启动感知的
If you are direct boot aware, then you
791
00:34:10,333 –> 00:34:12,850
那你就要明确在何时
have to be direct boot aware of which things are going
792
00:34:12,850 –> 00:34:15,510
什么数据是可以被访问的
to be available at that time.
793
00:34:15,510 –> 00:34:17,630
另一个最佳实践是 仔细想想
The other best practice is, think very carefully
794
00:34:17,630 –> 00:34:19,300
如果你是直接启动感知的
about if you are direct boot aware,
795
00:34:19,300 –> 00:34:21,674
哪些东西应该放入设备加密
which things do you want to put into the device encrypted
796
00:34:21,674 –> 00:34:23,830
或是设备保护存储中
or device protected storage?
797
00:34:23,830 –> 00:34:27,601
请不要把有效时间过长的凭据放进来
Please don’t put long live credentials into that area.
798
00:34:27,601 –> 00:34:29,100
如果你不想切断
So you don’t want to have off tokens
799
00:34:29,100 –> 00:34:31,266
用于连接 service 的 token 的话
that are sitting there that could be used to connect
800
00:34:31,266 –> 00:34:34,370
即使用户还没有
to a service, even though the user hasn’t authorized that
801
00:34:34,370 –> 00:34:36,855
进入凭据给它授权
by entering their credential.
802
00:34:36,855 –> 00:34:38,730
我们需要考虑的另一件事是
One of the things that we want to think about
803
00:34:38,730 –> 00:34:41,320
你能否限制 token 的范围
is, can you limit the scope of tokens?
804
00:34:41,320 –> 00:34:44,429
如果你有一个类似邮件接收器的东西
So if you have something like a mail receiver, maybe
805
00:34:44,429 –> 00:34:45,864
可能你只是想阅读邮件
you just want to read mail.
806
00:34:45,864 –> 00:34:49,370
但那并不意味着你将要发送邮件
But that doesn’t necessarily mean that you’re going to send it.
807
00:34:49,370 –> 00:34:50,750
如果你不希望用户
If you don’t expect the user ever
808
00:34:50,750 –> 00:34:52,270
在还没有登录设备的时候
to be able to send mail when they haven’t actually
809
00:34:52,270 –> 00:34:54,120
就能发送邮件
logged onto the device, you certainly
810
00:34:54,120 –> 00:34:55,661
你应该也不希望他们 嗯 比如说
don’t expect them to be able to like,
811
00:34:55,661 –> 00:34:58,740
删除他们的账户 删除他们所有的信息
I don’t know, delete their account, delete all of their messages.
812
00:34:58,740 –> 00:35:00,156
这些都是你不希望在用户登录之前
These are not tasks that you would
813
00:35:00,156 –> 00:35:02,650
看到的景象
expect to happen before the user has logged in.
814
00:35:02,650 –> 00:35:04,510
所以你想
And so you would want to limit the scope
815
00:35:04,510 –> 00:35:05,640
通过限制 token 的能力范围
of the ability of the application
816
00:35:05,640 –> 00:35:08,014
来限制应用
to perform those behaviors by limiting the authentication
817
00:35:08,014 –> 00:35:11,310
能力的范围
tokens that it has available inside that scope.
818
00:35:11,310 –> 00:35:12,810
还有我想提醒你的是
And then the other one that I hinted
819
00:35:12,810 –> 00:35:15,018
如果你收到了一些你认为是敏感的数据
at there, which is, if you receive some data that you
820
00:35:15,018 –> 00:35:18,030
接收它 然后加密
think is sensitive, receive it, put it somewhere that’s encrypted.
821
00:35:18,030 –> 00:35:20,519
你可以用类似公钥的非对称加密
You can either encrypt it locally using
822
00:35:20,519 –> 00:35:22,810
当然前提是你有
asymmetric cryptography like public key, where you just
823
00:35:22,810 –> 00:35:25,350
设备保护存储的公钥
have the key that you have the public key
824
00:35:25,350 –> 00:35:27,520
或是用凭据保护存储中的
in device protected storage and the private key
825
00:35:27,520 –> 00:35:31,554
私钥加密
to be able to decrypt it inside of the credential protected storage.
826
00:35:31,554 –> 00:35:33,970
所以你知道读取邮件的权限
So you know that that key and the ability to read the mail
827
00:35:33,970 –> 00:35:37,150
需要用户登录他们的设备
requires the user to have entered their password.
828
00:35:37,150 –> 00:35:40,830
你可以做很多的事情
There’s a variety of things you can do there as well.
829
00:35:40,830 –> 00:35:43,110
我们也正在努力中
OK, we’re making good progress.
830
00:35:43,110 –> 00:35:44,800
我还有十分钟就要离开了
We’ve got about 10 minutes left.
831
00:35:44,800 –> 00:35:47,405
下面我们将要谈一谈 verified boot 和沙盒
We’re going to barrel through verified boot and sandboxing.
832
00:35:47,405 –> 00:35:50,552
在最后会有两到三分钟的
And I think we’ll have two or three minutes to talk questions
833
00:35:50,552 –> 00:35:51,260
问答时间
there at the end.
834
00:35:51,260 –> 00:35:52,730
我会预留出来
And I’ll hang out for a while.
835
00:35:52,730 –> 00:35:56,200
享受在旧金山没有的阳光
Enjoy the sunshine, which we don’t have up in San Francisco.
836
00:35:59,020 –> 00:36:03,780
verified boot 已经被介绍过很多次了
Verified boot was introduced over a couple of releases
837
00:36:03,780 –> 00:36:06,810
而且在 M 版本上的设备装载
and then became required on M for devices
838
00:36:06,810 –> 00:36:10,070
有能力提供 verified boot 的硬件已经是必须的了
that had hardware capable of providing verified boot, which
839
00:36:10,070 –> 00:36:12,570
这在线性加密中基本相当于
basically amounts to devices that met a performance
840
00:36:12,570 –> 00:36:16,680
每秒50兆的高级加密标准
threshold of about 50 megabits per second AES in line encryption.
841
00:36:16,680 –> 00:36:18,680
顺便说 这包括了绝大多数的设备
That’s the vast majority of devices, by the way.
842
00:36:22,020 –> 00:36:26,690
在 N 中我们把所谓的强制模式
In N we moved from what we called enforcing mode
843
00:36:26,690 –> 00:36:29,010
转换成了严格强制模式
to strictly enforcing mode.
844
00:36:29,010 –> 00:36:32,200
在 M 中警告用户然后继续启动
With M it was acceptable for a device to warn the user
845
00:36:32,200 –> 00:36:35,017
是可以接受的
and then proceed to boot, as a mechanism
846
00:36:35,017 –> 00:36:37,100
这也是我们验证实际
for us to begin to validate how frequently were we
847
00:36:37,100 –> 00:36:38,100
出错率的一种机制
seeing errors in the field?
848
00:36:38,100 –> 00:36:39,520
我们看到了什么问题
What kinds of problems were we seeing?
849
00:36:39,520 –> 00:36:41,850
并确保这里将要出问题
And making sure that there was going to be disruption.
850
00:36:41,850 –> 00:36:44,010
我认为一个很有意思的特点是
One of, I think, the more intriguing features
851
00:36:44,010 –> 00:36:47,520
错误更正
that was introduced in verified boot was error correction.
852
00:36:47,520 –> 00:36:50,590
它是在 N 中被介绍的 它可以帮我们探测出
It was introduced with Android N. This gives us the ability
853
00:36:50,590 –> 00:36:54,760
位级错误 实际上是大量的位级错误
to detect bit level errors, and actually lots of bit level errors.
854
00:36:54,760 –> 00:36:57,760
实际上它们在内核层
And they actually get corrected at the time those blocks are
855
00:36:57,760 –> 00:37:00,290
被读取的时候就被纠正了
being read at the kernel level.
856
00:37:00,290 –> 00:37:03,430
所以 当你正用低端硬件处理问题时
And so, when you’re dealing with very low-end hardware,
857
00:37:03,430 –> 00:37:06,710
位级错误就是我们会遇到的问题了
bit level errors were a problem that we might run into.
858
00:37:06,710 –> 00:37:09,000
我们至少看到了一个实例
We’ve also seen at least one instance
859
00:37:09,000 –> 00:37:12,740
测试它们做出的改变
of testing where there were actually changes made
860
00:37:12,740 –> 00:37:15,740
在设备被 root 之后
that were– after a device had been rooted,
861
00:37:15,740 –> 00:37:17,349
通过增加 SU
there were changes made to allow it
862
00:37:17,349 –> 00:37:20,170
或是其他手段等等
to continue to be rooted by adding SU and a couple of other things.
863
00:37:20,170 –> 00:37:22,790
错误更正消除了这些改变
An error correction actually erased those changes.
864
00:37:22,790 –> 00:37:25,217
所以它们仍在那 但是你不能执行他们
So they were still there, but you couldn’t actually
865
00:37:25,217 –> 00:37:26,800
这很令人震惊吧
get them to execute, which is amazing.
866
00:37:26,800 –> 00:37:30,320
这是一次意外 但也足够让人兴奋
Totally an accident, but pretty exciting.
867
00:37:30,320 –> 00:37:33,470
我们开始留意到底有多少种检查
We’re beginning to see how those kinds of checks
868
00:37:33,470 –> 00:37:36,248
可以提高安全性 并且是在我们意料之外的
could actually improve security in more than the expected ways.
869
00:37:39,530 –> 00:37:42,720
verified boot 可以让开发者的你
Verified boot is part of making it easier for you
870
00:37:42,720 –> 00:37:44,480
更容易了解到你所运行的环境
as a developer to understand that you’re
871
00:37:44,480 –> 00:37:47,600
是一个非常安全的环境
running in an environment that is a strong secure environment.
872
00:37:47,600 –> 00:37:49,690
另一件
And so there’s one other thing that we
873
00:37:49,690 –> 00:37:52,320
我们要讨论的是 SafetyNet API
want to talk about in this context, which is the safety
874
00:37:52,320 –> 00:37:54,770
和补丁程序级别字符串
net API and patch level strings, which
875
00:37:54,770 –> 00:37:56,802
都是为了让开发者
are both mechanisms designed to make it easier
876
00:37:56,802 –> 00:37:58,260
更容易的弄明白
for you as an application developer
877
00:37:58,260 –> 00:38:01,310
什么是运行设备中的
to understand what is the security context of this device
878
00:38:01,310 –> 00:38:02,619
安全背景
that I’m running on?
879
00:38:02,619 –> 00:38:04,160
SafetyNet API
So the safety net API– I’ll give you
880
00:38:04,160 –> 00:38:07,090
我将用几秒钟的时间举一个示例代码
an example code in just a second– basically looks
881
00:38:07,090 –> 00:38:10,020
它基于设备的特性 而且适配到 Jelly Bean
at the device characteristics– and this goes back all the way
882
00:38:10,020 –> 00:38:15,070
来试着说明这是否是真实的设备
to Jelly Bean– and tries to understand whether this is a real device.
883
00:38:15,070 –> 00:38:17,990
它基于大量的硬件属性
It looks at a bunch of hardware characteristics,
884
00:38:17,990 –> 00:38:20,190
包括 GPU 是怎么工作的
including like how does the GPU work?
885
00:38:20,190 –> 00:38:21,910
GPU 的编号是什么
Not what is the GPU’s serial number?
886
00:38:21,910 –> 00:38:24,837
GPU 的执行操作是什么
Not what is– but performs operations on the GPU
887
00:38:24,837 –> 00:38:26,670
用于确保它是以一种
to make sure that it’s executing in a manner
888
00:38:26,670 –> 00:38:28,830
我们认为与
that we would expect to be consistent with a piece
889
00:38:28,830 –> 00:38:30,914
正在运行的操作系统的硬件
of hardware that matches this specification that’s
890
00:38:30,914 –> 00:38:33,760
相匹配的方式运行的
being provided by the operating system that’s running on top of it.
891
00:38:33,760 –> 00:38:35,740
所以我们收集了很多数据
So we aggregate a whole bunch of that,
892
00:38:35,740 –> 00:38:37,850
分析它们 然后反馈给你 yes
analyze that, and make a statement back to you
893
00:38:37,850 –> 00:38:40,225
这看起来像是一个
that yes, this looks like a real piece of hardware that’s
894
00:38:40,225 –> 00:38:43,190
运行某版本 Android 的兼容设备
running a version of Android that is a CTS compatible,
895
00:38:43,190 –> 00:38:45,894
由 OEM 检测 然后提交到 Google
tested by OEM, and then submitted to Google
896
00:38:45,894 –> 00:38:48,310
这样我们就能确定这是一个真实的硬件
so that we can confirm that it’s a real piece of hardware.
897
00:38:48,310 –> 00:38:50,102
因此 SafetyNet API 的
So that’s one of the goals of SafetyNet API
898
00:38:50,102 –> 00:38:52,900
一个目标就是让你对这个功能充满信心
is to make it possible for you to have that kind of confidence.
899
00:38:52,900 –> 00:38:54,608
另一个我们要介绍的是
And then another thing that we introduced
900
00:38:54,608 –> 00:38:56,980
Android 补丁程序级别字符串
was called the Android patch level string.
901
00:38:56,980 –> 00:39:00,500
补丁程序级别字符串非常非常的简单
The patch level string is really, really simple.
902
00:39:00,500 –> 00:39:02,900
你可以检测它 这样你就可以看到
You can check it, and you can see
903
00:39:02,900 –> 00:39:06,480
上次设备安全更新的时间
when is the last time this device got a security update?
904
00:39:06,480 –> 00:39:11,010
如果历史可以借鉴
If history is any guide, we’ve released now
905
00:39:11,010 –> 00:39:14,590
我们发布月度安全更新的次数已经有10次了
10 monthly security updates.
906
00:39:14,590 –> 00:39:16,590
如果这个字符串已经过期一个月了
If that string is more than a month out of date,
907
00:39:16,590 –> 00:39:19,160
那说明这个设备已经有安全问题了
there are publicly known security issues that affect that device.
908
00:39:19,160 –> 00:39:20,930
所以我们和设备制造商共同努力
So we’re working with OEMs and carriers
909
00:39:20,930 –> 00:39:23,430
确保升级推送能按时推送
to make sure that they’re able to deliver updates very, very quickly.
910
00:39:23,430 –> 00:39:25,510
但是作为应用开发者的你
But you as an application developer
911
00:39:25,510 –> 00:39:28,580
可能想评估
might want to look at that and evaluate
912
00:39:28,580 –> 00:39:30,800
你对具体设备的信任程度
how much trust you have in that particular device.
913
00:39:30,800 –> 00:39:32,400
尤其在企业的环境中
Especially in an enterprise context,
914
00:39:32,400 –> 00:39:34,734
我们看到越来越多的企业有类似这样的政策
we’re seeing more and more enterprises set policies that
915
00:39:34,734 –> 00:39:36,650
如果这个设备过期超过60天了
say things like, if this device is out of date
916
00:39:36,650 –> 00:39:39,780
那就不适合我的企业环境了
more than 60 days, it’s not appropriate for my enterprise environment.
917
00:39:39,780 –> 00:39:42,113
而且我们也想把这变得简单点
And we wanted to make that a really simple thing for you
918
00:39:42,113 –> 00:39:44,850
你不用安装一大批的热修复和补丁包
have to do so you don’t have a table of hot fixes and service
919
00:39:44,850 –> 00:39:47,530
来确保设备是安全的
packs to figure out whether a device is secure.
920
00:39:47,530 –> 00:39:50,790
如果这是在 KitKat 或是更高的版本 它有一个最近的安全补丁级别
If it’s on KitKat or above, and it has a recent security patch
921
00:39:50,790 –> 00:39:52,570
你就知道该升级了
level, you know it’s up to date.
922
00:39:52,570 –> 00:39:53,600
这是非常简便的
It’s pretty simple.
923
00:39:53,600 –> 00:39:57,684
正则表达式发挥了很大作用
Regular expressions help me to make that determination.
924
00:39:57,684 –> 00:40:00,620
让我们再用几秒钟谈论一下 SafetyNet
But let’s talk about SafetyNet for just a second.
925
00:40:00,620 –> 00:40:03,030
这不是一个由平台级别提供的 API
This is an API that’s not provided at the platform level.
926
00:40:03,030 –> 00:40:06,690
它是由 Google Play 服务提供的
It’s provided by a Google Play Services.
927
00:40:06,690 –> 00:40:08,460
相对来说比较直观
Relatively straightforward.
928
00:40:08,460 –> 00:40:09,590
你创建一个回调
You create a callback.
929
00:40:09,590 –> 00:40:10,440
你调用它
You invoke that.
930
00:40:10,440 –> 00:40:12,590
然后你拿到结果
And you get back the result. This is a result
931
00:40:12,590 –> 00:40:13,732
这就是要被签名的结果
that’s going to be signed.
932
00:40:13,732 –> 00:40:15,940
你想要看一下 SafetyNet 文件
You want to go to look at the SafetyNet documentation
933
00:40:15,940 –> 00:40:18,270
来确认 key 被签名成什么样了
to see what the key is that it’s been signed with.
934
00:40:18,270 –> 00:40:20,990
我们鼓励你做离线确认
We encourage you to do offline verification of this.
935
00:40:20,990 –> 00:40:23,210
然后你就在你的应用中接收到它了
So you receive it in the context of your application,
936
00:40:23,210 –> 00:40:25,090
之后你把它上传到服务器
but then you send it up to your server.
937
00:40:25,090 –> 00:40:26,690
然后服务器作出判断
And your server makes a determination
938
00:40:26,690 –> 00:40:29,640
判别这是否是从 Google 发来的
about whether this is a legitimate, signed statement
939
00:40:29,640 –> 00:40:30,896
合法的带签名陈述
that came back from Google.
940
00:40:30,896 –> 00:40:34,140
在带签名陈述中你要寻找什么呢
What are the things that you’re looking for in that signed statement?
941
00:40:34,140 –> 00:40:36,450
第一件事就是这是一个 nonce
The first is that there’s a nonce that
942
00:40:36,450 –> 00:40:39,480
它创建于服务器 下发到客户端
was created on your server, sent down to your client,
943
00:40:39,480 –> 00:40:40,780
再返回到服务器
comes back to your server.
944
00:40:40,780 –> 00:40:43,650
这和你递交的一样
And it’s the same as the nonce that you submitted.
945
00:40:43,650 –> 00:40:45,880
所以你想确保它确实经历了相同的过程
So you want to make sure that it actually went
946
00:40:45,880 –> 00:40:48,840
并且被 Google 签名了
through that same process and was signed by Google.
947
00:40:48,840 –> 00:40:51,580
然后它告诉你是不是有什么东西需要匹配 CTS
And then it tells you is this something that matches CTS?
948
00:40:51,580 –> 00:40:53,965
那么 是否匹配 CTS 呢
So, CTS profile match true or false?
949
00:40:53,965 –> 00:40:55,340
这将告诉你
That will give you a sense for is
950
00:40:55,340 –> 00:40:58,460
这是一个真实的硬件设备
this a device, a real hardware device, that
951
00:40:58,460 –> 00:41:01,390
已经经历了完整的 CTS 确认过程
has gone through the full CTS validation process
952
00:41:01,390 –> 00:41:03,220
并且正在以最初提交的
and is continuing to operate in the manner
953
00:41:03,220 –> 00:41:04,725
方式继续运行
that it was originally submitted.
954
00:41:04,725 –> 00:41:06,350
这是一群其他的环境
There’s a bunch of other context that’s
955
00:41:06,350 –> 00:41:09,710
你可以从中辨别这是不是你想要的
provided so you can validate that these are what you’re expecting.
956
00:41:09,710 –> 00:41:12,480
是不是你的应用给服务器提交的数据
Was it your app that sent up to the server?
957
00:41:12,480 –> 00:41:14,770
类似这样
Things like that.
958
00:41:14,770 –> 00:41:18,480
我最后想说的是沙盒
The last thing that I want to talk about is sandboxing.
959
00:41:18,480 –> 00:41:21,700
我们对 Android 中的沙盒寄予希望
Sandboxing is an area that we’ve been investing in in Android.
960
00:41:21,700 –> 00:41:23,742
每一次的发布都带来新的功能
With every release we introduce new capabilities.
961
00:41:23,742 –> 00:41:25,116
有一些事情
These are some of the things that
962
00:41:25,116 –> 00:41:27,240
在 Android M 和 N 中变化非常的大
have changed pretty significantly in Android M
963
00:41:27,240 –> 00:41:30,445
对 SELinux 有相当大的改进
and N. Significant improvements to SELinux, especially
964
00:41:30,445 –> 00:41:32,070
尤其是与驱动程序的交互
in the way that interacts with drivers.
965
00:41:32,070 –> 00:41:34,377
我们现在非常关心内核安全
We’re very concerned about kernel security right now.
966
00:41:34,377 –> 00:41:37,520
所以我们改变了使用 SELinux 的 ioctl 过滤方式
So we’ve made changes to the way ioctl’s are filtered with SELinux.
967
00:41:37,520 –> 00:41:43,160
Seccomp 同样考虑到
Seccomp, which also allows for filtering of interactions
968
00:41:43,160 –> 00:41:43,907
与内核的交互过滤
with the kernel.
969
00:41:43,907 –> 00:41:46,240
我将再多花一点时间谈论 Seccomp
Seccomp I’m going to I talk about more in just a moment.
970
00:41:46,240 –> 00:41:48,020
因为作为应用开发者的你
Because you, as an application developer,
971
00:41:48,020 –> 00:41:49,706
可以自己使用它
can actually use it yourself.
972
00:41:49,706 –> 00:41:51,580
这和 SELinux 有一点不同
Which is a little bit different from SELinux,
973
00:41:51,580 –> 00:41:54,410
我们所做的全都是直接适合你的配置
where we’ve done all the configuration for you directly.
974
00:41:54,410 –> 00:41:58,090
我们在 Android N 中用了两种工具使媒体服务器强化了很多
We’ve used those two tools to do a lot of mediaserver hardening
975
00:41:58,090 –> 00:42:01,780
而且我们同样也做了许多别的改变
in Android N. And then we’ve made a number of other changes
976
00:42:01,780 –> 00:42:06,430
为的是增强沙盒的健壮性
that we think increase the strength of the sandboxing.
977
00:42:06,430 –> 00:42:07,920
我们仅仅贴出了目录
We just put out a blog post.
978
00:42:07,920 –> 00:42:08,860
我知道它字很小
I know this is tiny.
979
00:42:08,860 –> 00:42:11,920
我也不认为你能阅读它
I don’t actually think you can read it.
980
00:42:11,920 –> 00:42:13,050
好吧 确实可以看到内容
It is actually readable.
981
00:42:13,050 –> 00:42:14,500
我不确定在投影仪上
All right, I wasn’t sure if it was even
982
00:42:14,500 –> 00:42:17,314
它能否显示清楚
going have enough pixels on the projector to be able to read it.
983
00:42:17,314 –> 00:42:18,730
我们贴出的目录
The blog post that we just put out
984
00:42:18,730 –> 00:42:21,680
描述了我们怎样使用这些性能
that describes how it is that we use some of these capabilities
985
00:42:21,680 –> 00:42:26,070
增强并拆解
to strengthen and really break down
986
00:42:26,070 –> 00:42:28,050
媒体服务器中的性能
the capabilities inside of mediaserver
987
00:42:28,050 –> 00:42:30,970
然后用 Seccomp 和 SELinux 把它们隔离起来
and isolate them using Seccomp and SELinux.
988
00:42:30,970 –> 00:42:34,310
所以如果一个区域出了问题 譬如说编码解码器
So that a compromise in one area, e.g. in the codec,
989
00:42:34,310 –> 00:42:36,420
在媒体服务器的环境中
doesn’t lead to a compromise in other areas
990
00:42:36,420 –> 00:42:37,700
不会导致在其他区域出问题
in the context of mediaserver.
991
00:42:37,700 –> 00:42:39,950
在你的应用中可以做同样的事情
But you can do the same thing inside your application.
992
00:42:39,950 –> 00:42:44,000
如果你有一个很复杂的金融业务
If you have a complex financial transaction that’s
993
00:42:44,000 –> 00:42:46,030
并且其中还有图像处理
based on image processing, you might
994
00:42:46,030 –> 00:42:48,152
你可能想把这两件事情分开
want to separate those two things apart.
995
00:42:48,152 –> 00:42:49,610
我不知道你为什么要这么做
I don’t know why you would do that.
996
00:42:49,610 –> 00:42:51,540
不过同时 这也有很多
But, at the same time, there are lots
997
00:42:51,540 –> 00:42:53,484
给信用卡拍照的应用
of apps that take pictures of credit cards
998
00:42:53,484 –> 00:42:55,150
之后试着处理信息
and then try to process that information
999
00:42:55,150 –> 00:42:56,830
然后支付
and then use that as a payment.
1000
00:42:56,830 –> 00:43:01,650
这是一个应用要做的事情
So it’s actually a thing that applications do do.
1001
00:43:01,650 –> 00:43:06,250
我们也把它广泛应用到了 Chrome 硬件中
We’ve also been using this pretty extensively to harden Chrome.
1002
00:43:06,250 –> 00:43:09,510
因为这里储存了你最敏感的凭据
Because that is something that stores your most sensitive
1003
00:43:09,510 –> 00:43:12,500
而且处理了很多
credentials and does a lot of processing of data
1004
00:43:12,500 –> 00:43:14,090
从互联网来的数据
that comes from the Internet.
1005
00:43:14,090 –> 00:43:16,040
在浏览器中这两件事
It’s ironic how close those two things
1006
00:43:16,040 –> 00:43:17,546
是非常紧密的
are in the context of a web browser.
1007
00:43:17,546 –> 00:43:19,920
所以这类平台级的性能很重要
So it’s really important that these kinds of capabilities
1008
00:43:19,920 –> 00:43:21,690
为的是
exist at the platform level to make
1009
00:43:21,690 –> 00:43:25,780
能够让应用更加健壮
it easy for that application to harden itself.
1010
00:43:25,780 –> 00:43:30,000
这是用 Seccomp 的一个范例
Here’s a sample of what it looks like to use Seccomp.
1011
00:43:30,000 –> 00:43:32,500
我们在媒体服务器的环境中开发了一个库
we actually created a library in the context of mediaserver.
1012
00:43:32,500 –> 00:43:33,958
所以如果你想深挖 Android 开源项目的话
So if you would dig around in AOSP,
1013
00:43:33,958 –> 00:43:37,800
你可能会发现一个叫 Mini Jail 的东西
you’ll be able to find something that’s called Mini Jail.
1014
00:43:37,800 –> 00:43:42,080
它讲述如何放置过滤器
And it describes how we set specific filters
1015
00:43:42,080 –> 00:43:46,030
来限制 Seccomp 中的
to limit the set of capabilities that each
1016
00:43:46,030 –> 00:43:48,170
或是硬件角度上的媒体服务器中的
of the different elements inside of Seccomp
1017
00:43:48,170 –> 00:43:52,645
每一个不同元素的性能
or inside of mediaserver have access to from hardware standpoint.
1018
00:43:52,645 –> 00:43:54,520
我们还做了很多别的事情
There are a bunch of other changes that we’ve
1019
00:43:54,520 –> 00:43:57,800
比如说让设备更难被破解
made as well, that make it more difficult for a device
1020
00:43:57,800 –> 00:43:59,400
以及其他我们谈论
to be compromised, things that we
1021
00:43:59,400 –> 00:44:02,859
关于沙盒强化时的一些想法
think about when we’re talking about hardening of sandbox.
1022
00:44:02,859 –> 00:44:04,650
它们也可能会对你的应用产生影响
They may have effects on your applications.
1023
00:44:04,650 –> 00:44:07,890
我也鼓励你看看那些
So I would encourage you to take a look at those
1024
00:44:07,890 –> 00:44:10,300
将要到来的改变
and be conscious that these changes are coming.
1025
00:44:10,300 –> 00:44:14,130
在这里也同样发生很多改变
So there are a couple of these changes here.
1026
00:44:14,130 –> 00:44:16,120
这是两个其他的 API
There are two other APIs that we’ve also
1027
00:44:16,120 –> 00:44:20,780
是关于抑制权限的
been very actively looking at to restrain the capabilities.
1028
00:44:20,780 –> 00:44:23,970
因为它们与滥用权限有关
Because they’ve been associated with abuse, basically.
1029
00:44:23,970 –> 00:44:27,150
我们给了设备管理很多权力
We gave a lot of power to device administrators.
1030
00:44:27,150 –> 00:44:29,224
比如说用户正在和
And it happens that that same power
1031
00:44:29,224 –> 00:44:31,140
他们的设备交互
to manage the way that the user is interacting
1032
00:44:31,140 –> 00:44:33,362
用勒索软件
with their device can be used to harm them
1033
00:44:33,362 –> 00:44:34,570
损害用户的利益
in the context of ransomware.
1034
00:44:34,570 –> 00:44:36,697
你改变了用户的密码然后说
You change the user’s password and then you say,
1035
00:44:36,697 –> 00:44:38,780
除非你付我钱否则我是不会让你登录回设备的
I’m not going to let you log back into your device
1036
00:44:38,780 –> 00:44:41,590
这是勒索软件的
until you pay me, is sort of the most fundamental way
1037
00:44:41,590 –> 00:44:42,922
常用做法
that ransomware can work.
1038
00:44:42,922 –> 00:44:45,796
所以我们做出了一些改变
And so we’re making changes to make it more difficult for applications
1039
00:44:45,796 –> 00:44:48,330
让这种应用不那么容易的能够访问这些API
to access those APIs.
1040
00:44:48,330 –> 00:44:49,850
同时我们也限制了
And then we’ve also limited the way
1041
00:44:49,850 –> 00:44:51,750
应用通过系统警告窗口
that applications can overlay content
1042
00:44:51,750 –> 00:44:55,230
覆盖在另一个应用上的方式
onto another application through system alert windows.
1043
00:44:55,230 –> 00:44:58,164
这也是我们强化了的地方
So that’s an area that we’ve been hardening as well.
1044
00:44:58,164 –> 00:45:00,580
抱歉两分钟的提问时间已经没有了
I lied when I said I would have two minutes for questions.
1045
00:45:00,580 –> 00:45:03,080
时钟告诉我还有五秒钟
The clock now says five seconds.
1046
00:45:03,080 –> 00:45:06,130
不过我们试着覆盖了所有的要点
But we managed to cover all of these key elements.
1047
00:45:06,130 –> 00:45:08,440
我不想在这多讲其他的了
I did want to leave you with a couple of pointers
1048
00:45:08,440 –> 00:45:10,690
以免你们陷入
to some additional information that you
1049
00:45:10,690 –> 00:45:14,250
过多的细节中
can look at to try to get into some more of the details here.
1050
00:45:14,250 –> 00:45:17,947
我将出去逛逛并乐于解答
And I will hang out outside and happy to answer any questions
1051
00:45:17,947 –> 00:45:18,780
你提出的所有问题
that you might have.
1052
00:45:18,780 –> 00:45:19,613
非常感谢
Thank you very much.
1053
00:45:19,613 –> 00:45:20,990
享受今天吧
Enjoy the rest of your day.
1054
00:45:20,990 –> 00:45:28,180
[MUSIC PLAYING]
YouTube视频链接:https://www.youtube.com/watch?v=XZzLjllizYs
字幕翻译:
1
00:00:01,820 –> 00:00:04,920
他们告诉我计时已经开始了
They pointed at me and the clock started moving.
2
00:00:04,920 –> 00:00:08,640
我们有44分钟外加56秒来讨论安全问题
We have 44 minutes and 56 seconds to talk about security.
3
00:00:08,640 –> 00:00:10,090
早上好
Good morning.
4
00:00:10,090 –> 00:00:12,270
现在是早上9点
It’s 9:00 AM.
5
00:00:12,270 –> 00:00:14,580
我今早6点就坐公交车从旧金山过来
I caught the bus down from San Francisco at 6:00 AM
6
00:00:14,580 –> 00:00:17,160
然后在公交车上修改了幻灯片的
this morning to clean up some last little details
7
00:00:17,160 –> 00:00:18,890
最后一点细节
of my slides on the bus.
8
00:00:18,890 –> 00:00:22,040
大家都吃早饭了吗
Did everybody find coffee and breakfast?
9
00:00:22,040 –> 00:00:23,420
如果还没,去吃吧
If not, go find it.
10
00:00:23,420 –> 00:00:24,110
然后再回来
Come back.
11
00:00:24,110 –> 00:00:26,380
我们会在这等一小会
We’ll be here for a little bit.
12
00:00:26,380 –> 00:00:28,560
我的名字叫 Adrian Ludwig
My name is Adrian Ludwig.
13
00:00:28,560 –> 00:00:30,730
我带领的 Android 安全团队
I head up the Android Security team
14
00:00:30,730 –> 00:00:34,539
在那个方向有至少3个展区
here at Google, or at least three blocks over that way at Google.
15
00:00:34,539 –> 00:00:38,310
我们负责 Android 平台的安全事务
We’re responsible for the security of the Android platform.
16
00:00:38,310 –> 00:00:41,190
这个平台具有多样性并且变化迅速
The platform is a broad, diverse, growing kind
17
00:00:41,190 –> 00:00:43,390
像你们知道的那样
of incredible thing, as many of you know.
18
00:00:43,390 –> 00:00:50,070
所以我们的工作范围也具有多样性而且变化迅速
So the scope of what we do is also broad, diverse, and growing.
19
00:00:50,070 –> 00:00:52,580
你已经看到了
You saw a couple things that were mentioned yesterday
20
00:00:52,580 –> 00:00:56,260
昨天提出的一些 Android N 的新特性
in the keynote that are new features that were introduced
21
00:00:56,260 –> 00:00:58,340
我们正致力于
in Android N that we’ve been working
22
00:00:58,340 –> 00:01:00,500
和其他的 Android 团队一起
with the rest of the Android team to enable,
23
00:01:00,500 –> 00:01:02,440
把类似文件基础加密 媒体服务器强化
things like File Based Encryption,
24
00:01:02,440 –> 00:01:04,640
以及自动更新等功能付诸实践
Media Server Hardening, and Automatic Updates.
25
00:01:04,640 –> 00:01:06,570
有一些核心改变在 Android N 的介绍中
These are some of the core changes that
26
00:01:06,570 –> 00:01:11,580
已经提到过了 那些建立在安全模型上的技术
have been introduced in Android N. Those of course
27
00:01:11,580 –> 00:01:17,010
现在已经扩展到 Android 平台中了
build on a security model that extends deep into the platform.
28
00:01:17,010 –> 00:01:19,160
这不是遥不可及的未来 它触手可及
It’s not just a future here, a future there.
29
00:01:19,160 –> 00:01:22,090
这些是关于我们如何把应用分段
It’s about how we have segmented applications.
30
00:01:22,090 –> 00:01:24,430
我们如何在 Android 平台中把权限独立出来
How we have isolated capabilities
31
00:01:24,430 –> 00:01:26,630
以及我们用来实现
in the platform and the underlying technologies
32
00:01:26,630 –> 00:01:29,540
这些安全功能的底层技术
that we’re using to deliver those security features.
33
00:01:29,540 –> 00:01:34,410
不过这并不仅仅限于 Android 自身
It’s not limited just to Android itself though.
34
00:01:34,410 –> 00:01:37,060
我们在 Android 操作系统
The work that we do in securing the Android operating
35
00:01:37,060 –> 00:01:39,660
Android 平台与 Android 生态系统中
system, the Android platform, and the Android ecosystem
36
00:01:39,660 –> 00:01:42,140
所做的安全工作已经被
extends to a broad range of applications
37
00:01:42,140 –> 00:01:46,210
扩展到了 Google 的安全服务范畴中
that we deliver that we talk about as the Google Security Services.
38
00:01:46,210 –> 00:01:49,290
这些在昨天的主题分享中
Those also got a very brief mention yesterday
39
00:01:49,290 –> 00:01:51,570
也提到过了
in the keynote that I wanted to flag,
40
00:01:51,570 –> 00:01:56,650
目前我们每天的扫描次数超过十亿次
which is that at present we’re doing over a billion scans per day.
41
00:01:56,650 –> 00:01:58,605
我们称之为“检测” 因为不做安全工作的人
We say checks, because non-security people are
42
00:01:58,605 –> 00:02:01,530
觉得相比扫描一词 检测听起来更让人舒服一点
more comfortable with the idea of doing a checkup than doing a scan.
43
00:02:01,530 –> 00:02:04,300
但是我们现在正在做的事就是
But what we’re doing is looking at security characteristics
44
00:02:04,300 –> 00:02:06,300
寻找设备上不那么安全的地方
on the devices that are out there in the world
45
00:02:06,300 –> 00:02:08,206
然后把它变得安全
to make sure that we’re keeping them safe.
46
00:02:08,206 –> 00:02:09,580
其中我们关注的一件事就是数字
One of the things that we look at
47
00:02:09,580 –> 00:02:12,660
即被安装到设备上的
is the number, the broad range of applications that have been
48
00:02:12,660 –> 00:02:13,910
应用数量
installed on these devices.
49
00:02:13,910 –> 00:02:16,530
所以我们每天检测应用的数量超过80亿
So we check over 8 billion applications
50
00:02:16,530 –> 00:02:19,770
来保证你的全方位安全
every single day, to give you a sense of the overall scope.
51
00:02:19,770 –> 00:02:23,000
Dave 无法知道的其中一件事就是
One of the things that Dave wasn’t able to get into
52
00:02:23,000 –> 00:02:26,550
他不知道这究竟意味着什么
was what exactly these things mean.
53
00:02:26,550 –> 00:02:28,740
大概三个还是四个星期前我们推出了
About three or four weeks ago we published
54
00:02:28,740 –> 00:02:32,250
一个名叫“安全检查年”的活动
something called the “Annual Security Year in Review,” where
55
00:02:32,250 –> 00:02:34,170
我们在这些安全服务中
we went into a lot of the work that we’ve
56
00:02:34,170 –> 00:02:36,910
做了大量的工作
been doing investing in these security services,
57
00:02:36,910 –> 00:02:40,520
使得已经投入使用的 Google 后台技术
making them more capable, using the technology
58
00:02:40,520 –> 00:02:43,540
能够进行更加复杂的分析
that Google has in our back end to deliver
59
00:02:43,540 –> 00:02:46,062
并理解现在的 Android 生态系统中
more and more sophisticated analysis of applications,
60
00:02:46,062 –> 00:02:47,770
正在
more and more sophisticated understanding
61
00:02:47,770 –> 00:02:50,090
发生着什么
of what it is that’s going on in the Android ecosystem
62
00:02:50,090 –> 00:02:52,890
以便我们能更好的保护用户
so that we can better protect users.
63
00:02:52,890 –> 00:02:55,650
这张图其实意味着50页的文件
That 50-page document included this diagram.
64
00:02:55,650 –> 00:02:57,850
当然我不打算在这里展开说
I’m not going to go into a lot of detail here.
65
00:02:57,850 –> 00:03:04,070
但我想强调的是我们关注
But I wanted to emphasize that the vast majority of our focus
66
00:03:04,070 –> 00:03:06,530
每一件能够保护用户的事情
is on everything that we can do to protect users.
67
00:03:06,530 –> 00:03:10,630
所以无论从硬件的更新与安全
So that ranges from hardware updates and hardware security,
68
00:03:10,630 –> 00:03:13,320
还是平台的更新与安全还是服务
to platform updates and platform security features,
69
00:03:13,320 –> 00:03:14,872
都是我们所关心的范围
to services as well.
70
00:03:14,872 –> 00:03:16,830
而且我们正致力于安全的每一层
And we’re investing at every layer in the stack
71
00:03:16,830 –> 00:03:19,380
从而最大程度的保护用户
to try to protect users as best we can.
72
00:03:19,380 –> 00:03:23,000
现在我将详细解释
Now for today, I’m going to hone in on a handful
73
00:03:23,000 –> 00:03:25,010
Android M 和 N
of specific new capabilities that
74
00:03:25,010 –> 00:03:29,170
中的新特性
were introduced in Android M and Android N. M
75
00:03:29,170 –> 00:03:31,760
让我们从实际情况来看一下 Android M
because, let’s be realistic.
76
00:03:31,760 –> 00:03:34,170
它目前还没有被广泛的使用
It hasn’t gotten to a point where it has broad based adoption.
77
00:03:34,170 –> 00:03:35,700
所以如果你还没有花费很长时间思考
So it’s not terribly surprising if you
78
00:03:35,700 –> 00:03:37,070
怎样利用 Android M 中的特性
haven’t been spending a lot of time thinking
79
00:03:37,070 –> 00:03:39,070
那你是不会被震惊到的
about how to take advantage of the features that
80
00:03:39,070 –> 00:03:41,950
而且因为 Android N 现在比较火热
were introduced in M. And Android N because that’s the new hotness.
81
00:03:41,950 –> 00:03:44,970
而且它也推出
Or at least it will be as soon as it begins to roll out
82
00:03:44,970 –> 00:03:47,930
有几个月了
a couple of months from now.
83
00:03:47,930 –> 00:03:51,540
所以我想强调的是
So I wanted to emphasize though that this is just
84
00:03:51,540 –> 00:03:55,485
这只是我们所有工作的一部分
part of the overall sort of set of capabilities that we have.
85
00:03:55,485 –> 00:03:57,610
我们想为应用的开发人员做些事情
We want to build things for application developers.
86
00:03:57,610 –> 00:03:59,184
我们想为用户做些事情
We want to build things for users.
87
00:03:59,184 –> 00:04:01,100
而且我们也想为设备制造商做些事情
And we want to build things for device makers.
88
00:04:01,100 –> 00:04:04,569
而我认为目前 用户是最重要的
I think on the main stage, the focus was on users.
89
00:04:04,569 –> 00:04:06,110
当然我们也把很多时间
Elsewhere in the world we spend a lot
90
00:04:06,110 –> 00:04:07,790
用在了与设备制造商交流上
of time talking about device makers.
91
00:04:07,790 –> 00:04:09,170
但是今天 我们想要谈谈
But today, we’re going to talk about what
92
00:04:09,170 –> 00:04:10,628
我们正在做的新事情
are the new things that we’re doing
93
00:04:10,628 –> 00:04:12,530
为什么对开发者而言
to make your life as an application developer
94
00:04:12,530 –> 00:04:15,478
在 Android M 和 N 上开发软件更爽
better on Android M and N.
95
00:04:15,478 –> 00:04:17,760
所以这就是我主要想讲的几点
So these are some of the key features that I’m going to talk about.
96
00:04:17,760 –> 00:04:19,222
一共有七点
There are seven of them up here.
97
00:04:19,222 –> 00:04:21,180
我将一个一个的说
I’m just going to walk through them one by one.
98
00:04:21,180 –> 00:04:24,174
我们将逐一介绍
We’ll talk about what it is that was introduced,
99
00:04:24,174 –> 00:04:26,590
并且看一看部分源码
take a look at some source code so that you can understand
100
00:04:26,590 –> 00:04:28,440
以便你能更好的在你的应用中使用它
how you might incorporate it into your application
101
00:04:28,440 –> 00:04:29,800
而且还能增长开发经验
and your development experience.
102
00:04:29,800 –> 00:04:31,360
然后我们将讨论一下
And then talk about some of the best practices
103
00:04:31,360 –> 00:04:32,710
我们认为的
that we’ve been thinking about for how
104
00:04:32,710 –> 00:04:34,440
你将如何运用在你程序中的
we think it is that you’d want to be incorporating
105
00:04:34,440 –> 00:04:36,940
最佳范例
these new technologies into your application development.
106
00:04:36,940 –> 00:04:37,440
如何
Right?
107
00:04:37,440 –> 00:04:38,450
很直观吧
Pretty straightforward.
108
00:04:38,450 –> 00:04:41,450
嘣嘣嘣 然后跳到下一个 嘣嘣嘣
Boom, boom, boom, move to the next one, boom, boom, boom.
109
00:04:41,450 –> 00:04:44,225
没有绚丽的图标 只有一些代码
No fancy diagrams, just a little bit of code here and there.
110
00:04:44,225 –> 00:04:47,315
所以权限是我们将要讨论的第一个话题
So permissions is the first thing we’re going to talk about.
111
00:04:47,315 –> 00:04:50,400
你也许记得
You may remember, or you may know,
112
00:04:50,400 –> 00:04:53,020
如果你在装有 Android M 的 Nexus 设备上
if you’re running on Android M right now on Nexus device
113
00:04:53,020 –> 00:04:55,480
或是其他装有 Android M 的其他设备上运行程序
or one of the other devices that’s started to receive it,
114
00:04:55,480 –> 00:04:58,310
其中用户体验的一个主要变化就是
that one of the major changes in the user experience that
115
00:04:58,310 –> 00:05:02,270
运行时权限
was introduced with Marshmallow was runtime permissions,
116
00:05:02,270 –> 00:05:05,500
意思就是只有在程序运行过程中
the idea that an application can defer
117
00:05:05,500 –> 00:05:09,920
真正需要使用到相应权限时才进行申请
requesting the use of permissions until it really needs them.
118
00:05:09,920 –> 00:05:11,445
因此用户就有了
And that the user has the ability
119
00:05:11,445 –> 00:05:13,040
决定是否给予权限
to decide whether the application gets
120
00:05:13,040 –> 00:05:15,340
的权利
that specific permission or not.
121
00:05:15,340 –> 00:05:18,374
这是 Android M 中
Really a fundamental change in the way that applications
122
00:05:18,374 –> 00:05:20,790
申请敏感权限的
are going to request access to more sensitive capabilities
123
00:05:20,790 –> 00:05:22,632
一个根本性变化
on the device introduced with Marshmallow.
124
00:05:25,530 –> 00:05:27,500
从应用开发者的立场来说
From an application developer’s standpoint,
125
00:05:27,500 –> 00:05:29,680
这是一件很值得考虑的事情
it’s a really powerful thing for you to think about.
126
00:05:29,680 –> 00:05:32,080
它给了你简化安装应用过程
It gives you the ability to simplify the installation
127
00:05:32,080 –> 00:05:33,334
的能力
process for your application.
128
00:05:33,334 –> 00:05:36,460
因为你不需要提前申请所有的权限了
Because you don’t have to request all of those permissions up front.
129
00:05:36,460 –> 00:05:39,030
它也不需要
It gives you the ability to upgrade
130
00:05:39,030 –> 00:05:42,410
在用户确认升级之后
without having the user have to confirm that that upgrade is
131
00:05:42,410 –> 00:05:45,720
再升级
necessary for applications being delivered through, for example,
132
00:05:45,720 –> 00:05:46,830
比如说从 Google Play 上
through Google Play.
133
00:05:46,830 –> 00:05:49,090
因为这在安全性上
Because there’s no increase in the capabilities
134
00:05:49,090 –> 00:05:50,870
没有任何的变化
of the application in the security model.
135
00:05:50,870 –> 00:05:53,010
因此也没有让用户确认的必要
And so there’s no need for the user to affirm that.
136
00:05:53,010 –> 00:05:54,850
所以这真的可以提高
So this can really accelerate the rate
137
00:05:54,850 –> 00:05:56,766
你的应用的升级比例
at which your applications are being upgraded,
138
00:05:56,766 –> 00:06:00,590
如果你能在新平台上运用好运行时权限的话
if you take advantage of runtime permissions on these newer platforms.
139
00:06:00,590 –> 00:06:03,264
而且我认为 就我十分担心的问题
And from my perspective, when I think about security,
140
00:06:03,264 –> 00:06:05,180
安全性考虑而言
one of the things I worry about is making sure
141
00:06:05,180 –> 00:06:07,490
这可以确保用户知道应用中都在发生着什么
that users understand what it is that’s going on.
142
00:06:07,490 –> 00:06:10,250
而且我们也发现运行时权限对用户来说
And we found that runtime permissions are fundamentally
143
00:06:10,250 –> 00:06:12,172
是更加能够接受的
more understandable for users.
144
00:06:12,172 –> 00:06:13,630
这使得开发者可以
They give the application developer
145
00:06:13,630 –> 00:06:16,340
在更恰当的时候申请权限
the ability to provide context, and the user
146
00:06:16,340 –> 00:06:18,539
而用户也更好的理解
to understand how that capability is
147
00:06:18,539 –> 00:06:22,800
所申请的权限用在了什么地方
going to be associated with the application that they’re employing.
148
00:06:22,800 –> 00:06:24,550
如何
So what does it look like?
149
00:06:24,550 –> 00:06:26,342
这很直观吧
It’s pretty straightforward.
150
00:06:26,342 –> 00:06:29,216
你需要做的第一件事就是
The first thing that you want to do in the context of your application
151
00:06:29,216 –> 00:06:33,250
调用当时的局部环境并且检查自身的权限
is invoke the local environment and check self permission.
152
00:06:33,250 –> 00:06:36,890
我已经有这个权限了吗
Do I already have this permission?
153
00:06:36,890 –> 00:06:39,090
如果没有 那你可能需要
If you don’t, then you want to explain,
154
00:06:39,090 –> 00:06:40,815
向你的用户解释一下
probably provide some context to the user
155
00:06:40,815 –> 00:06:43,010
为何你要在此处申请权限
about why it is that you’re going to request that permission.
156
00:06:43,010 –> 00:06:45,640
在这个例子中申请的是读取联系人权限
In this particular instance it’s the use of read contacts.
157
00:06:45,640 –> 00:06:47,390
你可能说 我需要发邮件
So you might say, I want to send an email.
158
00:06:47,390 –> 00:06:48,973
如果我能够看到在你的联系人中
And it would be really nice if I could
159
00:06:48,973 –> 00:06:52,120
谁已经是你的好友了
see who you’re already friends with inside your contact
160
00:06:52,120 –> 00:06:54,740
这样会非常方便
environment, or make a call, or any number
161
00:06:54,740 –> 00:06:57,620
当然也可以是打电话或其他功能
of other types of functionality it might want to expose.
162
00:06:57,620 –> 00:06:59,934
如果你还没有读取过的话
If you do not have the capability already,
163
00:06:59,934 –> 00:07:01,600
那么你就需要申请权限了
then you’re going to need to request it.
164
00:07:01,600 –> 00:07:04,200
而且 API 也相当的简单 “Request Permission”
And there’s a simple API, “Request Permission.”
165
00:07:04,200 –> 00:07:06,520
然后你就可以请求权限了
And you can go ahead make that request.
166
00:07:06,520 –> 00:07:10,267
现在也许你已经申请到权限了 也许没有
And at that point, you now have that permission, or not.
167
00:07:10,267 –> 00:07:12,600
下面我们来演示一下
Let’s talk a little bit about some of the best practices
168
00:07:12,600 –> 00:07:14,774
确保你能申请到权限的最佳范例
to make sure that you actually get that permission.
169
00:07:14,774 –> 00:07:17,190
因为我们也要考虑到用户
Because that’s one of the things that people are concerned
170
00:07:17,190 –> 00:07:21,290
不一定总是会同意
about with runtime permissions is that they maybe don’t always
171
00:07:21,290 –> 00:07:22,012
申请权限的
say yes.
172
00:07:22,012 –> 00:07:24,886
所以你也需要考虑到
So you’re going to need to consider in the context of your application
173
00:07:24,886 –> 00:07:27,415
用户不同意的情况
that the user might say no.
174
00:07:27,415 –> 00:07:28,790
而且你也同样要考虑
And you’re going to want to think
175
00:07:28,790 –> 00:07:31,350
怎样做才能让更多的用户
about how it is that you can increase the likelihood
176
00:07:31,350 –> 00:07:32,730
通过权限申请
that the user will say yes.
177
00:07:32,730 –> 00:07:35,977
所以我们提供了一些设计准则
So one of the things that we did is provide some design guidelines.
178
00:07:35,977 –> 00:07:37,060
准则已经推出了
Those have been published.
179
00:07:37,060 –> 00:07:40,270
你可以在 developer.android.com
You can find them up on developer.android.com
180
00:07:40,270 –> 00:07:42,686
上找到一些最佳范例
that describe some of the best practices.
181
00:07:42,686 –> 00:07:45,740
最重要的是告诉用户
One of the most important ones is to provide some context for why it
182
00:07:45,740 –> 00:07:47,230
你将要用它来做什么
is that you’re going to do it.
183
00:07:47,230 –> 00:07:50,214
以 Hangouts 中的短信为例
So for example, in the case of SMS,
184
00:07:50,214 –> 00:07:51,880
如果你想在
in the case of the Hangouts application,
185
00:07:51,880 –> 00:07:53,310
应用中接收到
explaining hey, if you want to receive
186
00:07:53,310 –> 00:07:54,900
短信里的内容
SMS in the context of this application,
187
00:07:54,900 –> 00:07:56,608
那我们就需要读取短信的权限
we’re going to need to have access to it.
188
00:07:56,608 –> 00:07:58,152
我现在要请求权限了
And I’m going to request it now, then
189
00:07:58,152 –> 00:08:00,610
这有助于提高申请权限的成功率
makes it possible for you to request it and really increase
190
00:08:00,610 –> 00:08:03,800
用户觉得这对我确实有意义
the rate at which user say, OK, makes sense to me.
191
00:08:03,800 –> 00:08:05,460
接受吧
Go ahead and grant it.
192
00:08:05,460 –> 00:08:07,350
在加入了权限解释的 Google 应用中
Within the context of Google applications,
193
00:08:07,350 –> 00:08:11,220
我们发现85%的用户同意了权限申请
we found that about 85% of the time users do say yes.
194
00:08:11,220 –> 00:08:13,550
相比那些不加权限解释的应用
That’s better than the average that we’ve
195
00:08:13,550 –> 00:08:16,400
加了权限解释的应用权限申请通过率
seen for other applications that are sort of broadly distributed
196
00:08:16,400 –> 00:08:17,810
更高
on the Android platform.
197
00:08:17,810 –> 00:08:20,750
这是一个通过率提高了的例子
Just to give you some examples of how much better it is,
198
00:08:20,750 –> 00:08:25,180
大约15.8%的用户在第一次提示时拒绝了权限申请
about 15.8% of the time when we prompt a user, they say no.
199
00:08:25,180 –> 00:08:27,970
这比之前降低了40%
That’s about 40% lower.
200
00:08:27,970 –> 00:08:30,900
而其他应用的拒绝率
So for other applications, the failure rate on that request
201
00:08:30,900 –> 00:08:33,080
大概在20%到25%之间
is going to be about 20% to 25%.
202
00:08:33,080 –> 00:08:35,520
这其中差了40%
So about 40% difference between those.
203
00:08:35,520 –> 00:08:39,940
如果你不停的申请权限而用户又不停的拒绝申请
If you ask too many times and the user says no repeatedly,
204
00:08:39,940 –> 00:08:42,870
我觉得在三次之后
eventually, after I think three times,
205
00:08:42,870 –> 00:08:46,490
用户就有权利选择不要再申请了
the user has the option to say stop asking me.
206
00:08:46,490 –> 00:08:48,289
而且我们发现在 Google 应用中
And so we found that the stop asking me,
207
00:08:48,289 –> 00:08:51,470
拒绝再次申请的概率大约是3%
don’t ever ask me again rate for Google applications is about 3%.
208
00:08:51,470 –> 00:08:53,324
所以我们要在合适的时候申请权限
So effectively we prompt a couple of times
209
00:08:53,324 –> 00:08:54,740
这样用户
in order to get to the point where
210
00:08:54,740 –> 00:08:56,614
才不会觉得不舒服
the user is comfortable with the application.
211
00:08:56,614 –> 00:08:59,490
大约97%的用户
And we find about 97% of the time users
212
00:08:59,490 –> 00:09:02,360
通过了申请的权限
accept the permission ask that we’re making.
213
00:09:02,360 –> 00:09:05,209
上述就是你需要考虑的最佳范例
So those are the best practices that you want to think about.
214
00:09:05,209 –> 00:09:06,750
我们还做了
There’s another capability that we’ve
215
00:09:06,750 –> 00:09:08,530
一件大事
been expanding dramatically, which
216
00:09:08,530 –> 00:09:12,060
就是密钥材料的保护
is a protection of key material, cryptographic keys
217
00:09:12,060 –> 00:09:13,220
尤其是 Android 上的密钥
specifically on Androids.
218
00:09:13,220 –> 00:09:16,340
所以我们来讨论一下 Android 密钥库
So we’ll talk about the Android Keystore.
219
00:09:16,340 –> 00:09:18,990
密钥库广泛的应用在
The Keystore leverages hardware that
220
00:09:18,990 –> 00:09:22,545
Android 设备中
exists on the vast majority of Android devices.
221
00:09:22,545 –> 00:09:25,170
作为一名安全从业者
As a security practitioner, it’s always been really interesting
222
00:09:25,170 –> 00:09:28,750
我对那些带有 TrustZone 的设备十分感兴趣
to me that most devices, literally about 80% to 90%
223
00:09:28,750 –> 00:09:31,230
这些设备大概占到80%到90%
of devices have something called TrustZone on them.
224
00:09:31,230 –> 00:09:33,170
他们都有一个 TEE
They have a TEE that’s been put in place.
225
00:09:33,170 –> 00:09:37,300
它提供了一套可以访问 DRM 保护内容的机制
It was there to enable access to DRM protected content.
226
00:09:37,300 –> 00:09:39,410
我们这几年正在做的就是
What we’ve been doing over the last several years
227
00:09:39,410 –> 00:09:41,626
让开发者保护
is making that available to you as an application
228
00:09:41,626 –> 00:09:43,250
用户设备中的敏感功能与
developer as a means for you to protect
229
00:09:43,250 –> 00:09:46,660
密钥成为可能
the most sensitive capabilities and keys in your device.
230
00:09:46,660 –> 00:09:52,000
让我们从 jb-mr2 开始说起吧
So starting in jb-mr2.
231
00:09:52,000 –> 00:09:55,140
大概在四年前
So almost four years ago, we began implementing API
232
00:09:55,140 –> 00:09:56,830
我们开始不断的继承 API
after API after API.
233
00:09:56,830 –> 00:10:02,820
从 Android L 开始 陆续可以使用 RSA 和椭圆曲线数字签名算法
As of Android L, the ability to use RSA, elliptic curve DSA,
234
00:10:02,820 –> 00:10:07,620
即ECDSA 或是像 AES 这样的对称算法 还有 HMAC
so ECDSA, symmetric algorithms like AES, and then also HMAC,
235
00:10:07,620 –> 00:10:10,820
这些密钥都被内置在 TrustZone 中
where those keys are held inside of TrustZone and cannot be
236
00:10:10,820 –> 00:10:13,900
而没有展现在普通用户面前
exposed to the kernel or to anybody else on the device is
237
00:10:13,900 –> 00:10:18,630
但这些功能确实是设备的核心功能
one of the core capabilities that we’ve been enabled.
238
00:10:18,630 –> 00:10:20,540
其中一件非常重要的事就是
One of the really important things to do
239
00:10:20,540 –> 00:10:22,720
把它从大多数设备
is to transition from it being on most devices
240
00:10:22,720 –> 00:10:23,900
过渡到所有的设备
to being on all devices.
241
00:10:23,900 –> 00:10:27,340
因此这就变成了 Android N 的任务
So this became required as of the Android N release.
242
00:10:27,340 –> 00:10:29,230
我们从现在起将会看到
So we’re going to see, from here on out,
243
00:10:29,230 –> 00:10:32,150
所有的新设备都将装载它
all new devices are going to definitely have it on board.
244
00:10:32,150 –> 00:10:33,812
而且就在现在 绝大多数的
As it is right now, the vast majority
245
00:10:33,812 –> 00:10:38,620
高端或是中端设备都已经有 Keystore 了
of higher end and mid-range devices already have Keystore in place.
246
00:10:38,620 –> 00:10:42,490
所以 Android N 中的一个新特性
So one of the new features that was introduced with Android N
247
00:10:42,490 –> 00:10:44,280
就是密钥认证
was what we call attestation.
248
00:10:44,280 –> 00:10:47,020
关于密钥认证我们所做的就是把密钥
What we do with attestation is bake a key
249
00:10:47,020 –> 00:10:49,857
加进 TrustZone 中的固件中
into the firmware inside of TrustZone.
250
00:10:49,857 –> 00:10:51,940
这样你就可以验证
So it is possible for you to validate that this is
251
00:10:51,940 –> 00:10:53,231
硬件的合法性了
a legitimate piece of hardware.
252
00:10:53,231 –> 00:10:55,580
你可以通过创建一个密钥
And you can check that by creating a key
253
00:10:55,580 –> 00:10:57,700
然后检测绑定到
and then checking the search chain to tie it
254
00:10:57,700 –> 00:11:00,510
需要进行 CTS 测试的硬件搜索链
back to a piece of hardware that’s gone through CTS testing.
255
00:11:00,510 –> 00:11:02,260
我将用几秒钟的时间
And I’ll sort of talk through how
256
00:11:02,260 –> 00:11:04,444
稍微讨论一下你应该如何做
it is that you can do that in just a second.
257
00:11:04,444 –> 00:11:06,860
这是一个源码的
So here’s an example of what that looks like from a source
258
00:11:06,860 –> 00:11:08,370
例子
code standpoint.
259
00:11:08,370 –> 00:11:09,350
你需要做什么
What do you need to do?
260
00:11:09,350 –> 00:11:12,490
你需要从创建一个 KeyPair 开始
Well, you can start off by creating a key pair.
261
00:11:12,490 –> 00:11:16,050
你创建了一个 Android Keystore 的实例
So you create an instance of Android Keystore.
262
00:11:16,050 –> 00:11:18,760
在这个例子中 我们用的是椭圆曲线
In this instance, we’re using elliptic curves,
263
00:11:18,760 –> 00:11:21,120
所以你需要把它加入到你的算法中
so you specify that to your algorithm.
264
00:11:21,120 –> 00:11:23,410
我将要介绍一件在 Android M
One of the more interesting new capabilities
265
00:11:23,410 –> 00:11:25,440
中更有趣的特性
that was introduced actually in Android M
266
00:11:25,440 –> 00:11:27,240
那就是这个密钥只有刚被验证过的
was the ability to say this key can only
267
00:11:27,240 –> 00:11:31,069
用户才可以使用
be used if the user has recently authenticated.
268
00:11:31,069 –> 00:11:32,860
我再用几秒钟多说一点
I’ll talk more about that in just a second.
269
00:11:32,860 –> 00:11:34,710
这是一个很有力的声明
But that’s a really powerful statement that you can make.
270
00:11:34,710 –> 00:11:36,640
那就是你能知道有一个真真切切的用户
So that you know that there’s a real user that’s
271
00:11:36,640 –> 00:11:38,431
在与设备进行着交互
been interacting with the device right now.
272
00:11:38,431 –> 00:11:40,950
当然这也是被内置于 TrustZone 中的
And that’s been validated inside of TrustZone.
273
00:11:40,950 –> 00:11:42,745
所以你可以保护你的密钥
So you can protect your keys.
274
00:11:42,745 –> 00:11:44,370
然后你可以做的最后一件事就是
And then the last thing that you can do
275
00:11:44,370 –> 00:11:46,867
你能够获得与密钥相关的
is you can actually get the certificate chain associated
276
00:11:46,867 –> 00:11:47,450
证书
with that key.
277
00:11:47,450 –> 00:11:52,370
所以这密钥是绑定到设备上的
So that key is one that has been bound to a particular device.
278
00:11:52,370 –> 00:11:54,452
而且它不能转移到其他设备上
And it can’t move to some other device.
279
00:11:54,452 –> 00:11:56,910
然后你就可以通过看证书链
Then you can actually confirm by looking at the certificate
280
00:11:56,910 –> 00:12:00,450
确定这是一个已经通过 CTS 测试的正常设备
chain that it’s a device that legitimately went through CTS testing.
281
00:12:00,450 –> 00:12:02,790
它已经经过确认了
It’s gone through that kind of validation.
282
00:12:02,790 –> 00:12:06,740
所以我认为这种类型的功能是非常重要的
So I think this type of capability is really important for enhancing
283
00:12:06,740 –> 00:12:09,240
尤其是对通过 Google 检验的
the trust in those devices that have gone through the Google
284
00:12:09,240 –> 00:12:14,260
Android 测试设备信任度的增加
validation process and are valid, Android tested devices.
285
00:12:14,260 –> 00:12:18,522
所以你需要认真想一想
So some best practices, think for a moment
286
00:12:18,522 –> 00:12:20,730
你的应用中是否需要加上
whether there’s a case for you to be using encryption
287
00:12:20,730 –> 00:12:22,840
最佳范例中的加密功能
in the context of your application.
288
00:12:22,840 –> 00:12:25,340
如果是的话 那么 Keystore 对于你来说
And if so, then Keystore is a great place for you
289
00:12:25,340 –> 00:12:27,380
就是保存密钥最好的地方
to be storing those keys.
290
00:12:27,380 –> 00:12:28,170
它可供使用
It’s available.
291
00:12:28,170 –> 00:12:29,850
而且很直观
It’s very straightforward.
292
00:12:29,850 –> 00:12:32,060
而且它的优点在于
And it has the advantage of the key
293
00:12:32,060 –> 00:12:34,560
即使设备中的其他东西被破解了
not being exposed in the event of compromise of other things
294
00:12:34,560 –> 00:12:36,300
密钥也不会被暴露出来
on the device.
295
00:12:36,300 –> 00:12:39,590
你也可以用这个从 Android N 开始的密钥
You can also use the key, starting with Android N,
296
00:12:39,590 –> 00:12:42,100
来验证这是否是一个合法的 Android 设备
as a mechanism to validate that this is a legitimate Android
297
00:12:42,100 –> 00:12:47,270
而非一个不兼容的设备
device and not one that’s been created outside the compatibility.
298
00:12:47,270 –> 00:12:48,766
这就给了你进一步校验
And so that gives you the ability
299
00:12:48,766 –> 00:12:50,390
设备的能力
to do further validation of the device.
300
00:12:53,140 –> 00:12:54,600
我之前提到了验证
I hinted at authentication.
301
00:12:54,600 –> 00:12:56,190
让我们来谈论一些
So let’s talk a little bit about some of the changes
302
00:12:56,190 –> 00:12:58,023
关于验证方面的改变
that have gone into authentication recently.
303
00:13:00,872 –> 00:13:02,580
在加强验证方面
So there’s two different goals that we’re
304
00:13:02,580 –> 00:13:06,530
我们有两个不同的目标
striving for as we’re enhancing authentication.
305
00:13:06,530 –> 00:13:12,370
第一个就是 坦率地说
The first one is, well, let’s be frank,
306
00:13:12,370 –> 00:13:14,590
用户根本不喜欢验证
users don’t like authenticating.
307
00:13:14,590 –> 00:13:17,372
验证是很令人厌烦的
It’s annoying.
308
00:13:17,372 –> 00:13:18,580
我拿出我的设备
I want to take out my device.
309
00:13:18,580 –> 00:13:20,000
我就想马上使用它
And I want to use it immediately.
310
00:13:20,000 –> 00:13:21,900
我就想立刻看到内容
And I want to have access to my information.
311
00:13:21,900 –> 00:13:24,170
所以我们才开始调查
And so when we began looking into why
312
00:13:24,170 –> 00:13:26,654
为什么用户不在他们的设备上使用屏幕锁
it is that users didn’t have lock screens on their device.
313
00:13:26,654 –> 00:13:28,070
这就是为什么用户不喜欢
And why they didn’t use what seems
314
00:13:28,070 –> 00:13:31,680
使用这最基本的安全保护方式
to be the most fundamental security protection,
315
00:13:31,680 –> 00:13:34,830
答案就是 它们出现的太频繁了
the answer is, it just comes up too often.
316
00:13:34,830 –> 00:13:37,770
因此接近半数的用户
And almost half of Android users have
317
00:13:37,770 –> 00:13:40,330
决定不使用屏幕锁
decided that they don’t want a secure lock screen.
318
00:13:40,330 –> 00:13:42,220
所以我们尽力做的事情就是
So one of the things that we’re trying to do
319
00:13:42,220 –> 00:13:44,410
实现用户的愿望
is find ways to encourage that.
320
00:13:44,410 –> 00:13:48,011
如果在用户登入设备时
Because if we get to a point where the logging in mechanism
321
00:13:48,011 –> 00:13:50,010
在开始与设备交互时
is trustworthy, where authentication of the user
322
00:13:50,010 –> 00:13:51,340
就是被验证过的
at the time they start interacting with the device,
323
00:13:51,340 –> 00:13:52,850
那么你应用中的设置
then you can do a lot more and be
324
00:13:52,850 –> 00:13:55,255
其实可以更加的灵活
a lot more flexible in the set of applications that you can provide.
325
00:13:55,255 –> 00:13:57,440
所以 Android Pay 就是一个很好的例子
So Android Pay is a good example where,
326
00:13:57,440 –> 00:14:01,410
因为用户是已经被验证过的 他们就可以使用 Android Pay
because users are authenticated, they can have access to Android Pay.
327
00:14:01,410 –> 00:14:05,300
所以我们结合了这两种想法
So we actually bind those two ideas together.
328
00:14:05,300 –> 00:14:08,164
因此在介绍指纹解锁时就更容易了
So to make things easier we introduced fingerprints.
329
00:14:08,164 –> 00:14:10,080
这些我们之前都已经介绍过了
That was one of the things that was introduced
330
00:14:10,080 –> 00:14:12,220
包括 Nexus 手机上的 Android M
with Android M on Nexus phones and an API for you
331
00:14:12,220 –> 00:14:14,290
以及开发者所使用的API
to interact with it as an application developer.
332
00:14:14,290 –> 00:14:17,380
我们可以看到在 Nexus 设备上
On Nexus devices we’ve seen adoption of secure lock screen
333
00:14:17,380 –> 00:14:20,836
一旦加入了指纹解锁
go from about 50% to over 90% on devices
334
00:14:20,836 –> 00:14:22,210
屏幕锁的使用数量就从50%上升到了90%
where a fingerprint is available.
335
00:14:22,210 –> 00:14:25,324
因为这实在是太简单方便了
Because it’s just so much easier.
336
00:14:25,324 –> 00:14:27,240
我们也为那些没有指纹识别传感器的设备
We’ve also made changes for those devices that
337
00:14:27,240 –> 00:14:29,030
提供了另一种解决方案
don’t have access to fingerprint,
338
00:14:29,030 –> 00:14:32,610
比如说智能解锁
for one reason or another, through things like Smart Lock.
339
00:14:32,610 –> 00:14:34,870
其中智能解锁提供的一个功能
One of the capabilities that Smart Lock provides
340
00:14:34,870 –> 00:14:38,365
我们称之为身体探测
is what we call on body detection, where we monitor how the device is
341
00:14:38,365 –> 00:14:40,240
我们可以监测出与设备交互的周围环境
interacting with the environment around them.
342
00:14:40,240 –> 00:14:41,170
它是否在口袋里
Is it in their pocket?
343
00:14:41,170 –> 00:14:43,461
它是不是还在初次解锁它的人
Do we think it’s still in control of the individual who
344
00:14:43,461 –> 00:14:44,770
手里
first unlocked it?
345
00:14:44,770 –> 00:14:47,360
这个功能可以使
The use of that alone can reduce the frequency
346
00:14:47,360 –> 00:14:50,560
验证频率减少50%
with which users need to authenticate by over 50%.
347
00:14:50,560 –> 00:14:52,180
在我们的经验中能够看到这一点
We’ve seen that in our experience.
348
00:14:52,180 –> 00:14:56,640
在把验证变得简单这件事上我们已经取得很大的进展了
So we’ve got good progress on making authentication easier for users.
349
00:14:56,640 –> 00:14:59,180
这也是我们一直在努力的事情
So that’s one of the things that we’re striving for.
350
00:14:59,180 –> 00:15:00,830
我们还尽力把
The other thing that we’re trying to do
351
00:15:00,830 –> 00:15:03,330
验证变得更强大
is make authentication stronger.
352
00:15:03,330 –> 00:15:05,340
这同样也带来一些改变
So there are some changes there as well.
353
00:15:05,340 –> 00:15:08,860
其中之一就是允许
One of them was to allow applications
354
00:15:08,860 –> 00:15:11,380
应用把私密数据绑定到验证上
to tie their secrets to authentication.
355
00:15:11,380 –> 00:15:14,000
你可以确保应用中的某些功能
So you can make sure that your application will only
356
00:15:14,000 –> 00:15:17,050
是只有被验证过的
function if the user has a secure lock screen
357
00:15:17,050 –> 00:15:19,100
用户才可以使用的
and they have been recently authenticated.
358
00:15:19,100 –> 00:15:21,220
这是一个非常重要的改变
So that’s an important change that you can make.
359
00:15:21,220 –> 00:15:23,345
有一类事情是应用需要特别担心的
One of the types of things that an application that
360
00:15:23,345 –> 00:15:25,110
即财务系统
worries about, say financial systems
361
00:15:25,110 –> 00:15:27,830
或是访问敏感数据
or access to sensitive data, would want to do.
362
00:15:27,830 –> 00:15:30,780
我们做的另一件事就是
Another thing that we’ve done is to move the authentication
363
00:15:30,780 –> 00:15:32,660
把验证挪进了 TrustZone
actually into TrustZone.
364
00:15:32,660 –> 00:15:34,860
所以即使
So that even if the overall operating system
365
00:15:34,860 –> 00:15:37,680
操作系统都被攻陷了
has been compromised, there is no mechanism
366
00:15:37,680 –> 00:15:41,850
根据现有的机制
available for the device to leak the credential,
367
00:15:41,850 –> 00:15:45,900
证书 指纹或是
the fingerprint, for example, or the user’s lock screen password
368
00:15:45,900 –> 00:15:48,310
用户的解锁密码
into a place that it could do and exhaust
369
00:15:48,310 –> 00:15:50,280
也不会泄露
over the strength of that credential.
370
00:15:54,060 –> 00:15:57,181
因此你需要思考的就是如何利用好验证
So you want to think about how to use authentication.
371
00:15:57,181 –> 00:15:59,430
我们提供了一些指纹的 API
We’ve provided some APIs so that it’s possible for you
372
00:15:59,430 –> 00:16:01,860
你可以直接调用
to directly invoke the fingerprint APIs.
373
00:16:01,860 –> 00:16:05,770
我们也提供了一些 API 让你可以控制
We’ve also provided APIs that allow you to control the user
374
00:16:05,770 –> 00:16:06,940
相关的用户体验
experience around that.
375
00:16:06,940 –> 00:16:09,550
你不一定必须描述
So you’re not constrained in how you would represent
376
00:16:09,550 –> 00:16:10,830
你将用验证来干什么
what it means to authenticate.
377
00:16:10,830 –> 00:16:13,530
但我们还是建议你提供
This is again, you get to offer context
378
00:16:13,530 –> 00:16:16,060
说明来解释你为什么需要验证
for why it is that you’re requesting authentication.
379
00:16:16,060 –> 00:16:17,250
因为我们认为应用体验中
We think that’s a really important part
380
00:16:17,250 –> 00:16:19,680
一个非常重要的部分
of the application experience is that you are effectively
381
00:16:19,680 –> 00:16:22,490
就是你以何种方式告诉用户
in control over how it is that you represent to the user what
382
00:16:22,490 –> 00:16:23,710
你将要干什么
you’re going to do.
383
00:16:23,710 –> 00:16:26,860
所以在这个实例中 UI 描述出了
So in this instance, that UI describing
384
00:16:26,860 –> 00:16:31,000
Google Play 如何使用指纹识别
how fingerprint is taken place is being drawn entirely by Google Play.
385
00:16:31,000 –> 00:16:32,875
他们需要描述接下来要做的事情
They get to describe, we’re going to do this.
386
00:16:32,875 –> 00:16:35,590
这就是我们如何使用它的做法 如果你也想这样
And here’s how we’re going to use it, if they want to do that.
387
00:16:35,590 –> 00:16:37,589
你也可以在你的应用中这样做
And you can do that in your application as well.
388
00:16:39,880 –> 00:16:43,740
这里提供一个快速示例 非常直观的
Just to give a quick example, very, very straightforward how
389
00:16:43,740 –> 00:16:51,340
展示如何把应用与指纹绑定
you create a key in this instance and then bind that to a fingerprint.
390
00:16:51,340 –> 00:16:53,590
在这个实例中 我想特意强调的是
In this instance, the thing that I wanted to highlight
391
00:16:53,590 –> 00:16:57,836
你事实上创建了一个回调
is that you’re actually creating a callback, a wrap based
392
00:16:57,836 –> 00:16:59,210
一个基于密钥的包装
on the key, and you’re only going
393
00:16:59,210 –> 00:17:02,884
如果用户验证成功了你只需要解密就行了
to do the decryption if the user has successfully authenticated.
394
00:17:02,884 –> 00:17:04,550
所以你现在知道与你应用
So you now know that the data associated
395
00:17:04,550 –> 00:17:06,630
相关的数据都是包装在密钥中的
with your application that’s been wrapped in that key
396
00:17:06,630 –> 00:17:09,254
只有通过验证的用户
simply doesn’t exist and is not accessible until after the user
397
00:17:09,254 –> 00:17:10,690
才能够访问这些数据
is authenticated.
398
00:17:10,690 –> 00:17:15,945
我再花几分钟时间说一下直接启动
I’ll talk in a couple of minutes about how we’re doing direct to boot.
399
00:17:15,945 –> 00:17:18,690
它有一个相似的模块 就是应用数据
And it has a similar model, where application data is not
400
00:17:18,690 –> 00:17:22,880
只有在用户已经被验证过了之后才能被获取
available until the user has already been authenticated.
401
00:17:22,880 –> 00:17:26,079
最佳范例
So a couple of best practices, I think
402
00:17:26,079 –> 00:17:30,680
我认为这对于
that there’s a real opportunity to auth-bound keys
403
00:17:30,680 –> 00:17:36,100
验证密钥锁屏和安全锁屏的使用
to drive both adoption of the use of authentication
404
00:17:36,100 –> 00:17:38,030
来说是一个真正的机会
on the lock screen and secure lock screen.
405
00:17:38,030 –> 00:17:40,010
同时也简化了用户与
And also to simplify the way that the user
406
00:17:40,010 –> 00:17:42,051
应用之间的交互方式
is going to be interacting with your application.
407
00:17:42,051 –> 00:17:44,720
因此当用户使用你的应用时
Then you don’t need to have a check for pin or password
408
00:17:44,720 –> 00:17:45,930
你就没有必要再让用户做出 pin 码或是密码检查了
when a user comes in to your application,
409
00:17:45,930 –> 00:17:46,830
即使应用中包含很多敏感数据
no matter how sensitive it is.
410
00:17:46,830 –> 00:17:49,455
因为你知道他们在解锁屏幕时
Because you know that they very recently have gone through that
411
00:17:49,455 –> 00:17:51,310
已经验证过身份了
authentication already at the lock screen.
412
00:17:51,310 –> 00:17:53,770
所以我是明确鼓励使用上述机制的
So I would definitely encourage using that mechanism.
413
00:17:53,770 –> 00:17:55,140
你可以设定一个时间上限
You can time bound it and say, if they’ve
414
00:17:55,140 –> 00:17:57,310
可以是一分钟 五分钟 十分钟
logged in the last minute, the last five minutes, the last 10
415
00:17:57,310 –> 00:17:59,610
只要是符合你应用的
minutes, whatever’s appropriate for your application
416
00:17:59,610 –> 00:18:03,891
安全规范就好
to drive good security practices consistent with your application.
417
00:18:03,891 –> 00:18:05,890
另一件我鼓励的事
The other thing that I would encourage you to do
418
00:18:05,890 –> 00:18:09,710
当然就是指纹解锁了
is certainly favor fingerprint.
419
00:18:09,710 –> 00:18:12,830
如果设备上有一个
You know the evidence seems to be that a fingerprint
420
00:18:12,830 –> 00:18:14,040
指纹识别器
readers exist on a device.
421
00:18:14,040 –> 00:18:16,130
那么用户总是倾向于使用它的
That’s going to be the mechanism that users are going to want to use.
422
00:18:16,130 –> 00:18:18,379
所以我也鼓励你
So I would encourage you to use that as your mechanism
423
00:18:18,379 –> 00:18:21,850
把指纹解锁
to do binding of authentication credentials
424
00:18:21,850 –> 00:18:24,400
加进你的解锁机制里
to key material inside of Keystore.
425
00:18:24,400 –> 00:18:26,414
如果指纹解锁
If that’s not available, then falling back
426
00:18:26,414 –> 00:18:28,830
不可用的话
to doing something like create confirmed device credential
427
00:18:28,830 –> 00:18:32,624
那就做点类似创建确认设备凭据
intent as a means to bind to whatever other secure lock
428
00:18:32,624 –> 00:18:34,040
之类的事
screen they have on the devices is
429
00:18:34,040 –> 00:18:36,110
用来安全的
a perfectly reasonable fallback for those devices where
430
00:18:36,110 –> 00:18:37,276
解锁设备
fingerprint isn’t available.
431
00:18:40,146 –> 00:18:42,020
其实我们已经谈到很多了
So we’ve covered a couple of features so far.
432
00:18:42,020 –> 00:18:44,620
下面我们来说一下加密部分
We’re going to get now into the crypto section.
433
00:18:44,620 –> 00:18:48,167
我们先来讨论一下网络安全 之后是安全存储
Talk first about secure networking and then get into secure storage.
434
00:18:54,860 –> 00:19:01,400
我很好奇究竟多少的细微改变
It’s amazing to me how often simple changes can make
435
00:19:01,400 –> 00:19:04,590
才能引发一个安全方面巨大的变革
a huge difference in security.
436
00:19:04,590 –> 00:19:08,210
我们花了一分钟思考
We spent a minute thinking about users and how many of them
437
00:19:08,210 –> 00:19:11,609
为什么有些用户选择不在锁屏上加密码
choose not to have a lock screen.
438
00:19:11,609 –> 00:19:12,650
因为这很复杂
Because it’s complicated.
439
00:19:12,650 –> 00:19:15,820
而且很麻烦 同样地
Because it’s difficult. In the same way,
440
00:19:15,820 –> 00:19:17,880
我们发现部分应用的开发者
we find that application developers often
441
00:19:17,880 –> 00:19:21,320
也同样选择不使用安全的网络传输
choose not to use secure networking because a little bit
442
00:19:21,320 –> 00:19:22,746
因为它太麻烦了
too difficult.
443
00:19:22,746 –> 00:19:25,120
所以我们在最近的几个发布版本中
So what we’ve been doing over the last couple of releases
444
00:19:25,120 –> 00:19:27,780
试着让它变得简单一点
is trying to make that simpler.
445
00:19:27,780 –> 00:19:29,672
麻烦的地方在于我们发现
One of the complexities that we found
446
00:19:29,672 –> 00:19:31,130
应用的开发者
is that application developers just
447
00:19:31,130 –> 00:19:34,650
不知道他们现在使用的网络传输是否安全
don’t know whether they’re using secure traffic or not.
448
00:19:34,650 –> 00:19:37,860
一个很普遍的例子是 他们在应用中
A good example might be, they’ve incorporated an advertising
449
00:19:37,860 –> 00:19:40,190
加入了广告包
library into their application.
450
00:19:40,190 –> 00:19:44,340
为了使广告内容
Does that advertising library use HTTPS to request assets
451
00:19:44,340 –> 00:19:46,680
个性化
when it sends up device identifiers or user identifiers
452
00:19:46,680 –> 00:19:48,555
发送设备标识或是用户标识时
in order to request those advertisements that
453
00:19:48,555 –> 00:19:50,490
广告包是否用的是HTTPS请求
have been personalized for that application?
454
00:19:50,490 –> 00:19:51,856
你知道吗
Do you know?
455
00:19:51,856 –> 00:19:54,230
Android Marshmallow 的其中一个特点就是
And so one of the features that was introduced in Android
456
00:19:54,230 –> 00:19:57,040
允许应用控制网络请求
Marshmallow was the ability for an application to say,
457
00:19:57,040 –> 00:20:00,430
我可以选择使用明文通信
you know what, I want to use clear-text traffic.
458
00:20:00,430 –> 00:20:05,010
或是相反地 我不想选择明文通信
And conversely, I don’t think that I need to use clear-text traffic.
459
00:20:05,010 –> 00:20:07,319
如果你在使用一个类似 gmail 的应用
If you’re an application like gmail,
460
00:20:07,319 –> 00:20:09,610
你可以说我知道我所有的连接
you can say I know that all my connections are going up
461
00:20:09,610 –> 00:20:10,210
都将上传到 Google 服务器中
to a Google server.
462
00:20:10,210 –> 00:20:11,300
这也是一种保护的手段
And that’s the one that’s been protected.
463
00:20:11,300 –> 00:20:11,410
当然
And.
464
00:20:11,410 –> 00:20:14,280
我也可以说 嗯 我不想使用任何明文通信
I can say, whoop, I’m going to not use any clear-text traffic.
465
00:20:14,280 –> 00:20:15,290
如果你是另一个应用
If you’re a different application,
466
00:20:15,290 –> 00:20:17,498
那么你就需要知道它是否
then you need to go through the process of evaluating
467
00:20:17,498 –> 00:20:18,440
在使用明文通信
whether it’s there.
468
00:20:18,440 –> 00:20:20,690
这就是我们做的
So this is a feature that was put in place to simplify
469
00:20:20,690 –> 00:20:22,648
快速明确你的应用是否
understanding whether your application actually
470
00:20:22,648 –> 00:20:23,890
在使用明文通信
uses clear-text traffic.
471
00:20:23,890 –> 00:20:26,710
而且能让用户知道
And to give users visibility into whether you think
472
00:20:26,710 –> 00:20:29,410
他的应用是否在使用明文通信
you use clear-text traffic.
473
00:20:29,410 –> 00:20:32,600
当然 这用起来也很简单
So, it’s really straightforward, very easy to use.
474
00:20:32,600 –> 00:20:34,730
它就在你的 manifests 中
Inside your manifests, it’s very simple.
475
00:20:34,730 –> 00:20:36,120
你使用明文通信了吗
Do you use clear-text traffic?
476
00:20:36,120 –> 00:20:38,160
没有
No.
477
00:20:38,160 –> 00:20:43,060
接着是 API 例如一个 URL
And then API, such as URL– yeah,
478
00:20:43,060 –> 00:20:48,160
HTTP://URL 连接 如果它不使同 HTTPS 是不会正常工作的
HTTP://URL Connect, where it’s not using HTTPS will simply not work.
479
00:20:48,160 –> 00:20:50,140
所以这些 API 被用于
So those APIs that are known to be
480
00:20:50,140 –> 00:20:52,959
保证通过网络传输的用户数据
insecure in transmitting user data across a network simply
481
00:20:52,959 –> 00:20:53,750
的安全
no longer function.
482
00:20:53,750 –> 00:20:55,083
它们将返回一个安全错误
They’ll return a security error.
483
00:20:55,083 –> 00:20:57,090
你就可以摆脱困境了
And you can bail out.
484
00:20:57,090 –> 00:20:59,290
这多方便
So that’s great.
485
00:20:59,290 –> 00:21:01,540
只可惜这导致了大部分的应用是安全的
Except that it turns out most applications
486
00:21:01,540 –> 00:21:03,695
而一小部分是不安全的
do some stuff secure and some stuff not secure.
487
00:21:03,695 –> 00:21:05,945
所以我们知道我们需要提供更强的灵活性
So we knew that we needed to provide more flexibility.
488
00:21:05,945 –> 00:21:07,570
所以我们在 Android N 中
And so that’s one of the things that we
489
00:21:07,570 –> 00:21:10,520
致力于更加精细的控制
began focusing on in Android N is how do we
490
00:21:10,520 –> 00:21:13,930
尤其是当我们了解到
have more granular controls while recognizing
491
00:21:13,930 –> 00:21:16,810
存在于 SSL 和 TLS 栈中的粒度
that the granularity that’s existed in SSL and TLS
492
00:21:16,810 –> 00:21:20,140
已经成为了在实现部署中
Stacks and the SSL APIs has been a source
493
00:21:20,140 –> 00:21:24,370
难以置信的复杂与困难的来源
of incredible complexity and incredible difficulty in deployment.
494
00:21:24,370 –> 00:21:27,010
所以我们想在网络安全配置方面做的工作就是
And so what we want to do with network security config
495
00:21:27,010 –> 00:21:30,710
让身为应用开发者的你在使用安全传输时
is make it really easy for you, as an application developer,
496
00:21:30,710 –> 00:21:33,700
更容易
to know where you’re using secure transports.
497
00:21:33,700 –> 00:21:35,207
而且在这过程中
And then to control those transports
498
00:21:35,207 –> 00:21:37,540
不会使你的代码变得更复杂
in a way that doesn’t make your coding really difficult.
499
00:21:37,540 –> 00:21:38,970
它非常清晰
So it’s entirely declarative.
500
00:21:38,970 –> 00:21:40,300
因为它全在 manifest 里
And it’s all in the manifest.
501
00:21:40,300 –> 00:21:43,170
现在让我们谈谈一些基础功能
So let’s talk about some of the basic capabilities.
502
00:21:43,170 –> 00:21:45,520
这是一个很简单的例子
Well here’s a really simple one.
503
00:21:45,520 –> 00:21:49,110
原来 我没有在每个地方都使用安全通路
It turns out, I don’t use secure traffic everywhere.
504
00:21:49,110 –> 00:21:51,822
但是我知道我正在 secure.example.com 上使用它
But I know that I use it on secure.example.com.
505
00:21:51,822 –> 00:21:54,160
这样我就可以使用 domain-config
And so I can use a domain config.
506
00:21:54,160 –> 00:21:59,060
我把它配置在使用安全通路的地方
I set up where this domain is one that uses secure traffic.
507
00:21:59,060 –> 00:22:03,560
当我指定为 false 时 它使用明文通信
OK, so it does use clear-text traffic, specifies it as false.
508
00:22:03,560 –> 00:22:06,340
而且我没有对任何要与我的应用交互的
And I don’t make any claims about any other domains
509
00:22:06,340 –> 00:22:09,030
域名做任何的要求
that my application might be interacting with.
510
00:22:09,030 –> 00:22:11,175
这样你就可以保持
So you can keep that advertising library
511
00:22:11,175 –> 00:22:12,800
广告库的不变
that otherwise would have prevented you
512
00:22:12,800 –> 00:22:14,870
也不用担心你应用的其他功能
from being confident about the rest of the functionality
513
00:22:14,870 –> 00:22:15,703
有任何的变化
of your application.
514
00:22:19,870 –> 00:22:22,210
这仅仅
So that’s the start of the types of things
515
00:22:22,210 –> 00:22:23,610
是开端
that you’d want to be able to do.
516
00:22:23,610 –> 00:22:25,401
我们发现的另外一件事情
Another thing that we’ve found is that it’s
517
00:22:25,401 –> 00:22:28,540
就是调试困难
very difficult to do debugging.
518
00:22:28,540 –> 00:22:31,100
这种情况很常见
We see that in the context of Google on a regular basis.
519
00:22:31,100 –> 00:22:32,980
我们在调试设备上的交互方式
The way that we interact with our debug infrastructure
520
00:22:32,980 –> 00:22:35,563
与真实发布设备上的交互方式
is different from the way that we do interact with our release
521
00:22:35,563 –> 00:22:36,450
非常不同
infrastructure.
522
00:22:36,450 –> 00:22:38,074
他们的密钥材料是不一样的
We have different key material on them.
523
00:22:38,074 –> 00:22:40,552
不是所有的 Android 设备中
We might not come from a certificate authority that’s
524
00:22:40,552 –> 00:22:43,380
都有权威机构的认证
a well known certificate authority that’s on all the Android devices.
525
00:22:43,380 –> 00:22:45,046
因为这仅仅是一个测试设备
Because it’s just a test infrastructure.
526
00:22:45,046 –> 00:22:47,240
而且你也不想为复杂而又昂贵的SSL
And you don’t want to have to pay for and maintain
527
00:22:47,240 –> 00:22:50,540
付费和维护
that sort of complex or costly SSL infrastructure.
528
00:22:50,540 –> 00:22:52,670
价格虽然不是那么高
Not that it’s that costly, but that’s the mindset
529
00:22:52,670 –> 00:22:54,049
但这是很多开发者的真实想法
of a lot of developers.
530
00:22:54,049 –> 00:22:57,100
所以我们要做的就是把它变得简单点
And so one of the things that we want to do is make it really simple.
531
00:22:57,100 –> 00:22:59,730
在过去 开发者的方法是
Because in the past, the way that developers have done this,
532
00:22:59,730 –> 00:23:02,340
他们必须通过一系列的自定义代码
is they’ve had to go through a lot of custom code
533
00:23:02,340 –> 00:23:04,680
来改变 SSL 在应用中的
to change how SSL handling took place
534
00:23:04,680 –> 00:23:06,380
操作模式
inside the context of their application.
535
00:23:06,380 –> 00:23:08,140
因此我们把网络安全配置的事
So we’re going to do that all in the manifest now with network
536
00:23:08,140 –> 00:23:09,357
全都放在了 manifest 中
security config.
537
00:23:09,357 –> 00:23:11,190
这样做就与原来基于
So that should make it really, really simple
538
00:23:11,190 –> 00:23:14,640
发布设施的做法完全不同了
for you to test in a way that’s distinct from, entirely
539
00:23:14,640 –> 00:23:17,490
这将变得极为简单
independent from, your release infrastructure,
540
00:23:17,490 –> 00:23:20,380
而且你再也不用写任何的自定义代码了
but also not have to write any custom code to do that.
541
00:23:20,380 –> 00:23:22,600
感觉如何
So what does it look like?
542
00:23:22,600 –> 00:23:26,460
在 network-security-config 中可以直接修改
Here’s a pretty simple way to do it, network security config.
543
00:23:26,460 –> 00:23:28,250
你需要加上 debug-overrides
You declare debug overrides.
544
00:23:28,250 –> 00:23:30,950
当你在调试应用的时候
And you set a different set of trust anchors
545
00:23:30,950 –> 00:23:34,796
设置一个不一样的 trust-anchors
when your application is running in a debug environment.
546
00:23:34,796 –> 00:23:36,670
你指定 trust-anchors 是什么
And you specify what those trust anchors are.
547
00:23:36,670 –> 00:23:39,210
你完全可以在你的应用里这么做 像在这做的一样
You can include them in your applications, as is being done here.
548
00:23:39,210 –> 00:23:41,126
事实上它们在你的应用中
This is actually specifying that they’re going
549
00:23:41,126 –> 00:23:42,644
被具体指定了
to be in your application.
550
00:23:42,644 –> 00:23:44,560
而且当你的应用调试完成以后
And you now know that when your application is
551
00:23:44,560 –> 00:23:49,260
你不用修改任何的代码
no longer in a debug build, no change to your code at all.
552
00:23:49,260 –> 00:23:51,080
你用发布版本发布出来
You’ve released it in release mode.
553
00:23:51,080 –> 00:23:52,090
你上传它
You ship it.
554
00:23:52,090 –> 00:23:54,287
所有有关调试的重写代码
And all of the code related to this debug overrides
555
00:23:54,287 –> 00:23:56,620
都不会再展示在应用之中
is no longer going to be present inside the application.
556
00:23:56,620 –> 00:23:57,578
非常直观
Really straightforward.
557
00:24:02,414 –> 00:24:03,830
你也许想做
You may want to do things that are
558
00:24:03,830 –> 00:24:08,160
比域名等级限制更复杂的事
more sophisticated than just domain level restrictions,
559
00:24:08,160 –> 00:24:10,150
使用 certificate-authorities 中的 built
using the built in certificate authorities,
560
00:24:10,150 –> 00:24:13,929
或从调试硬件中区别出
or differentiating your debug hardware, debug
561
00:24:13,929 –> 00:24:15,970
调试设施和发布设施
infrastructure, from your release infrastructure.
562
00:24:15,970 –> 00:24:17,905
所以我们再谈论下这个问题
So let’s talk about that for just a second.
563
00:24:17,905 –> 00:24:19,280
有很多种不同的方法
Here’s a couple of different ways
564
00:24:19,280 –> 00:24:21,920
可以限制你需要与之交互的证书
that you can actually limit the set of certificates
565
00:24:21,920 –> 00:24:25,280
而且不需要写一个你自己的
that you interact with without needing to write your own SSL
566
00:24:25,280 –> 00:24:28,520
SSL 错误处理器或是 SSL 证书确认程序
error handlers and SSL certificate validation routines.
567
00:24:28,520 –> 00:24:32,240
这是一个很简单的域名
Really simple one, these are domains for which
568
00:24:32,240 –> 00:24:34,760
需要把我们应用中的
we are going to include the certificates that
569
00:24:34,760 –> 00:24:38,960
证书绑定上去
are tied to those domains in our application.
570
00:24:38,960 –> 00:24:42,870
所以我们指定了 secure.example.com 和 cdn.example.com
So we specify secure.example.com, cdn.example.com.
571
00:24:42,870 –> 00:24:45,120
而这些应用与证书
And these are apps, these are certs, that are actually
572
00:24:45,120 –> 00:24:47,230
都将直接在我的应用里
going to be directly in my app.
573
00:24:47,230 –> 00:24:49,710
所以不需要依赖系统证书
So don’t rely on the system certificates.
574
00:24:49,710 –> 00:24:53,500
我也不需要买一个证书或是别人的认证
I don’t need to go buy a certificate or validate with somebody else.
575
00:24:53,500 –> 00:24:55,970
我应用的信任凭据就在
My application’s trust is contained entirely inside
576
00:24:55,970 –> 00:24:56,830
应用里面
of that application.
577
00:24:56,830 –> 00:24:58,580
这样我就可以连接到服务器了
And then I can connect out to that server.
578
00:25:02,759 –> 00:25:04,550
另一个我们经常问到的就是
Another thing that we often get asked about
579
00:25:04,550 –> 00:25:06,990
怎样证书锁定
is, how do I do certificate pinning?
580
00:25:06,990 –> 00:25:09,050
证书锁定 如果你对
Certificate pinning, in case you’re not
581
00:25:09,050 –> 00:25:11,050
这个术语不熟悉 就是判断
familiar with the term, is to identify
582
00:25:11,050 –> 00:25:15,082
一个特定的证书 不是 CA 不是证书链
a specific certificate, not a CA, no a certificate chain,
583
00:25:15,082 –> 00:25:17,540
是一个你需要与一个特定服务器
but a specific certificate that you expect to be associated
584
00:25:17,540 –> 00:25:19,080
通信的证书
with a particular web service.
585
00:25:19,080 –> 00:25:21,320
所以我们要介绍的一个功能就是
So one of the capabilities that we introduced here
586
00:25:21,320 –> 00:25:24,500
指定 pin 当然同样是在 manifest 中
is the ability to specify a pin, again directly in the manifest,
587
00:25:24,500 –> 00:25:26,740
你不需要修改 SSL 代码
so you don’t have to manipulate the SSL code
588
00:25:26,740 –> 00:25:28,470
或是你自己的证书
or do your own certificate validation.
589
00:25:28,470 –> 00:25:31,840
如果你想的话可以迅速的做出改变
And you can very quickly make a change to that if you’d like to do so.
590
00:25:31,840 –> 00:25:36,740
我担心锁定和管理你自己的信任凭据
I would caution that pinning and managing your own trusts
591
00:25:36,740 –> 00:25:38,100
会比较棘手
can be a little bit tricky.
592
00:25:38,100 –> 00:25:40,840
所以我们明确地鼓励你使用内置插件
And so we definitely encourage you to use the built ins.
593
00:25:40,840 –> 00:25:43,390
但是我们也想保证你的
But we also wanted to make sure that you have the flexibility
594
00:25:43,390 –> 00:25:44,877
灵活性
to do things.
595
00:25:44,877 –> 00:25:46,960
如果你不想刁难自己的话
if you really want to cause yourself a little more
596
00:25:46,960 –> 00:25:50,120
你最好还是这样做
grief than you otherwise had to do.
597
00:25:50,120 –> 00:25:54,649
这是我幻灯片里想讲述的重点
So here’s how I would describe that in bullet points on a slide.
598
00:25:54,649 –> 00:25:57,190
我们在网络安全配置方面
There’s a bunch of changes that we made with network security
599
00:25:57,190 –> 00:25:59,590
做了很多的改变 而且我们认为这些改变
config and some best practices that we
600
00:25:59,590 –> 00:26:03,240
几乎适用于每个人
think are appropriate for nearly everyone.
601
00:26:03,240 –> 00:26:05,330
一个很好的例子就是
A good example of that is identifying
602
00:26:05,330 –> 00:26:06,920
在所有域名中识别出
what are the domains that you expect
603
00:26:06,920 –> 00:26:10,210
你想要确保安全的那些域名
all of the traffic on those domains to be secure.
604
00:26:10,210 –> 00:26:11,340
然后着重保证它的安全
And actually specify that.
605
00:26:11,340 –> 00:26:14,442
如果它用明文通信 那就把它设置为 false
Say it uses clear-text traffic and set it to false.
606
00:26:14,442 –> 00:26:16,650
这样你就能确保不会意外地
So that you can make sure that you don’t accidentally
607
00:26:16,650 –> 00:26:19,220
通过这些网络发送任何不安全的数据
send any insecure data over those networks.
608
00:26:19,220 –> 00:26:22,451
理想状况是 我们希望你把它用在每一个地方
Ideally, we would like you to do it for everything.
609
00:26:22,451 –> 00:26:23,700
当然我们现在还不是很完美
But we’re not there quite yet.
610
00:26:23,700 –> 00:26:24,366
我们知道
We realize that.
611
00:26:24,366 –> 00:26:25,492
这是一个递进的过程
So this is incremental.
612
00:26:25,492 –> 00:26:26,950
最后我们将在整个
And eventually we’ll get to a point
613
00:26:26,950 –> 00:26:28,408
Android 生态系统中
where it can be done for everything
614
00:26:28,408 –> 00:26:30,550
的每一点网络访问上
across the entire Android ecosystem
615
00:26:30,550 –> 00:26:33,380
都用上这个技术
as we are pushing to do the same across the broader web.
616
00:26:36,020 –> 00:26:38,420
另一个我们做出的重要改变是
Another important change that was made
617
00:26:38,420 –> 00:26:41,380
用户的安装证书不再是默认的了
was that user installed certificates are no longer
618
00:26:41,380 –> 00:26:43,590
之前使用此设备的用户
trusted by default. The user on a device
619
00:26:43,590 –> 00:26:46,377
有权利在
has the ability to go in, add a certificate,
620
00:26:46,377 –> 00:26:48,210
应用与服务器
and, previously, had the ability to then man
621
00:26:48,210 –> 00:26:50,410
中间
in the middle, traffic between your application
622
00:26:50,410 –> 00:26:52,150
添加一个证书
and your server infrastructure.
623
00:26:52,150 –> 00:26:54,690
他们想那么做的原因有很多
There’s a lot of reasons why they might want to do that.
624
00:26:54,690 –> 00:26:56,231
同样地 你也有相当多的理由
And there’s a lot of reasons that you
625
00:26:56,231 –> 00:26:58,400
把这功能放到你的应用中
might want to enable it in your application as well.
626
00:26:58,400 –> 00:27:01,522
另一方面 我们发现在
On the other hand, we thought and we found in conversations
627
00:27:01,522 –> 00:27:03,730
开发者的对话中 绝大多数的开发者
with developers, that the vast majority of developers
628
00:27:03,730 –> 00:27:05,150
就这个没什么预期
don’t anticipate that.
629
00:27:05,150 –> 00:27:06,800
如果他们能连接到自己的服务器
And if they’re connecting to their own infrastructure
630
00:27:06,800 –> 00:27:09,091
又连接不到别的地方 那么他们就没有什么特殊的理由
and to nowhere else, they don’t see a particular reason
631
00:27:09,091 –> 00:27:10,020
这样做了
to enable that.
632
00:27:10,020 –> 00:27:12,994
所以这就有了用户在无意中
And so there was a risk of users unintentionally
633
00:27:12,994 –> 00:27:15,990
安装了有可能导致中间人攻击的证书
installing certificates that could allow for a man in the middle.
634
00:27:15,990 –> 00:27:19,530
所以我们改变了这种默认的安装方式
And so we’ve changed the default to no longer have
635
00:27:19,530 –> 00:27:22,160
在默认情况下 允许在
user certificates be, by default,
636
00:27:22,160 –> 00:27:26,002
应用与终端之间拦截通信
able to intercept traffic between your application and your endpoint.
637
00:27:26,002 –> 00:27:27,460
如果你愿意的话你也可以做出改变
You can change that if you want to.
638
00:27:27,460 –> 00:27:28,924
可能在你应用中的某些情况下
There may be situations where it’s
639
00:27:28,924 –> 00:27:31,340
是适用的
appropriate to do that in the context of your application.
640
00:27:31,340 –> 00:27:31,780
有些则不适用
There may not.
641
00:27:31,780 –> 00:27:35,630
这取决于你
It’s something for you to take a look at and make a determination for.
642
00:27:35,630 –> 00:27:38,840
我们致力的另一件事就是简化调试
The other thing that we’ve tried to do is simplify debugging.
643
00:27:38,840 –> 00:27:41,230
我们建议你可以试一试
So I would encourage you to go look at your application.
644
00:27:41,230 –> 00:27:45,170
如果你使用了任何的 SSL 操作
If you have any SSL handling that you’ve implemented
645
00:27:45,170 –> 00:27:48,300
比如说自定义操作 自定义认证 或其他自定义的 SSL 操作
that’s custom handling, custom cert verification, custom SSL
646
00:27:48,300 –> 00:27:52,110
你可以用网络安全配置替换之
handlers, you probably can replace that with network security config
647
00:27:52,110 –> 00:27:53,630
这样做将更简单
and make it much easier to make sure that you
648
00:27:53,630 –> 00:27:54,838
而且不容易出错
don’t make a mistake in that.
649
00:27:58,950 –> 00:28:01,760
如果你还想做的更多
If you want to do something and you
650
00:28:01,760 –> 00:28:04,460
而且你觉得有信心
feel confident in your ability to manage
651
00:28:04,460 –> 00:28:06,414
管理你自己的证书 我们同样
your own certificates, we’ve provided that
652
00:28:06,414 –> 00:28:08,830
提供更简单的做法
and try to make that a little bit simpler for you as well.
653
00:28:08,830 –> 00:28:13,094
不过就像我刚才说的 这么做可能更复杂
But as I mentioned, this is a little bit more difficult
654
00:28:13,094 –> 00:28:14,510
而且更容易出错
and a little bit more error prone.
655
00:28:14,510 –> 00:28:16,635
这是你需要想清楚的地方
So it’s something that you’d want to think through.
656
00:28:20,870 –> 00:28:22,930
上述就是网络相关的内容
So we talked about networking.
657
00:28:22,930 –> 00:28:25,370
下面我们来聊聊我们经常提到的加密技术
Now let’s get into the thing that we so often just refer
658
00:28:25,370 –> 00:28:30,980
2016年的大型加密讨论
to as encryption, the big encryption debates of 2016.
659
00:28:30,980 –> 00:28:32,920
我花费了很多时间来谈论
I’ve been spending a lot of my time talking
660
00:28:32,920 –> 00:28:35,390
为什么存储加密对
about why it is that storage encryption is
661
00:28:35,390 –> 00:28:38,060
用户数据的保护如此的重要
so important for protecting user data.
662
00:28:38,060 –> 00:28:41,320
我们用类似 Android Pay 这样的应用
The benefits that it has accrued on the ecosystem where we’re
663
00:28:41,320 –> 00:28:44,350
让开发者能够在 Android 生态系统中获得收益
now able to deliver applications like Android Pay, where it’s
664
00:28:44,350 –> 00:28:47,560
因此对开发者来说 设备信息的
possible for a developer to rely on the integrity
665
00:28:47,560 –> 00:28:49,530
完整性和机密性
and the confidentiality of information
666
00:28:49,530 –> 00:28:51,890
是相当关键的
that’s critical to the application on the device.
667
00:28:51,890 –> 00:28:54,430
这就是我们在所有装载有 Marshmallow
That’s one of the reasons among many
668
00:28:54,430 –> 00:28:58,690
系统的设备上开始推广加密技术
that we’ve moved towards requiring encryption on all capable devices
669
00:28:58,690 –> 00:29:00,170
的原因
starting with Marshmallow.
670
00:29:00,170 –> 00:29:02,010
这是强制执行的
We made that mandatory.
671
00:29:02,010 –> 00:29:04,980
我们会把它变得越来越健壮
And we’ve been making that more and more robust.
672
00:29:04,980 –> 00:29:07,522
因为我们认为直接对用户设备的物理威胁
Because we think direct physical threats to the user’s device
673
00:29:07,522 –> 00:29:09,896
也是我们需要考虑的事情
are one of the things that we need to be concerned about.
674
00:29:09,896 –> 00:29:12,350
这就是我们开始推广的设备名单
These are devices that we move around in the world with.
675
00:29:12,350 –> 00:29:14,520
这也包括手环之类的设备
They are sometimes attached to your wrist.
676
00:29:14,520 –> 00:29:16,400
也包括你车中的设备
They’re sometimes in your car.
677
00:29:16,400 –> 00:29:19,610
有多种强存储加密方式
There’s a lot of different ways that having strong storage
678
00:29:19,610 –> 00:29:22,540
对 Android 的安全来说是非常重要的
encryption is really fundamental to Android security.
679
00:29:22,540 –> 00:29:24,850
但这不意味着我们不能把它变得更好
But that doesn’t mean we can’t make it better.
680
00:29:24,850 –> 00:29:26,370
也不意味着我们不能在用户体验的角度上
It doesn’t mean that we can’t improve it from a user
681
00:29:26,370 –> 00:29:27,360
把它变得更好
experience standpoint.
682
00:29:27,360 –> 00:29:29,360
Android N 的一个重大变化就是
And so one of the big changes with the Android N
683
00:29:29,360 –> 00:29:31,950
直接启动
is what we refer to as Direct Boot.
684
00:29:31,950 –> 00:29:34,140
我将分别从用户和开发者的角度说
I’ll talk about it both from a user perspective
685
00:29:34,140 –> 00:29:37,730
不过在开发者的角度上会多说一点
and then I’ll get into it a little bit from a developer’s perspective.
686
00:29:37,730 –> 00:29:40,020
从用户的角度来说 直接启动
From a user perspective, direct boot basically
687
00:29:40,020 –> 00:29:44,700
意味着我不需要重复的输入密码了
means I don’t go through two times putting in my user’s password.
688
00:29:44,700 –> 00:29:46,330
我不必输入两次
I don’t have to double enter that.
689
00:29:46,330 –> 00:29:49,205
因为在设备开启的时候
Because currently, the first time the device comes up,
690
00:29:49,205 –> 00:29:50,080
就已经输入过了
you have to enter it.
691
00:29:50,080 –> 00:29:51,430
然后设备就被解锁了
The device is then decrypted.
692
00:29:51,430 –> 00:29:54,650
然后你就可以与应用交互了
And then you get it again as you’re interacting with it.
693
00:29:54,650 –> 00:29:56,110
这也意味着在你第一次进入之后
It also means that all of the data
694
00:29:56,110 –> 00:29:58,276
所有的数据都被解锁了
is decrypted after you’ve entered it the first time.
695
00:29:58,276 –> 00:30:00,620
我再简单说两句
So we’ll talk about that more in just a second.
696
00:30:00,620 –> 00:30:04,440
全盘加密的另一个挑战就是
Another challenge that exists with full disk encryption
697
00:30:04,440 –> 00:30:09,460
所有的数据都一直处于保护之中
is it means that, yes, all the data is protected all the time.
698
00:30:09,460 –> 00:30:15,460
直到用户输入了他们的密码 你就完蛋了
But until the user has entered their password, you’re stuck.
699
00:30:15,460 –> 00:30:18,090
因为没有应用能访问数据
No application has the ability to access data.
700
00:30:18,090 –> 00:30:22,272
所以其中一个重要的改变就是设备现在就被启动了
And so one of the important changes is the device will now come up.
701
00:30:22,272 –> 00:30:24,480
还有运行在后台的东西
And things that are running in the background, things
702
00:30:24,480 –> 00:30:30,479
像是来电 短信
like inbound calls, inbound SMS, your alarm
703
00:30:30,479 –> 00:30:32,020
你要早起赶上
clock in the morning for those of you
704
00:30:32,020 –> 00:30:34,270
6点从旧金山
who had to get up earlier than the six o’clock shuttle
705
00:30:34,270 –> 00:30:36,432
开来的公交车
coming down from San Francisco, who
706
00:30:36,432 –> 00:30:38,890
别人都不像我运气这么好
didn’t have the fortune that I did of having a two-year-old
707
00:30:38,890 –> 00:30:42,430
因为我在三点就醒了 而这种情况持续了两年
wake you up at 3:00 so you were already awake.
708
00:30:42,430 –> 00:30:43,980
你依赖你的闹钟吗
You rely on your alarm clock?
709
00:30:43,980 –> 00:30:48,350
我已经超过六个月没这么做了
I don’t have to do that for another six or so months.
710
00:30:48,350 –> 00:30:51,240
所以我们开始了这项工作
And so we move towards making that work,
711
00:30:51,240 –> 00:30:53,694
即使用户还没有把它们放进凭据里
even if the user hasn’t put in their credential.
712
00:30:53,694 –> 00:30:55,860
以上就是站在用户角度上的讨论
So that’s what it looks like from a user standpoint.
713
00:30:55,860 –> 00:30:57,630
那从开发者的角度来说呢
What’s it look like from a developer standpoint?
714
00:30:57,630 –> 00:31:01,340
我们介绍关于存储加密的两种不同观念
We introduced two different concepts in terms of storage encryption.
715
00:31:01,340 –> 00:31:04,020
第一种就是你最熟悉的
The first is the one that’s most familiar to you
716
00:31:04,020 –> 00:31:06,750
凭据加密
right now, credential encryption.
717
00:31:06,750 –> 00:31:10,660
这意味着只有用户进入了他们的凭据之后
That means this data is only available after the user has
718
00:31:10,660 –> 00:31:12,940
才能访问数据
entered their credential.
719
00:31:12,940 –> 00:31:16,070
还有一种就是我们刚才提到的设备加密数据
We also have what we refer to as device encrypted data.
720
00:31:16,070 –> 00:31:21,720
这种数据只有用 TrustZone 中存储的密钥才能访问
This is data that’s available with a key that’s stored in TrustZone.
721
00:31:21,720 –> 00:31:24,740
这就是防止数据泄露的
So it’s protected in a variety of different mechanisms
722
00:31:24,740 –> 00:31:25,820
各种手段
against extractions.
723
00:31:25,820 –> 00:31:27,560
数据仍然是被加密的
The data is still encrypted, but it’s
724
00:31:27,560 –> 00:31:30,810
不过是被与设备相关联的密钥加密了
encrypted with a key that’s only tied to the device.
725
00:31:30,810 –> 00:31:32,880
默认情况下 应用还是运行在
Applications by default are going
726
00:31:32,880 –> 00:31:34,700
凭据加密环境下
to run in credential encrypted environment.
727
00:31:34,700 –> 00:31:37,328
所以如果你不做出任何改变 你所要做的就是
So if you don’t change anything, the behavior you have is going
728
00:31:37,328 –> 00:31:39,240
弄懂你的应用是如何工作的
to be exactly the way your application works now,
729
00:31:39,240 –> 00:31:41,590
用户一旦登入设备
which is once the user logs in, you can access the data
730
00:31:41,590 –> 00:31:43,860
你就可以用上述方式访问数据了
and you can kind of proceed along your way.
731
00:31:43,860 –> 00:31:48,030
但是如果你的应用在用户解锁设备之前
But if you have an application that requires access
732
00:31:48,030 –> 00:31:50,800
就需要访问数据的话
to information potentially before the user had entered
733
00:31:50,800 –> 00:31:54,220
你可以把你的应用标记为直接启动感知
their credentials, you can declare yourself to be direct boot aware.
734
00:31:54,220 –> 00:31:56,705
这样你在被声明为
And then you have access to the data
735
00:31:56,705 –> 00:31:58,830
直接启动感知的 activity 中
in the context of the activity that’s been declared
736
00:31:58,830 –> 00:31:59,947
就可以直接访问数据了
to be direct boot aware.
737
00:31:59,947 –> 00:32:01,530
当然你也可以直接与之交互
And you can actually interact with it.
738
00:32:01,530 –> 00:32:03,080
这就是 TalkBack 的工作原理
So that’s how TalkBacks works.
739
00:32:03,080 –> 00:32:04,880
这就是短信的工作原理
That’s how a SMS’ works.
740
00:32:04,880 –> 00:32:07,890
这就是闹钟
That’s how alarms store, this is an alarm,
741
00:32:07,890 –> 00:32:09,510
尤其是在重启后
and immediately upon reboot, I want
742
00:32:09,510 –> 00:32:11,010
的工作原理
to be able to execute on that alarm.
743
00:32:13,979 –> 00:32:16,810
怎样声明直接启动感知呢
What does it mean to declare yourself to be direct boot aware?
744
00:32:16,810 –> 00:32:18,184
非常直观
Pretty straightforward.
745
00:32:18,184 –> 00:32:19,850
上半部分在 manifest 里
The top half of this is in the manifest.
746
00:32:19,850 –> 00:32:22,000
你只需要说 我是直接启动感知就行了
You just say, I’m direct boot aware.
747
00:32:22,000 –> 00:32:25,890
然后 receiver 就被触发了
OK, and then that receiver can be triggered.
748
00:32:25,890 –> 00:32:29,270
这样一个 intent 就被触发了
In the event that a particular intent is fired like,
749
00:32:29,270 –> 00:32:32,566
也许是叫 boot complete 吧
I don’t know, boot complete, then your application
750
00:32:32,566 –> 00:32:36,470
然后你的应用就会根据特定的 receiver 运行
will start running in the context of that particular receiver.
751
00:32:36,470 –> 00:32:38,862
为了使用存储 你最可能干的事情
To use storage, which presumably is one of the things
752
00:32:38,862 –> 00:32:40,320
就是你需要
that you’d want to do, you’re going
753
00:32:40,320 –> 00:32:44,550
在设备保护存储中
to need to create storage that’s in the context of device
754
00:32:44,550 –> 00:32:45,330
开辟一块存储空间出来
protected storage.
755
00:32:45,330 –> 00:32:47,340
这是底部的一小段代码
And so there’s a little snippet of code down there at the bottom.
756
00:32:47,340 –> 00:32:48,530
你创建你应用的 context
You create your app context.
757
00:32:48,530 –> 00:32:49,571
你使用你应用的 context
You use your app context.
758
00:32:49,571 –> 00:32:52,480
你创建一个设备保护与存储的 context
And then you create a device protect and storage context.
759
00:32:52,480 –> 00:32:53,860
然后只需把它打开就行了
And then you just open it.
760
00:32:53,860 –> 00:32:56,330
你可以用任何你喜欢的方式与之交互
You interact with it exactly like you would any other way.
761
00:32:56,330 –> 00:32:59,920
当你按我刚才说的那么做时
When you are running in what I refer to as the device context,
762
00:32:59,920 –> 00:33:02,100
与之相反的是凭据保护
as opposed to the credential protected context,
763
00:33:02,100 –> 00:33:05,680
你仍然可以创建凭据保护的文件
you can still create files that are credential protected.
764
00:33:05,680 –> 00:33:06,770
你只是不能读取它们
You just can’t read them.
765
00:33:09,401 –> 00:33:11,400
但你仍然可以做很多事情
But there are lots of ways that could be useful.
766
00:33:11,400 –> 00:33:12,150
你可以往后附加
You can append.
767
00:33:15,030 –> 00:33:17,560
如果你收到一封邮件
So if you receive an inbound mail message.
768
00:33:17,560 –> 00:33:20,460
那你就需要转换成一个很糟糕的邮件
And you’ve got a really horrible mail storage
769
00:33:20,460 –> 00:33:22,500
存储格式 然后附加在后面
format where you just append.
770
00:33:22,500 –> 00:33:25,291
你可以仅拿到标题然后展示在锁屏界面上
You could just grab the headers and display that on the lock screen.
771
00:33:25,291 –> 00:33:27,160
然后获取真实的内容
And then take the actual content and push it
772
00:33:27,160 –> 00:33:29,197
并把它放到凭据保护存储里
into credential protected storage.
773
00:33:29,197 –> 00:33:31,280
你可能只是因为缓存才这么做
You’d probably want to do that just for the cache,
774
00:33:31,280 –> 00:33:32,857
而非针对所有的邮件
not for all of your mail.
775
00:33:32,857 –> 00:33:34,440
在需要有精致的用户体验地方
But you could do those kinds of things
776
00:33:34,440 –> 00:33:35,898
为了维护最佳的安全
where you have a sophisticated user
777
00:33:35,898 –> 00:33:38,810
你也可以这样做
experience while maintaining optimal security.
778
00:33:38,810 –> 00:33:42,020
下面我们来谈谈最佳范例
So let’s talk about some of those best practices.
779
00:33:42,020 –> 00:33:44,870
第一个我想说的就是使用默认值
The first thing I want to do is point out, just use the defaults.
780
00:33:44,870 –> 00:33:46,320
绝大部分的应用
The vast majority of applications,
781
00:33:46,320 –> 00:33:47,861
你是不希望在用户登录之前
you’re not expecting your application
782
00:33:47,861 –> 00:33:50,925
做太多事情的
to do much, if anything, prior to the user logging in.
783
00:33:50,925 –> 00:33:53,170
这就跟默认模式非常匹配了
And so it’s perfectly appropriate to use the defaults.
784
00:33:53,170 –> 00:33:55,727
从安全的角度来说这也是比较理想的
And that sort of optimal from a security standpoint.
785
00:33:55,727 –> 00:33:58,310
这也使你的开发更简单
It also makes your life a little bit simpler because you don’t
786
00:33:58,310 –> 00:34:00,880
因为你不需要想 我现在是不是要接入设备的内容啦
have to think, is this available to me now in the device context?
787
00:34:00,880 –> 00:34:02,480
我能够接入凭据吗
Am I able to access credentials?
788
00:34:02,480 –> 00:34:04,050
如果你运行起来 那么数据就在这
It’s there if you’re running.
789
00:34:04,050 –> 00:34:08,750
如果你没有直接启动感知 那就是上述这样
If you aren’t direct boot aware, everything’s there if you’re running.
790
00:34:08,750 –> 00:34:10,333
如果你是直接启动感知的
If you are direct boot aware, then you
791
00:34:10,333 –> 00:34:12,850
那你就要明确在何时
have to be direct boot aware of which things are going
792
00:34:12,850 –> 00:34:15,510
什么数据是可以被访问的
to be available at that time.
793
00:34:15,510 –> 00:34:17,630
另一个最佳实践是 仔细想想
The other best practice is, think very carefully
794
00:34:17,630 –> 00:34:19,300
如果你是直接启动感知的
about if you are direct boot aware,
795
00:34:19,300 –> 00:34:21,674
哪些东西应该放入设备加密
which things do you want to put into the device encrypted
796
00:34:21,674 –> 00:34:23,830
或是设备保护存储中
or device protected storage?
797
00:34:23,830 –> 00:34:27,601
请不要把有效时间过长的凭据放进来
Please don’t put long live credentials into that area.
798
00:34:27,601 –> 00:34:29,100
如果你不想切断
So you don’t want to have off tokens
799
00:34:29,100 –> 00:34:31,266
用于连接 service 的 token 的话
that are sitting there that could be used to connect
800
00:34:31,266 –> 00:34:34,370
即使用户还没有
to a service, even though the user hasn’t authorized that
801
00:34:34,370 –> 00:34:36,855
进入凭据给它授权
by entering their credential.
802
00:34:36,855 –> 00:34:38,730
我们需要考虑的另一件事是
One of the things that we want to think about
803
00:34:38,730 –> 00:34:41,320
你能否限制 token 的范围
is, can you limit the scope of tokens?
804
00:34:41,320 –> 00:34:44,429
如果你有一个类似邮件接收器的东西
So if you have something like a mail receiver, maybe
805
00:34:44,429 –> 00:34:45,864
可能你只是想阅读邮件
you just want to read mail.
806
00:34:45,864 –> 00:34:49,370
但那并不意味着你将要发送邮件
But that doesn’t necessarily mean that you’re going to send it.
807
00:34:49,370 –> 00:34:50,750
如果你不希望用户
If you don’t expect the user ever
808
00:34:50,750 –> 00:34:52,270
在还没有登录设备的时候
to be able to send mail when they haven’t actually
809
00:34:52,270 –> 00:34:54,120
就能发送邮件
logged onto the device, you certainly
810
00:34:54,120 –> 00:34:55,661
你应该也不希望他们 嗯 比如说
don’t expect them to be able to like,
811
00:34:55,661 –> 00:34:58,740
删除他们的账户 删除他们所有的信息
I don’t know, delete their account, delete all of their messages.
812
00:34:58,740 –> 00:35:00,156
这些都是你不希望在用户登录之前
These are not tasks that you would
813
00:35:00,156 –> 00:35:02,650
看到的景象
expect to happen before the user has logged in.
814
00:35:02,650 –> 00:35:04,510
所以你想
And so you would want to limit the scope
815
00:35:04,510 –> 00:35:05,640
通过限制 token 的能力范围
of the ability of the application
816
00:35:05,640 –> 00:35:08,014
来限制应用
to perform those behaviors by limiting the authentication
817
00:35:08,014 –> 00:35:11,310
能力的范围
tokens that it has available inside that scope.
818
00:35:11,310 –> 00:35:12,810
还有我想提醒你的是
And then the other one that I hinted
819
00:35:12,810 –> 00:35:15,018
如果你收到了一些你认为是敏感的数据
at there, which is, if you receive some data that you
820
00:35:15,018 –> 00:35:18,030
接收它 然后加密
think is sensitive, receive it, put it somewhere that’s encrypted.
821
00:35:18,030 –> 00:35:20,519
你可以用类似公钥的非对称加密
You can either encrypt it locally using
822
00:35:20,519 –> 00:35:22,810
当然前提是你有
asymmetric cryptography like public key, where you just
823
00:35:22,810 –> 00:35:25,350
设备保护存储的公钥
have the key that you have the public key
824
00:35:25,350 –> 00:35:27,520
或是用凭据保护存储中的
in device protected storage and the private key
825
00:35:27,520 –> 00:35:31,554
私钥加密
to be able to decrypt it inside of the credential protected storage.
826
00:35:31,554 –> 00:35:33,970
所以你知道读取邮件的权限
So you know that that key and the ability to read the mail
827
00:35:33,970 –> 00:35:37,150
需要用户登录他们的设备
requires the user to have entered their password.
828
00:35:37,150 –> 00:35:40,830
你可以做很多的事情
There’s a variety of things you can do there as well.
829
00:35:40,830 –> 00:35:43,110
我们也正在努力中
OK, we’re making good progress.
830
00:35:43,110 –> 00:35:44,800
我还有十分钟就要离开了
We’ve got about 10 minutes left.
831
00:35:44,800 –> 00:35:47,405
下面我们将要谈一谈 verified boot 和沙盒
We’re going to barrel through verified boot and sandboxing.
832
00:35:47,405 –> 00:35:50,552
在最后会有两到三分钟的
And I think we’ll have two or three minutes to talk questions
833
00:35:50,552 –> 00:35:51,260
问答时间
there at the end.
834
00:35:51,260 –> 00:35:52,730
我会预留出来
And I’ll hang out for a while.
835
00:35:52,730 –> 00:35:56,200
享受在旧金山没有的阳光
Enjoy the sunshine, which we don’t have up in San Francisco.
836
00:35:59,020 –> 00:36:03,780
verified boot 已经被介绍过很多次了
Verified boot was introduced over a couple of releases
837
00:36:03,780 –> 00:36:06,810
而且在 M 版本上的设备装载
and then became required on M for devices
838
00:36:06,810 –> 00:36:10,070
有能力提供 verified boot 的硬件已经是必须的了
that had hardware capable of providing verified boot, which
839
00:36:10,070 –> 00:36:12,570
这在线性加密中基本相当于
basically amounts to devices that met a performance
840
00:36:12,570 –> 00:36:16,680
每秒50兆的高级加密标准
threshold of about 50 megabits per second AES in line encryption.
841
00:36:16,680 –> 00:36:18,680
顺便说 这包括了绝大多数的设备
That’s the vast majority of devices, by the way.
842
00:36:22,020 –> 00:36:26,690
在 N 中我们把所谓的强制模式
In N we moved from what we called enforcing mode
843
00:36:26,690 –> 00:36:29,010
转换成了严格强制模式
to strictly enforcing mode.
844
00:36:29,010 –> 00:36:32,200
在 M 中警告用户然后继续启动
With M it was acceptable for a device to warn the user
845
00:36:32,200 –> 00:36:35,017
是可以接受的
and then proceed to boot, as a mechanism
846
00:36:35,017 –> 00:36:37,100
这也是我们验证实际
for us to begin to validate how frequently were we
847
00:36:37,100 –> 00:36:38,100
出错率的一种机制
seeing errors in the field?
848
00:36:38,100 –> 00:36:39,520
我们看到了什么问题
What kinds of problems were we seeing?
849
00:36:39,520 –> 00:36:41,850
并确保这里将要出问题
And making sure that there was going to be disruption.
850
00:36:41,850 –> 00:36:44,010
我认为一个很有意思的特点是
One of, I think, the more intriguing features
851
00:36:44,010 –> 00:36:47,520
错误更正
that was introduced in verified boot was error correction.
852
00:36:47,520 –> 00:36:50,590
它是在 N 中被介绍的 它可以帮我们探测出
It was introduced with Android N. This gives us the ability
853
00:36:50,590 –> 00:36:54,760
位级错误 实际上是大量的位级错误
to detect bit level errors, and actually lots of bit level errors.
854
00:36:54,760 –> 00:36:57,760
实际上它们在内核层
And they actually get corrected at the time those blocks are
855
00:36:57,760 –> 00:37:00,290
被读取的时候就被纠正了
being read at the kernel level.
856
00:37:00,290 –> 00:37:03,430
所以 当你正用低端硬件处理问题时
And so, when you’re dealing with very low-end hardware,
857
00:37:03,430 –> 00:37:06,710
位级错误就是我们会遇到的问题了
bit level errors were a problem that we might run into.
858
00:37:06,710 –> 00:37:09,000
我们至少看到了一个实例
We’ve also seen at least one instance
859
00:37:09,000 –> 00:37:12,740
测试它们做出的改变
of testing where there were actually changes made
860
00:37:12,740 –> 00:37:15,740
在设备被 root 之后
that were– after a device had been rooted,
861
00:37:15,740 –> 00:37:17,349
通过增加 SU
there were changes made to allow it
862
00:37:17,349 –> 00:37:20,170
或是其他手段等等
to continue to be rooted by adding SU and a couple of other things.
863
00:37:20,170 –> 00:37:22,790
错误更正消除了这些改变
An error correction actually erased those changes.
864
00:37:22,790 –> 00:37:25,217
所以它们仍在那 但是你不能执行他们
So they were still there, but you couldn’t actually
865
00:37:25,217 –> 00:37:26,800
这很令人震惊吧
get them to execute, which is amazing.
866
00:37:26,800 –> 00:37:30,320
这是一次意外 但也足够让人兴奋
Totally an accident, but pretty exciting.
867
00:37:30,320 –> 00:37:33,470
我们开始留意到底有多少种检查
We’re beginning to see how those kinds of checks
868
00:37:33,470 –> 00:37:36,248
可以提高安全性 并且是在我们意料之外的
could actually improve security in more than the expected ways.
869
00:37:39,530 –> 00:37:42,720
verified boot 可以让开发者的你
Verified boot is part of making it easier for you
870
00:37:42,720 –> 00:37:44,480
更容易了解到你所运行的环境
as a developer to understand that you’re
871
00:37:44,480 –> 00:37:47,600
是一个非常安全的环境
running in an environment that is a strong secure environment.
872
00:37:47,600 –> 00:37:49,690
另一件
And so there’s one other thing that we
873
00:37:49,690 –> 00:37:52,320
我们要讨论的是 SafetyNet API
want to talk about in this context, which is the safety
874
00:37:52,320 –> 00:37:54,770
和补丁程序级别字符串
net API and patch level strings, which
875
00:37:54,770 –> 00:37:56,802
都是为了让开发者
are both mechanisms designed to make it easier
876
00:37:56,802 –> 00:37:58,260
更容易的弄明白
for you as an application developer
877
00:37:58,260 –> 00:38:01,310
什么是运行设备中的
to understand what is the security context of this device
878
00:38:01,310 –> 00:38:02,619
安全背景
that I’m running on?
879
00:38:02,619 –> 00:38:04,160
SafetyNet API
So the safety net API– I’ll give you
880
00:38:04,160 –> 00:38:07,090
我将用几秒钟的时间举一个示例代码
an example code in just a second– basically looks
881
00:38:07,090 –> 00:38:10,020
它基于设备的特性 而且适配到 Jelly Bean
at the device characteristics– and this goes back all the way
882
00:38:10,020 –> 00:38:15,070
来试着说明这是否是真实的设备
to Jelly Bean– and tries to understand whether this is a real device.
883
00:38:15,070 –> 00:38:17,990
它基于大量的硬件属性
It looks at a bunch of hardware characteristics,
884
00:38:17,990 –> 00:38:20,190
包括 GPU 是怎么工作的
including like how does the GPU work?
885
00:38:20,190 –> 00:38:21,910
GPU 的编号是什么
Not what is the GPU’s serial number?
886
00:38:21,910 –> 00:38:24,837
GPU 的执行操作是什么
Not what is– but performs operations on the GPU
887
00:38:24,837 –> 00:38:26,670
用于确保它是以一种
to make sure that it’s executing in a manner
888
00:38:26,670 –> 00:38:28,830
我们认为与
that we would expect to be consistent with a piece
889
00:38:28,830 –> 00:38:30,914
正在运行的操作系统的硬件
of hardware that matches this specification that’s
890
00:38:30,914 –> 00:38:33,760
相匹配的方式运行的
being provided by the operating system that’s running on top of it.
891
00:38:33,760 –> 00:38:35,740
所以我们收集了很多数据
So we aggregate a whole bunch of that,
892
00:38:35,740 –> 00:38:37,850
分析它们 然后反馈给你 yes
analyze that, and make a statement back to you
893
00:38:37,850 –> 00:38:40,225
这看起来像是一个
that yes, this looks like a real piece of hardware that’s
894
00:38:40,225 –> 00:38:43,190
运行某版本 Android 的兼容设备
running a version of Android that is a CTS compatible,
895
00:38:43,190 –> 00:38:45,894
由 OEM 检测 然后提交到 Google
tested by OEM, and then submitted to Google
896
00:38:45,894 –> 00:38:48,310
这样我们就能确定这是一个真实的硬件
so that we can confirm that it’s a real piece of hardware.
897
00:38:48,310 –> 00:38:50,102
因此 SafetyNet API 的
So that’s one of the goals of SafetyNet API
898
00:38:50,102 –> 00:38:52,900
一个目标就是让你对这个功能充满信心
is to make it possible for you to have that kind of confidence.
899
00:38:52,900 –> 00:38:54,608
另一个我们要介绍的是
And then another thing that we introduced
900
00:38:54,608 –> 00:38:56,980
Android 补丁程序级别字符串
was called the Android patch level string.
901
00:38:56,980 –> 00:39:00,500
补丁程序级别字符串非常非常的简单
The patch level string is really, really simple.
902
00:39:00,500 –> 00:39:02,900
你可以检测它 这样你就可以看到
You can check it, and you can see
903
00:39:02,900 –> 00:39:06,480
上次设备安全更新的时间
when is the last time this device got a security update?
904
00:39:06,480 –> 00:39:11,010
如果历史可以借鉴
If history is any guide, we’ve released now
905
00:39:11,010 –> 00:39:14,590
我们发布月度安全更新的次数已经有10次了
10 monthly security updates.
906
00:39:14,590 –> 00:39:16,590
如果这个字符串已经过期一个月了
If that string is more than a month out of date,
907
00:39:16,590 –> 00:39:19,160
那说明这个设备已经有安全问题了
there are publicly known security issues that affect that device.
908
00:39:19,160 –> 00:39:20,930
所以我们和设备制造商共同努力
So we’re working with OEMs and carriers
909
00:39:20,930 –> 00:39:23,430
确保升级推送能按时推送
to make sure that they’re able to deliver updates very, very quickly.
910
00:39:23,430 –> 00:39:25,510
但是作为应用开发者的你
But you as an application developer
911
00:39:25,510 –> 00:39:28,580
可能想评估
might want to look at that and evaluate
912
00:39:28,580 –> 00:39:30,800
你对具体设备的信任程度
how much trust you have in that particular device.
913
00:39:30,800 –> 00:39:32,400
尤其在企业的环境中
Especially in an enterprise context,
914
00:39:32,400 –> 00:39:34,734
我们看到越来越多的企业有类似这样的政策
we’re seeing more and more enterprises set policies that
915
00:39:34,734 –> 00:39:36,650
如果这个设备过期超过60天了
say things like, if this device is out of date
916
00:39:36,650 –> 00:39:39,780
那就不适合我的企业环境了
more than 60 days, it’s not appropriate for my enterprise environment.
917
00:39:39,780 –> 00:39:42,113
而且我们也想把这变得简单点
And we wanted to make that a really simple thing for you
918
00:39:42,113 –> 00:39:44,850
你不用安装一大批的热修复和补丁包
have to do so you don’t have a table of hot fixes and service
919
00:39:44,850 –> 00:39:47,530
来确保设备是安全的
packs to figure out whether a device is secure.
920
00:39:47,530 –> 00:39:50,790
如果这是在 KitKat 或是更高的版本 它有一个最近的安全补丁级别
If it’s on KitKat or above, and it has a recent security patch
921
00:39:50,790 –> 00:39:52,570
你就知道该升级了
level, you know it’s up to date.
922
00:39:52,570 –> 00:39:53,600
这是非常简便的
It’s pretty simple.
923
00:39:53,600 –> 00:39:57,684
正则表达式发挥了很大作用
Regular expressions help me to make that determination.
924
00:39:57,684 –> 00:40:00,620
让我们再用几秒钟谈论一下 SafetyNet
But let’s talk about SafetyNet for just a second.
925
00:40:00,620 –> 00:40:03,030
这不是一个由平台级别提供的 API
This is an API that’s not provided at the platform level.
926
00:40:03,030 –> 00:40:06,690
它是由 Google Play 服务提供的
It’s provided by a Google Play Services.
927
00:40:06,690 –> 00:40:08,460
相对来说比较直观
Relatively straightforward.
928
00:40:08,460 –> 00:40:09,590
你创建一个回调
You create a callback.
929
00:40:09,590 –> 00:40:10,440
你调用它
You invoke that.
930
00:40:10,440 –> 00:40:12,590
然后你拿到结果
And you get back the result. This is a result
931
00:40:12,590 –> 00:40:13,732
这就是要被签名的结果
that’s going to be signed.
932
00:40:13,732 –> 00:40:15,940
你想要看一下 SafetyNet 文件
You want to go to look at the SafetyNet documentation
933
00:40:15,940 –> 00:40:18,270
来确认 key 被签名成什么样了
to see what the key is that it’s been signed with.
934
00:40:18,270 –> 00:40:20,990
我们鼓励你做离线确认
We encourage you to do offline verification of this.
935
00:40:20,990 –> 00:40:23,210
然后你就在你的应用中接收到它了
So you receive it in the context of your application,
936
00:40:23,210 –> 00:40:25,090
之后你把它上传到服务器
but then you send it up to your server.
937
00:40:25,090 –> 00:40:26,690
然后服务器作出判断
And your server makes a determination
938
00:40:26,690 –> 00:40:29,640
判别这是否是从 Google 发来的
about whether this is a legitimate, signed statement
939
00:40:29,640 –> 00:40:30,896
合法的带签名陈述
that came back from Google.
940
00:40:30,896 –> 00:40:34,140
在带签名陈述中你要寻找什么呢
What are the things that you’re looking for in that signed statement?
941
00:40:34,140 –> 00:40:36,450
第一件事就是这是一个 nonce
The first is that there’s a nonce that
942
00:40:36,450 –> 00:40:39,480
它创建于服务器 下发到客户端
was created on your server, sent down to your client,
943
00:40:39,480 –> 00:40:40,780
再返回到服务器
comes back to your server.
944
00:40:40,780 –> 00:40:43,650
这和你递交的一样
And it’s the same as the nonce that you submitted.
945
00:40:43,650 –> 00:40:45,880
所以你想确保它确实经历了相同的过程
So you want to make sure that it actually went
946
00:40:45,880 –> 00:40:48,840
并且被 Google 签名了
through that same process and was signed by Google.
947
00:40:48,840 –> 00:40:51,580
然后它告诉你是不是有什么东西需要匹配 CTS
And then it tells you is this something that matches CTS?
948
00:40:51,580 –> 00:40:53,965
那么 是否匹配 CTS 呢
So, CTS profile match true or false?
949
00:40:53,965 –> 00:40:55,340
这将告诉你
That will give you a sense for is
950
00:40:55,340 –> 00:40:58,460
这是一个真实的硬件设备
this a device, a real hardware device, that
951
00:40:58,460 –> 00:41:01,390
已经经历了完整的 CTS 确认过程
has gone through the full CTS validation process
952
00:41:01,390 –> 00:41:03,220
并且正在以最初提交的
and is continuing to operate in the manner
953
00:41:03,220 –> 00:41:04,725
方式继续运行
that it was originally submitted.
954
00:41:04,725 –> 00:41:06,350
这是一群其他的环境
There’s a bunch of other context that’s
955
00:41:06,350 –> 00:41:09,710
你可以从中辨别这是不是你想要的
provided so you can validate that these are what you’re expecting.
956
00:41:09,710 –> 00:41:12,480
是不是你的应用给服务器提交的数据
Was it your app that sent up to the server?
957
00:41:12,480 –> 00:41:14,770
类似这样
Things like that.
958
00:41:14,770 –> 00:41:18,480
我最后想说的是沙盒
The last thing that I want to talk about is sandboxing.
959
00:41:18,480 –> 00:41:21,700
我们对 Android 中的沙盒寄予希望
Sandboxing is an area that we’ve been investing in in Android.
960
00:41:21,700 –> 00:41:23,742
每一次的发布都带来新的功能
With every release we introduce new capabilities.
961
00:41:23,742 –> 00:41:25,116
有一些事情
These are some of the things that
962
00:41:25,116 –> 00:41:27,240
在 Android M 和 N 中变化非常的大
have changed pretty significantly in Android M
963
00:41:27,240 –> 00:41:30,445
对 SELinux 有相当大的改进
and N. Significant improvements to SELinux, especially
964
00:41:30,445 –> 00:41:32,070
尤其是与驱动程序的交互
in the way that interacts with drivers.
965
00:41:32,070 –> 00:41:34,377
我们现在非常关心内核安全
We’re very concerned about kernel security right now.
966
00:41:34,377 –> 00:41:37,520
所以我们改变了使用 SELinux 的 ioctl 过滤方式
So we’ve made changes to the way ioctl’s are filtered with SELinux.
967
00:41:37,520 –> 00:41:43,160
Seccomp 同样考虑到
Seccomp, which also allows for filtering of interactions
968
00:41:43,160 –> 00:41:43,907
与内核的交互过滤
with the kernel.
969
00:41:43,907 –> 00:41:46,240
我将再多花一点时间谈论 Seccomp
Seccomp I’m going to I talk about more in just a moment.
970
00:41:46,240 –> 00:41:48,020
因为作为应用开发者的你
Because you, as an application developer,
971
00:41:48,020 –> 00:41:49,706
可以自己使用它
can actually use it yourself.
972
00:41:49,706 –> 00:41:51,580
这和 SELinux 有一点不同
Which is a little bit different from SELinux,
973
00:41:51,580 –> 00:41:54,410
我们所做的全都是直接适合你的配置
where we’ve done all the configuration for you directly.
974
00:41:54,410 –> 00:41:58,090
我们在 Android N 中用了两种工具使媒体服务器强化了很多
We’ve used those two tools to do a lot of mediaserver hardening
975
00:41:58,090 –> 00:42:01,780
而且我们同样也做了许多别的改变
in Android N. And then we’ve made a number of other changes
976
00:42:01,780 –> 00:42:06,430
为的是增强沙盒的健壮性
that we think increase the strength of the sandboxing.
977
00:42:06,430 –> 00:42:07,920
我们仅仅贴出了目录
We just put out a blog post.
978
00:42:07,920 –> 00:42:08,860
我知道它字很小
I know this is tiny.
979
00:42:08,860 –> 00:42:11,920
我也不认为你能阅读它
I don’t actually think you can read it.
980
00:42:11,920 –> 00:42:13,050
好吧 确实可以看到内容
It is actually readable.
981
00:42:13,050 –> 00:42:14,500
我不确定在投影仪上
All right, I wasn’t sure if it was even
982
00:42:14,500 –> 00:42:17,314
它能否显示清楚
going have enough pixels on the projector to be able to read it.
983
00:42:17,314 –> 00:42:18,730
我们贴出的目录
The blog post that we just put out
984
00:42:18,730 –> 00:42:21,680
描述了我们怎样使用这些性能
that describes how it is that we use some of these capabilities
985
00:42:21,680 –> 00:42:26,070
增强并拆解
to strengthen and really break down
986
00:42:26,070 –> 00:42:28,050
媒体服务器中的性能
the capabilities inside of mediaserver
987
00:42:28,050 –> 00:42:30,970
然后用 Seccomp 和 SELinux 把它们隔离起来
and isolate them using Seccomp and SELinux.
988
00:42:30,970 –> 00:42:34,310
所以如果一个区域出了问题 譬如说编码解码器
So that a compromise in one area, e.g. in the codec,
989
00:42:34,310 –> 00:42:36,420
在媒体服务器的环境中
doesn’t lead to a compromise in other areas
990
00:42:36,420 –> 00:42:37,700
不会导致在其他区域出问题
in the context of mediaserver.
991
00:42:37,700 –> 00:42:39,950
在你的应用中可以做同样的事情
But you can do the same thing inside your application.
992
00:42:39,950 –> 00:42:44,000
如果你有一个很复杂的金融业务
If you have a complex financial transaction that’s
993
00:42:44,000 –> 00:42:46,030
并且其中还有图像处理
based on image processing, you might
994
00:42:46,030 –> 00:42:48,152
你可能想把这两件事情分开
want to separate those two things apart.
995
00:42:48,152 –> 00:42:49,610
我不知道你为什么要这么做
I don’t know why you would do that.
996
00:42:49,610 –> 00:42:51,540
不过同时 这也有很多
But, at the same time, there are lots
997
00:42:51,540 –> 00:42:53,484
给信用卡拍照的应用
of apps that take pictures of credit cards
998
00:42:53,484 –> 00:42:55,150
之后试着处理信息
and then try to process that information
999
00:42:55,150 –> 00:42:56,830
然后支付
and then use that as a payment.
1000
00:42:56,830 –> 00:43:01,650
这是一个应用要做的事情
So it’s actually a thing that applications do do.
1001
00:43:01,650 –> 00:43:06,250
我们也把它广泛应用到了 Chrome 硬件中
We’ve also been using this pretty extensively to harden Chrome.
1002
00:43:06,250 –> 00:43:09,510
因为这里储存了你最敏感的凭据
Because that is something that stores your most sensitive
1003
00:43:09,510 –> 00:43:12,500
而且处理了很多
credentials and does a lot of processing of data
1004
00:43:12,500 –> 00:43:14,090
从互联网来的数据
that comes from the Internet.
1005
00:43:14,090 –> 00:43:16,040
在浏览器中这两件事
It’s ironic how close those two things
1006
00:43:16,040 –> 00:43:17,546
是非常紧密的
are in the context of a web browser.
1007
00:43:17,546 –> 00:43:19,920
所以这类平台级的性能很重要
So it’s really important that these kinds of capabilities
1008
00:43:19,920 –> 00:43:21,690
为的是
exist at the platform level to make
1009
00:43:21,690 –> 00:43:25,780
能够让应用更加健壮
it easy for that application to harden itself.
1010
00:43:25,780 –> 00:43:30,000
这是用 Seccomp 的一个范例
Here’s a sample of what it looks like to use Seccomp.
1011
00:43:30,000 –> 00:43:32,500
我们在媒体服务器的环境中开发了一个库
we actually created a library in the context of mediaserver.
1012
00:43:32,500 –> 00:43:33,958
所以如果你想深挖 Android 开源项目的话
So if you would dig around in AOSP,
1013
00:43:33,958 –> 00:43:37,800
你可能会发现一个叫 Mini Jail 的东西
you’ll be able to find something that’s called Mini Jail.
1014
00:43:37,800 –> 00:43:42,080
它讲述如何放置过滤器
And it describes how we set specific filters
1015
00:43:42,080 –> 00:43:46,030
来限制 Seccomp 中的
to limit the set of capabilities that each
1016
00:43:46,030 –> 00:43:48,170
或是硬件角度上的媒体服务器中的
of the different elements inside of Seccomp
1017
00:43:48,170 –> 00:43:52,645
每一个不同元素的性能
or inside of mediaserver have access to from hardware standpoint.
1018
00:43:52,645 –> 00:43:54,520
我们还做了很多别的事情
There are a bunch of other changes that we’ve
1019
00:43:54,520 –> 00:43:57,800
比如说让设备更难被破解
made as well, that make it more difficult for a device
1020
00:43:57,800 –> 00:43:59,400
以及其他我们谈论
to be compromised, things that we
1021
00:43:59,400 –> 00:44:02,859
关于沙盒强化时的一些想法
think about when we’re talking about hardening of sandbox.
1022
00:44:02,859 –> 00:44:04,650
它们也可能会对你的应用产生影响
They may have effects on your applications.
1023
00:44:04,650 –> 00:44:07,890
我也鼓励你看看那些
So I would encourage you to take a look at those
1024
00:44:07,890 –> 00:44:10,300
将要到来的改变
and be conscious that these changes are coming.
1025
00:44:10,300 –> 00:44:14,130
在这里也同样发生很多改变
So there are a couple of these changes here.
1026
00:44:14,130 –> 00:44:16,120
这是两个其他的 API
There are two other APIs that we’ve also
1027
00:44:16,120 –> 00:44:20,780
是关于抑制权限的
been very actively looking at to restrain the capabilities.
1028
00:44:20,780 –> 00:44:23,970
因为它们与滥用权限有关
Because they’ve been associated with abuse, basically.
1029
00:44:23,970 –> 00:44:27,150
我们给了设备管理很多权力
We gave a lot of power to device administrators.
1030
00:44:27,150 –> 00:44:29,224
比如说用户正在和
And it happens that that same power
1031
00:44:29,224 –> 00:44:31,140
他们的设备交互
to manage the way that the user is interacting
1032
00:44:31,140 –> 00:44:33,362
用勒索软件
with their device can be used to harm them
1033
00:44:33,362 –> 00:44:34,570
损害用户的利益
in the context of ransomware.
1034
00:44:34,570 –> 00:44:36,697
你改变了用户的密码然后说
You change the user’s password and then you say,
1035
00:44:36,697 –> 00:44:38,780
除非你付我钱否则我是不会让你登录回设备的
I’m not going to let you log back into your device
1036
00:44:38,780 –> 00:44:41,590
这是勒索软件的
until you pay me, is sort of the most fundamental way
1037
00:44:41,590 –> 00:44:42,922
常用做法
that ransomware can work.
1038
00:44:42,922 –> 00:44:45,796
所以我们做出了一些改变
And so we’re making changes to make it more difficult for applications
1039
00:44:45,796 –> 00:44:48,330
让这种应用不那么容易的能够访问这些API
to access those APIs.
1040
00:44:48,330 –> 00:44:49,850
同时我们也限制了
And then we’ve also limited the way
1041
00:44:49,850 –> 00:44:51,750
应用通过系统警告窗口
that applications can overlay content
1042
00:44:51,750 –> 00:44:55,230
覆盖在另一个应用上的方式
onto another application through system alert windows.
1043
00:44:55,230 –> 00:44:58,164
这也是我们强化了的地方
So that’s an area that we’ve been hardening as well.
1044
00:44:58,164 –> 00:45:00,580
抱歉两分钟的提问时间已经没有了
I lied when I said I would have two minutes for questions.
1045
00:45:00,580 –> 00:45:03,080
时钟告诉我还有五秒钟
The clock now says five seconds.
1046
00:45:03,080 –> 00:45:06,130
不过我们试着覆盖了所有的要点
But we managed to cover all of these key elements.
1047
00:45:06,130 –> 00:45:08,440
我不想在这多讲其他的了
I did want to leave you with a couple of pointers
1048
00:45:08,440 –> 00:45:10,690
以免你们陷入
to some additional information that you
1049
00:45:10,690 –> 00:45:14,250
过多的细节中
can look at to try to get into some more of the details here.
1050
00:45:14,250 –> 00:45:17,947
我将出去逛逛并乐于解答
And I will hang out outside and happy to answer any questions
1051
00:45:17,947 –> 00:45:18,780
你提出的所有问题
that you might have.
1052
00:45:18,780 –> 00:45:19,613
非常感谢
Thank you very much.
1053
00:45:19,613 –> 00:45:20,990
享受今天吧
Enjoy the rest of your day.
1054
00:45:20,990 –> 00:45:28,180
[MUSIC PLAYING]
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- What is the purpose of @SmallTest, @MediumTest, and @LargeTest annotations in Android?
- Error: Flag android.useDeprecatedNdk is no longer supported and will be removed in the next version
- what is new in c sharp 2.0--study from msdn [转]
- Mixed mode assembly is built against version 'v2.0.50727' of the runtime and cannot be loaded in the 4.0 runtime without additio
- What is Local Index and Global Index in Partition Table? What is Prefix Index and Nonprefix Index in table?
- What is Thin Provision and Thin Reclamation in Storage Industry
- New replication features in SQL Server 2008 and what they mean to you
- Drag and Drop: New Data Transfer Capabilities in the JavaTM 2 Platform, Standard Edition (J2SETM), version 1.4
- Overview and What’s New in SAP BusinessObjects EPM 10.0(主要是关于SAP BPC 10.0)
- what is overloading and overidding in C++
- Learn To Save and Load External Images in Google Android
- What's New in the .NET Framework Version 4
- What's New in the C# 3.0 Language and Compiler
- What is difference between And and Andalso in VB.net ?
- Know Your Android Bootloader—What it is and Why it Matters
- macro与inline的区别 What is the difference between macro and inline?
- What is new and important info you can get from JavaOne 2007
- [转贴]What is Google Binary Search and Should We Fear it?
- Some Friends asked me : what is DiffGram in ado.net , here is answer and sample , enjoy it
- What Is Bootloader And How To Unlock Bootloader On Android Phones