What is new in Android security (M and N Version) - Google I/O 2016: Translation

Date: 2021-02-09 17:04:54

As of posting, the subtitles are still in post-production; they should be ready soon.
YouTube video link: https://www.youtube.com/watch?v=XZzLjllizYs

Subtitle translation:
1
00:00:01,820 --> 00:00:04,920
They pointed at me and the clock started moving.

2
00:00:04,920 --> 00:00:08,640
We have 44 minutes and 56 seconds to talk about security.

3
00:00:08,640 --> 00:00:10,090
Good morning.

4
00:00:10,090 --> 00:00:12,270
It’s 9:00 AM.

5
00:00:12,270 --> 00:00:14,580
I caught the bus down from San Francisco at 6:00 AM

6
00:00:14,580 --> 00:00:17,160
this morning to clean up some last little details

7
00:00:17,160 --> 00:00:18,890
of my slides on the bus.

8
00:00:18,890 --> 00:00:22,040
Did everybody find coffee and breakfast?

9
00:00:22,040 --> 00:00:23,420
If not, go find it.

10
00:00:23,420 --> 00:00:24,110
Come back.

11
00:00:24,110 --> 00:00:26,380
We’ll be here for a little bit.

12
00:00:26,380 --> 00:00:28,560
My name is Adrian Ludwig.

13
00:00:28,560 --> 00:00:30,730
I head up the Android Security team

14
00:00:30,730 --> 00:00:34,539
here at Google, or at least three blocks over that way at Google.

15
00:00:34,539 --> 00:00:38,310
We’re responsible for the security of the Android platform.

16
00:00:38,310 --> 00:00:41,190
The platform is a broad, diverse, growing kind

17
00:00:41,190 --> 00:00:43,390
of incredible thing, as many of you know.

18
00:00:43,390 --> 00:00:50,070
So the scope of what we do is also broad, diverse, and growing.

19
00:00:50,070 --> 00:00:52,580
You saw a couple things that were mentioned yesterday

20
00:00:52,580 --> 00:00:56,260
in the keynote that are new features that were introduced

21
00:00:56,260 --> 00:00:58,340
in Android N that we’ve been working

22
00:00:58,340 --> 00:01:00,500
with the rest of the Android team to enable,

23
00:01:00,500 --> 00:01:02,440
things like File Based Encryption,

24
00:01:02,440 --> 00:01:04,640
Media Server Hardening, and Automatic Updates.

25
00:01:04,640 --> 00:01:06,570
These are some of the core changes that

26
00:01:06,570 --> 00:01:11,580
have been introduced in Android N. Those of course

27
00:01:11,580 --> 00:01:17,010
build on a security model that extends deep into the platform.

28
00:01:17,010 --> 00:01:19,160
It’s not just a feature here, a feature there.

29
00:01:19,160 --> 00:01:22,090
It’s about how we have segmented applications.

30
00:01:22,090 --> 00:01:24,430
How we have isolated capabilities

31
00:01:24,430 --> 00:01:26,630
in the platform and the underlying technologies

32
00:01:26,630 --> 00:01:29,540
that we’re using to deliver those security features.

33
00:01:29,540 --> 00:01:34,410
It’s not limited just to Android itself though.

34
00:01:34,410 --> 00:01:37,060
The work that we do in securing the Android operating

35
00:01:37,060 --> 00:01:39,660
system, the Android platform, and the Android ecosystem

36
00:01:39,660 --> 00:01:42,140
extends to a broad range of applications

37
00:01:42,140 --> 00:01:46,210
that we deliver that we talk about as the Google Security Services.

38
00:01:46,210 --> 00:01:49,290
Those also got a very brief mention yesterday

39
00:01:49,290 --> 00:01:51,570
in the keynote that I wanted to flag,

40
00:01:51,570 --> 00:01:56,650
which is that at present we’re doing over a billion scans per day.

41
00:01:56,650 --> 00:01:58,605
We say checks, because non-security people are

42
00:01:58,605 --> 00:02:01,530
more comfortable with the idea of doing a checkup than doing a scan.

43
00:02:01,530 --> 00:02:04,300
But what we’re doing is looking at security characteristics

44
00:02:04,300 --> 00:02:06,300
on the devices that are out there in the world

45
00:02:06,300 --> 00:02:08,206
to make sure that we’re keeping them safe.

46
00:02:08,206 --> 00:02:09,580
One of the things that we look at

47
00:02:09,580 --> 00:02:12,660
is the number, the broad range of applications that have been

48
00:02:12,660 --> 00:02:13,910
installed on these devices.

49
00:02:13,910 --> 00:02:16,530
So we check over 8 billion applications

50
00:02:16,530 --> 00:02:19,770
every single day, to give you a sense of the overall scope.

51
00:02:19,770 --> 00:02:23,000
One of the things that Dave wasn’t able to get into

52
00:02:23,000 --> 00:02:26,550
was what exactly these things mean.

53
00:02:26,550 --> 00:02:28,740
About three or four weeks ago we published

54
00:02:28,740 --> 00:02:32,250
something called the “Annual Security Year in Review,” where

55
00:02:32,250 --> 00:02:34,170
we went into a lot of the work that we’ve

56
00:02:34,170 --> 00:02:36,910
been doing investing in these security services,

57
00:02:36,910 --> 00:02:40,520
making them more capable, using the technology

58
00:02:40,520 --> 00:02:43,540
that Google has in our back end to deliver

59
00:02:43,540 --> 00:02:46,062
more and more sophisticated analysis of applications,

60
00:02:46,062 --> 00:02:47,770
more and more sophisticated understanding

61
00:02:47,770 --> 00:02:50,090
of what it is that’s going on in the Android ecosystem

62
00:02:50,090 --> 00:02:52,890
so that we can better protect users.

63
00:02:52,890 --> 00:02:55,650
That 50-page document included this diagram.

64
00:02:55,650 --> 00:02:57,850
I’m not going to go into a lot of detail here.

65
00:02:57,850 --> 00:03:04,070
But I wanted to emphasize that the vast majority of our focus

66
00:03:04,070 --> 00:03:06,530
is on everything that we can do to protect users.

67
00:03:06,530 --> 00:03:10,630
So that ranges from hardware updates and hardware security,

68
00:03:10,630 --> 00:03:13,320
to platform updates and platform security features,

69
00:03:13,320 --> 00:03:14,872
to services as well.

70
00:03:14,872 --> 00:03:16,830
And we’re investing at every layer in the stack

71
00:03:16,830 --> 00:03:19,380
to try to protect users as best we can.

72
00:03:19,380 --> 00:03:23,000
Now for today, I’m going to hone in on a handful

73
00:03:23,000 --> 00:03:25,010
of specific new capabilities that

74
00:03:25,010 --> 00:03:29,170
were introduced in Android M and Android N. M

75
00:03:29,170 --> 00:03:31,760
because, let’s be realistic.

76
00:03:31,760 --> 00:03:34,170
It hasn’t gotten to a point where it has broad-based adoption.

77
00:03:34,170 --> 00:03:35,700
So it’s not terribly surprising if you

78
00:03:35,700 --> 00:03:37,070
haven’t been spending a lot of time thinking

79
00:03:37,070 --> 00:03:39,070
about how to take advantage of the features that

80
00:03:39,070 --> 00:03:41,950
were introduced in M. And Android N because that’s the new hotness.

81
00:03:41,950 --> 00:03:44,970
Or at least it will be as soon as it begins to roll out

82
00:03:44,970 --> 00:03:47,930
a couple of months from now.

83
00:03:47,930 --> 00:03:51,540
So I wanted to emphasize though that this is just

84
00:03:51,540 --> 00:03:55,485
part of the overall sort of set of capabilities that we have.

85
00:03:55,485 --> 00:03:57,610
We want to build things for application developers.

86
00:03:57,610 --> 00:03:59,184
We want to build things for users.

87
00:03:59,184 --> 00:04:01,100
And we want to build things for device makers.

88
00:04:01,100 --> 00:04:04,569
I think on the main stage, the focus was on users.

89
00:04:04,569 --> 00:04:06,110
Elsewhere in the world we spend a lot

90
00:04:06,110 --> 00:04:07,790
of time talking about device makers.

91
00:04:07,790 --> 00:04:09,170
But today, we’re going to talk about what

92
00:04:09,170 --> 00:04:10,628
are the new things that we’re doing

93
00:04:10,628 --> 00:04:12,530
to make your life as an application developer

94
00:04:12,530 --> 00:04:15,478
better on Android M and N.

95
00:04:15,478 --> 00:04:17,760
So these are some of the key features that I’m going to talk about.

96
00:04:17,760 --> 00:04:19,222
There are seven of them up here.

97
00:04:19,222 --> 00:04:21,180
I’m just going to walk through them one by one.

98
00:04:21,180 --> 00:04:24,174
We’ll talk about what it is that was introduced,

99
00:04:24,174 --> 00:04:26,590
take a look at some source code so that you can understand

100
00:04:26,590 --> 00:04:28,440
how you might incorporate it into your application

101
00:04:28,440 --> 00:04:29,800
and your development experience.

102
00:04:29,800 --> 00:04:31,360
And then talk about some of the best practices

103
00:04:31,360 --> 00:04:32,710
that we’ve been thinking about for how

104
00:04:32,710 --> 00:04:34,440
we think it is that you’d want to be incorporating

105
00:04:34,440 --> 00:04:36,940
these new technologies into your application development.

106
00:04:36,940 --> 00:04:37,440
Right?

107
00:04:37,440 --> 00:04:38,450
Pretty straightforward.

108
00:04:38,450 --> 00:04:41,450
Boom, boom, boom, move to the next one, boom, boom, boom.

109
00:04:41,450 --> 00:04:44,225
No fancy diagrams, just a little bit of code here and there.

110
00:04:44,225 --> 00:04:47,315
So permissions is the first thing we’re going to talk about.

111
00:04:47,315 --> 00:04:50,400
You may remember, or you may know,

112
00:04:50,400 --> 00:04:53,020
if you’re running on Android M right now on a Nexus device

113
00:04:53,020 --> 00:04:55,480
or one of the other devices that’s started to receive it,

114
00:04:55,480 --> 00:04:58,310
that one of the major changes in the user experience that

115
00:04:58,310 --> 00:05:02,270
was introduced with Marshmallow was runtime permissions,

116
00:05:02,270 --> 00:05:05,500
the idea that an application can defer

117
00:05:05,500 --> 00:05:09,920
requesting the use of permissions until it really needs them.

118
00:05:09,920 --> 00:05:11,445
And that the user has the ability

119
00:05:11,445 --> 00:05:13,040
to decide whether the application gets

120
00:05:13,040 --> 00:05:15,340
that specific permission or not.

121
00:05:15,340 --> 00:05:18,374
Really a fundamental change in the way that applications

122
00:05:18,374 --> 00:05:20,790
are going to request access to more sensitive capabilities

123
00:05:20,790 --> 00:05:22,632
on the device introduced with Marshmallow.

124
00:05:25,530 --> 00:05:27,500
From an application developer’s standpoint,

125
00:05:27,500 --> 00:05:29,680
it’s a really powerful thing for you to think about.

126
00:05:29,680 --> 00:05:32,080
It gives you the ability to simplify the installation

127
00:05:32,080 --> 00:05:33,334
process for your application.

128
00:05:33,334 --> 00:05:36,460
Because you don’t have to request all of those permissions up front.

129
00:05:36,460 --> 00:05:39,030
It gives you the ability to upgrade

130
00:05:39,030 --> 00:05:42,410
without having the user have to confirm that that upgrade is

131
00:05:42,410 --> 00:05:45,720
necessary for applications being delivered through, for example,

132
00:05:45,720 --> 00:05:46,830
through Google Play.

133
00:05:46,830 --> 00:05:49,090
Because there’s no increase in the capabilities

134
00:05:49,090 --> 00:05:50,870
of the application in the security model.

135
00:05:50,870 --> 00:05:53,010
And so there’s no need for the user to affirm that.

136
00:05:53,010 --> 00:05:54,850
So this can really accelerate the rate

137
00:05:54,850 --> 00:05:56,766
at which your applications are being upgraded,

138
00:05:56,766 --> 00:06:00,590
if you take advantage of runtime permissions on these newer platforms.

139
00:06:00,590 --> 00:06:03,264
And from my perspective, when I think about security,

140
00:06:03,264 --> 00:06:05,180
one of the things I worry about is making sure

141
00:06:05,180 --> 00:06:07,490
that users understand what it is that’s going on.

142
00:06:07,490 --> 00:06:10,250
And we found that runtime permissions are fundamentally

143
00:06:10,250 --> 00:06:12,172
more understandable for users.

144
00:06:12,172 --> 00:06:13,630
They give the application developer

145
00:06:13,630 --> 00:06:16,340
the ability to provide context, and the user

146
00:06:16,340 --> 00:06:18,539
to understand how that capability is

147
00:06:18,539 --> 00:06:22,800
going to be associated with the application that they’re employing.

148
00:06:22,800 --> 00:06:24,550
So what does it look like?

149
00:06:24,550 --> 00:06:26,342
It’s pretty straightforward.

150
00:06:26,342 --> 00:06:29,216
The first thing that you want to do in the context of your application

151
00:06:29,216 --> 00:06:33,250
is invoke the local environment and check self permission.

152
00:06:33,250 --> 00:06:36,890
Do I already have this permission?

153
00:06:36,890 --> 00:06:39,090
If you don’t, then you want to explain,

154
00:06:39,090 --> 00:06:40,815
probably provide some context to the user

155
00:06:40,815 --> 00:06:43,010
about why it is that you’re going to request that permission.

156
00:06:43,010 --> 00:06:45,640
In this particular instance it’s the use of read contacts.

157
00:06:45,640 --> 00:06:47,390
So you might say, I want to send an email.

158
00:06:47,390 --> 00:06:48,973
And it would be really nice if I could

159
00:06:48,973 --> 00:06:52,120
see who you’re already friends with inside your contact

160
00:06:52,120 --> 00:06:54,740
environment, or make a call, or any number

161
00:06:54,740 --> 00:06:57,620
of other types of functionality it might want to expose.

162
00:06:57,620 --> 00:06:59,934
If you do not have the capability already,

163
00:06:59,934 --> 00:07:01,600
then you’re going to need to request it.

164
00:07:01,600 --> 00:07:04,200
And there’s a simple API, “Request Permission.”

165
00:07:04,200 --> 00:07:06,520
And you can go ahead and make that request.

166
00:07:06,520 --> 00:07:10,267
And at that point, you now have that permission, or not.

167
00:07:10,267 --> 00:07:12,600
Let’s talk a little bit about some of the best practices

168
00:07:12,600 --> 00:07:14,774
to make sure that you actually get that permission.

169
00:07:14,774 --> 00:07:17,190
Because that’s one of the things that people are concerned

170
00:07:17,190 --> 00:07:21,290
about with runtime permissions is that they maybe don’t always

171
00:07:21,290 --> 00:07:22,012
say yes.

172
00:07:22,012 --> 00:07:24,886
So you’re going to need to consider in the context of your application

173
00:07:24,886 --> 00:07:27,415
that the user might say no.

174
00:07:27,415 --> 00:07:28,790
And you’re going to want to think

175
00:07:28,790 --> 00:07:31,350
about how it is that you can increase the likelihood

176
00:07:31,350 --> 00:07:32,730
that the user will say yes.

177
00:07:32,730 --> 00:07:35,977
So one of the things that we did is provide some design guidelines.

178
00:07:35,977 --> 00:07:37,060
Those have been published.

179
00:07:37,060 --> 00:07:40,270
You can find them up on developer.android.com

180
00:07:40,270 --> 00:07:42,686
that describe some of the best practices.

181
00:07:42,686 --> 00:07:45,740
One of the most important ones is to provide some context for why it

182
00:07:45,740 --> 00:07:47,230
is that you’re going to do it.

183
00:07:47,230 --> 00:07:50,214
So for example, in the case of SMS,

184
00:07:50,214 --> 00:07:51,880
in the case of the Hangouts application,

185
00:07:51,880 --> 00:07:53,310
explaining hey, if you want to receive

186
00:07:53,310 --> 00:07:54,900
SMS in the context of this application,

187
00:07:54,900 --> 00:07:56,608
we’re going to need to have access to it.

188
00:07:56,608 --> 00:07:58,152
And I’m going to request it now, then

189
00:07:58,152 --> 00:08:00,610
makes it possible for you to request it and really increase

190
00:08:00,610 --> 00:08:03,800
the rate at which users say, OK, makes sense to me.

191
00:08:03,800 --> 00:08:05,460
Go ahead and grant it.

192
00:08:05,460 --> 00:08:07,350
Within the context of Google applications,

193
00:08:07,350 --> 00:08:11,220
we found that about 85% of the time users do say yes.

194
00:08:11,220 --> 00:08:13,550
That’s better than the average that we’ve

195
00:08:13,550 --> 00:08:16,400
seen for other applications that are sort of broadly distributed

196
00:08:16,400 --> 00:08:17,810
on the Android platform.

197
00:08:17,810 --> 00:08:20,750
Just to give you some examples of how much better it is,

198
00:08:20,750 --> 00:08:25,180
about 15.8% of the time when we prompt a user, they say no.

199
00:08:25,180 --> 00:08:27,970
That’s about 40% lower.

200
00:08:27,970 --> 00:08:30,900
So for other applications, the failure rate on that request

201
00:08:30,900 --> 00:08:33,080
is going to be about 20% to 25%.

202
00:08:33,080 --> 00:08:35,520
So about 40% difference between those.

203
00:08:35,520 --> 00:08:39,940
If you ask too many times and the user says no repeatedly,

204
00:08:39,940 --> 00:08:42,870
eventually, after I think three times,

205
00:08:42,870 --> 00:08:46,490
the user has the option to say stop asking me.

206
00:08:46,490 --> 00:08:48,289
And so we found that the stop asking me,

207
00:08:48,289 --> 00:08:51,470
don’t ever ask me again rate for Google applications is about 3%.

208
00:08:51,470 --> 00:08:53,324
So effectively we prompt a couple of times

209
00:08:53,324 --> 00:08:54,740
in order to get to the point where

210
00:08:54,740 --> 00:08:56,614
the user is comfortable with the application.

211
00:08:56,614 --> 00:08:59,490
And we find about 97% of the time users

212
00:08:59,490 --> 00:09:02,360
accept the permission ask that we’re making.

213
00:09:02,360 --> 00:09:05,209
So those are the best practices that you want to think about.

214
00:09:05,209 --> 00:09:06,750
There’s another capability that we’ve

215
00:09:06,750 --> 00:09:08,530
been expanding dramatically, which

216
00:09:08,530 --> 00:09:12,060
is a protection of key material, cryptographic keys

217
00:09:12,060 --> 00:09:13,220
specifically on Android.

218
00:09:13,220 --> 00:09:16,340
So we’ll talk about the Android Keystore.

219
00:09:16,340 --> 00:09:18,990
The Keystore leverages hardware that

220
00:09:18,990 --> 00:09:22,545
exists on the vast majority of Android devices.

221
00:09:22,545 --> 00:09:25,170
As a security practitioner, it’s always been really interesting

222
00:09:25,170 --> 00:09:28,750
to me that most devices, literally about 80% to 90%

223
00:09:28,750 --> 00:09:31,230
of devices have something called TrustZone on them.

224
00:09:31,230 --> 00:09:33,170
They have a TEE that’s been put in place.

225
00:09:33,170 --> 00:09:37,300
It was there to enable access to DRM protected content.

226
00:09:37,300 --> 00:09:39,410
What we’ve been doing over the last several years

227
00:09:39,410 --> 00:09:41,626
is making that available to you as an application

228
00:09:41,626 --> 00:09:43,250
developer as a means for you to protect

229
00:09:43,250 --> 00:09:46,660
the most sensitive capabilities and keys in your device.

230
00:09:46,660 --> 00:09:52,000
So starting in jb-mr2.

231
00:09:52,000 --> 00:09:55,140
So almost four years ago, we began implementing API

232
00:09:55,140 --> 00:09:56,830
after API after API.

233
00:09:56,830 --> 00:10:02,820
As of Android L, the ability to use RSA, elliptic curve DSA,

234
00:10:02,820 --> 00:10:07,620
so ECDSA, symmetric algorithms like AES, and then also HMAC,

235
00:10:07,620 --> 00:10:10,820
where those keys are held inside of TrustZone and cannot be

236
00:10:10,820 --> 00:10:13,900
exposed to the kernel or to anybody else on the device is

237
00:10:13,900 --> 00:10:18,630
one of the core capabilities that we’ve enabled.

238
00:10:18,630 --> 00:10:20,540
One of the really important things to do

239
00:10:20,540 --> 00:10:22,720
is to transition from it being on most devices

240
00:10:22,720 --> 00:10:23,900
to being on all devices.

241
00:10:23,900 --> 00:10:27,340
So this became required as of the Android N release.

242
00:10:27,340 --> 00:10:29,230
So we’re going to see, from here on out,

243
00:10:29,230 --> 00:10:32,150
all new devices are going to definitely have it on board.

244
00:10:32,150 --> 00:10:33,812
As it is right now, the vast majority

245
00:10:33,812 --> 00:10:38,620
of higher end and mid-range devices already have Keystore in place.

246
00:10:38,620 --> 00:10:42,490
So one of the new features that was introduced with Android N

247
00:10:42,490 --> 00:10:44,280
was what we call attestation.

248
00:10:44,280 --> 00:10:47,020
What we do with attestation is bake a key

249
00:10:47,020 --> 00:10:49,857
into the firmware inside of TrustZone.

250
00:10:49,857 --> 00:10:51,940
So it is possible for you to validate that this is

251
00:10:51,940 --> 00:10:53,231
a legitimate piece of hardware.

252
00:10:53,231 --> 00:10:55,580
And you can check that by creating a key

253
00:10:55,580 --> 00:10:57,700
and then checking the cert chain to tie it

254
00:10:57,700 --> 00:11:00,510
back to a piece of hardware that’s gone through CTS testing.

255
00:11:00,510 --> 00:11:02,260
And I’ll sort of talk through how

256
00:11:02,260 --> 00:11:04,444
it is that you can do that in just a second.

257
00:11:04,444 --> 00:11:06,860
So here’s an example of what that looks like from a source

258
00:11:06,860 --> 00:11:08,370
code standpoint.

259
00:11:08,370 --> 00:11:09,350
What do you need to do?

260
00:11:09,350 --> 00:11:12,490
Well, you can start off by creating a key pair.

261
00:11:12,490 --> 00:11:16,050
So you create an instance of Android Keystore.

262
00:11:16,050 --> 00:11:18,760
In this instance, we’re using elliptic curves,

263
00:11:18,760 --> 00:11:21,120
so you specify that to your algorithm.

264
00:11:21,120 --> 00:11:23,410
One of the more interesting new capabilities

265
00:11:23,410 --> 00:11:25,440
that was introduced actually in Android M

266
00:11:25,440 --> 00:11:27,240
was the ability to say this key can only

267
00:11:27,240 --> 00:11:31,069
be used if the user has recently authenticated.

268
00:11:31,069 --> 00:11:32,860
I’ll talk more about that in just a second.

269
00:11:32,860 --> 00:11:34,710
But that’s a really powerful statement that you can make.

270
00:11:34,710 --> 00:11:36,640
So that you know that there’s a real user that’s

271
00:11:36,640 --> 00:11:38,431
been interacting with the device right now.

272
00:11:38,431 --> 00:11:40,950
And that’s been validated inside of TrustZone.

273
00:11:40,950 --> 00:11:42,745
So you can protect your keys.

274
00:11:42,745 --> 00:11:44,370
And then the last thing that you can do

275
00:11:44,370 --> 00:11:46,867
is you can actually get the certificate chain associated

276
00:11:46,867 --> 00:11:47,450
with that key.

277
00:11:47,450 --> 00:11:52,370
So that key is one that has been bound to a particular device.

278
00:11:52,370 --> 00:11:54,452
And it can’t move to some other device.

279
00:11:54,452 --> 00:11:56,910
Then you can actually confirm by looking at the certificate

280
00:11:56,910 --> 00:12:00,450
chain that it’s a device that legitimately went through CTS testing.

281
00:12:00,450 --> 00:12:02,790
It’s gone through that kind of validation.

282
00:12:02,790 --> 00:12:06,740
So I think this type of capability is really important for enhancing

283
00:12:06,740 --> 00:12:09,240
the trust in those devices that have gone through the Google

284
00:12:09,240 --> 00:12:14,260
validation process and are valid, Android tested devices.

285
00:12:14,260 --> 00:12:18,522
So some best practices, think for a moment

286
00:12:18,522 --> 00:12:20,730
whether there’s a case for you to be using encryption

287
00:12:20,730 --> 00:12:22,840
in the context of your application.

288
00:12:22,840 --> 00:12:25,340
And if so, then Keystore is a great place for you

289
00:12:25,340 --> 00:12:27,380
to be storing those keys.

290
00:12:27,380 --> 00:12:28,170
It’s available.

291
00:12:28,170 --> 00:12:29,850
It’s very straightforward.

292
00:12:29,850 --> 00:12:32,060
And it has the advantage of the key

293
00:12:32,060 --> 00:12:34,560
not being exposed in the event of compromise of other things

294
00:12:34,560 --> 00:12:36,300
on the device.

295
00:12:36,300 --> 00:12:39,590
You can also use the key, starting with Android N,

296
00:12:39,590 --> 00:12:42,100
as a mechanism to validate that this is a legitimate Android

297
00:12:42,100 --> 00:12:47,270
device and not one that’s been created outside the compatibility.

298
00:12:47,270 --> 00:12:48,766
And so that gives you the ability

299
00:12:48,766 --> 00:12:50,390
to do further validation of the device.

300
00:12:53,140 --> 00:12:54,600
I hinted at authentication.

301
00:12:54,600 --> 00:12:56,190
So let’s talk a little bit about some of the changes

302
00:12:56,190 --> 00:12:58,023
that have gone into authentication recently.

303
00:13:00,872 --> 00:13:02,580
So there’s two different goals that we’re

304
00:13:02,580 --> 00:13:06,530
striving for as we’re enhancing authentication.

305
00:13:06,530 --> 00:13:12,370
The first one is, well, let’s be frank,

306
00:13:12,370 --> 00:13:14,590
users don’t like authenticating.

307
00:13:14,590 --> 00:13:17,372
It’s annoying.

308
00:13:17,372 --> 00:13:18,580
I want to take out my device.

309
00:13:18,580 --> 00:13:20,000
And I want to use it immediately.

310
00:13:20,000 --> 00:13:21,900
And I want to have access to my information.

311
00:13:21,900 --> 00:13:24,170
And so when we began looking into why

312
00:13:24,170 --> 00:13:26,654
it is that users didn’t have lock screens on their device.

313
00:13:26,654 --> 00:13:28,070
And why they didn’t use what seems

314
00:13:28,070 --> 00:13:31,680
to be the most fundamental security protection,

315
00:13:31,680 --> 00:13:34,830
the answer is, it just comes up too often.

316
00:13:34,830 --> 00:13:37,770
And almost half of Android users have

317
00:13:37,770 --> 00:13:40,330
decided that they don’t want a secure lock screen.

318
00:13:40,330 --> 00:13:42,220
So one of the things that we’re trying to do

319
00:13:42,220 --> 00:13:44,410
is find ways to encourage that.

320
00:13:44,410 --> 00:13:48,011
Because if we get to a point where the logging in mechanism

321
00:13:48,011 --> 00:13:50,010
is trustworthy, where authentication of the user

322
00:13:50,010 --> 00:13:51,340
at the time they start interacting with the device,

323
00:13:51,340 --> 00:13:52,850
then you can do a lot more and be

324
00:13:52,850 --> 00:13:55,255
a lot more flexible in the set of applications that you can provide.

325
00:13:55,255 --> 00:13:57,440
So Android Pay is a good example where,

326
00:13:57,440 --> 00:14:01,410
because users are authenticated, they can have access to Android Pay.

327
00:14:01,410 --> 00:14:05,300
So we actually bind those two ideas together.

328
00:14:05,300 --> 00:14:08,164
So to make things easier we introduced fingerprints.

329
00:14:08,164 --> 00:14:10,080
That was one of the things that was introduced

330
00:14:10,080 --> 00:14:12,220
with Android M on Nexus phones and an API for you

331
00:14:12,220 --> 00:14:14,290
to interact with it as an application developer.

332
00:14:14,290 --> 00:14:17,380
On Nexus devices we’ve seen adoption of secure lock screen

333
00:14:17,380 --> 00:14:20,836
go from about 50% to over 90% on devices

334
00:14:20,836 --> 00:14:22,210
where a fingerprint is available.

335
00:14:22,210 --> 00:14:25,324
Because it’s just so much easier.

336
00:14:25,324 --> 00:14:27,240
We’ve also made changes for those devices that

337
00:14:27,240 --> 00:14:29,030
don’t have access to fingerprint,

338
00:14:29,030 --> 00:14:32,610
for one reason or another, through things like Smart Lock.

339
00:14:32,610 --> 00:14:34,870
One of the capabilities that Smart Lock provides

340
00:14:34,870 --> 00:14:38,365
is what we call on-body detection, where we monitor how the device is

341
00:14:38,365 --> 00:14:40,240
interacting with the environment around them.

342
00:14:40,240 --> 00:14:41,170
Is it in their pocket?

343
00:14:41,170 --> 00:14:43,461
Do we think it’s still in control of the individual who

344
00:14:43,461 --> 00:14:44,770
first unlocked it?

345
00:14:44,770 --> 00:14:47,360
The use of that alone can reduce the frequency

346
00:14:47,360 --> 00:14:50,560
with which users need to authenticate by over 50%.

347
00:14:50,560 --> 00:14:52,180
We’ve seen that in our experience.

348
00:14:52,180 --> 00:14:56,640
So we’ve got good progress on making authentication easier for users.

349
00:14:56,640 --> 00:14:59,180
So that’s one of the things that we’re striving for.

350
00:14:59,180 --> 00:15:00,830
The other thing that we’re trying to do

351
00:15:00,830 --> 00:15:03,330
is make authentication stronger.

352
00:15:03,330 --> 00:15:05,340
So there are some changes there as well.

353
00:15:05,340 --> 00:15:08,860
One of them was to allow applications

354
00:15:08,860 --> 00:15:11,380
to tie their secrets to authentication.

355
00:15:11,380 --> 00:15:14,000
So you can make sure that your application will only

356
00:15:14,000 --> 00:15:17,050
function if the user has a secure lock screen

357
00:15:17,050 --> 00:15:19,100
and they have been recently authenticated.

358
00:15:19,100 --> 00:15:21,220
So that’s an important change that you can make.

359
00:15:21,220 --> 00:15:23,345
One of the types of things that an application that

360
00:15:23,345 --> 00:15:25,110
worries about, say financial systems

361
00:15:25,110 --> 00:15:27,830
or access to sensitive data, would want to do.

362
00:15:27,830 --> 00:15:30,780
Another thing that we’ve done is to move the authentication

363
00:15:30,780 --> 00:15:32,660
actually into TrustZone.

364
00:15:32,660 --> 00:15:34,860
So that even if the overall operating system

365
00:15:34,860 --> 00:15:37,680
has been compromised, there is no mechanism

366
00:15:37,680 --> 00:15:41,850
under the existing mechanism
available for the device to leak the credential,

367
00:15:41,850 –> 00:15:45,900
证书 指纹或是
the fingerprint, for example, or the user’s lock screen password

368
00:15:45,900 –> 00:15:48,310
用户的解锁密码
into a place that it could do and exhaust

369
00:15:48,310 –> 00:15:50,280
也不会泄露
over the strength of that credential.

370
00:15:54,060 –> 00:15:57,181
因此你需要思考的就是如何利用好验证
So you want to think about how to use authentication.

371
00:15:57,181 –> 00:15:59,430
我们提供了一些指纹的 API
We’ve provided some APIs so that it’s possible for you

372
00:15:59,430 –> 00:16:01,860
你可以直接调用
to directly invoke the fingerprint APIs.

373
00:16:01,860 –> 00:16:05,770
我们也提供了一些 API 让你可以控制
We’ve also provided APIs that allow you to control the user

374
00:16:05,770 –> 00:16:06,940
相关的用户体验
experience around that.

375
00:16:06,940 –> 00:16:09,550
你不一定必须描述
So you’re not constrained in how you would represent

376
00:16:09,550 –> 00:16:10,830
你将用验证来干什么
what it means to authenticate.

377
00:16:10,830 –> 00:16:13,530
但我们还是建议你提供
This is again, you get to offer context

378
00:16:13,530 –> 00:16:16,060
说明来解释你为什么需要验证
for why it is that you’re requesting authentication.

379
00:16:16,060 –> 00:16:17,250
因为我们认为应用体验中
We think that’s a really important part

380
00:16:17,250 –> 00:16:19,680
一个非常重要的部分
of the application experience is that you are effectively

381
00:16:19,680 –> 00:16:22,490
就是你以何种方式告诉用户
in control over how it is that you represent to the user what

382
00:16:22,490 –> 00:16:23,710
你将要干什么
you’re going to do.

383
00:16:23,710 –> 00:16:26,860
所以在这个实例中 UI 描述出了
So in this instance, that UI describing

384
00:16:26,860 –> 00:16:31,000
Google Play 如何使用指纹识别
how fingerprint is taking place is being drawn entirely by Google Play.

385
00:16:31,000 –> 00:16:32,875
他们需要描述接下来要做的事情
They get to describe, we’re going to do this.

386
00:16:32,875 –> 00:16:35,590
这就是我们如何使用它的做法 如果你也想这样
And here’s how we’re going to use it, if they want to do that.

387
00:16:35,590 –> 00:16:37,589
你也可以在你的应用中这样做
And you can do that in your application as well.

388
00:16:39,880 –> 00:16:43,740
这里提供一个快速示例 非常直观的
Just to give a quick example, very, very straightforward how

389
00:16:43,740 –> 00:16:51,340
展示如何把应用与指纹绑定
you create a key in this instance and then bind that to a fingerprint.

390
00:16:51,340 –> 00:16:53,590
在这个实例中 我想特意强调的是
In this instance, the thing that I wanted to highlight

391
00:16:53,590 –> 00:16:57,836
你事实上创建了一个回调
is that you’re actually creating a callback, a wrap based

392
00:16:57,836 –> 00:16:59,210
一个基于密钥的包装
on the key, and you’re only going

393
00:16:59,210 –> 00:17:02,884
如果用户验证成功了你只需要解密就行了
to do the decryption if the user has successfully authenticated.

394
00:17:02,884 –> 00:17:04,550
所以你现在知道与你应用
So you now know that the data associated

395
00:17:04,550 –> 00:17:06,630
相关的数据都是包装在密钥中的
with your application that’s been wrapped in that key

396
00:17:06,630 –> 00:17:09,254
只有通过验证的用户
simply doesn’t exist and is not accessible until after the user

397
00:17:09,254 –> 00:17:10,690
才能够访问这些数据
is authenticated.

398
00:17:10,690 –> 00:17:15,945
我再花几分钟时间说一下直接启动
I’ll talk in a couple of minutes about how we’re doing direct to boot.

399
00:17:15,945 –> 00:17:18,690
它有一个相似的模块 就是应用数据
And it has a similar model, where application data is not

400
00:17:18,690 –> 00:17:22,880
只有在用户已经被验证过了之后才能被获取
available until the user has already been authenticated.

401
00:17:22,880 –> 00:17:26,079
最佳范例
So a couple of best practices, I think

402
00:17:26,079 –> 00:17:30,680
我认为这对于
that there’s a real opportunity for auth-bound keys

403
00:17:30,680 –> 00:17:36,100
验证密钥锁屏和安全锁屏的使用
to drive both adoption of the use of authentication

404
00:17:36,100 –> 00:17:38,030
来说是一个真正的机会
on the lock screen and secure lock screen.

405
00:17:38,030 –> 00:17:40,010
同时也简化了用户与
And also to simplify the way that the user

406
00:17:40,010 –> 00:17:42,051
应用之间的交互方式
is going to be interacting with your application.

407
00:17:42,051 –> 00:17:44,720
因此当用户使用你的应用时
Then you don’t need to have a check for pin or password

408
00:17:44,720 –> 00:17:45,930
你就没有必要再让用户做出 pin 码或是密码检查了
when a user comes in to your application,

409
00:17:45,930 –> 00:17:46,830
即使应用中包含很多敏感数据
no matter how sensitive it is.

410
00:17:46,830 –> 00:17:49,455
因为你知道他们在解锁屏幕时
Because you know that they very recently have gone through that

411
00:17:49,455 –> 00:17:51,310
已经验证过身份了
authentication already at the lock screen.

412
00:17:51,310 –> 00:17:53,770
所以我是明确鼓励使用上述机制的
So I would definitely encourage using that mechanism.

413
00:17:53,770 –> 00:17:55,140
你可以设定一个时间上限
You can time bound it and say, if they’ve

414
00:17:55,140 –> 00:17:57,310
可以是一分钟 五分钟 十分钟
logged in the last minute, the last five minutes, the last 10

415
00:17:57,310 –> 00:17:59,610
只要是符合你应用的
minutes, whatever’s appropriate for your application

416
00:17:59,610 –> 00:18:03,891
安全规范就好
to drive good security practices consistent with your application.

417
00:18:03,891 –> 00:18:05,890
另一件我鼓励的事
The other thing that I would encourage you to do

418
00:18:05,890 –> 00:18:09,710
当然就是指纹解锁了
is certainly favor fingerprint.

419
00:18:09,710 –> 00:18:12,830
如果设备上有一个
You know the evidence seems to be that a fingerprint

420
00:18:12,830 –> 00:18:14,040
指纹识别器
reader exists on a device.

421
00:18:14,040 –> 00:18:16,130
那么用户总是倾向于使用它的
That’s going to be the mechanism that users are going to want to use.

422
00:18:16,130 –> 00:18:18,379
所以我也鼓励你
So I would encourage you to use that as your mechanism

423
00:18:18,379 –> 00:18:21,850
把指纹解锁
to do binding of authentication credentials

424
00:18:21,850 –> 00:18:24,400
加进你的解锁机制里
to key material inside of Keystore.

425
00:18:24,400 –> 00:18:26,414
如果指纹解锁
If that’s not available, then falling back

426
00:18:26,414 –> 00:18:28,830
不可用的话
to doing something like createConfirmDeviceCredentialIntent

427
00:18:28,830 –> 00:18:32,624
那就做点类似创建确认设备凭据
as a means to bind to whatever other secure lock

428
00:18:32,624 –> 00:18:34,040
之类的事
screen they have on the devices is

429
00:18:34,040 –> 00:18:36,110
用来安全的
a perfectly reasonable fallback for those devices where

430
00:18:36,110 –> 00:18:37,276
解锁设备
fingerprint isn’t available.

431
00:18:40,146 –> 00:18:42,020
其实我们已经谈到很多了
So we’ve covered a couple of features so far.

432
00:18:42,020 –> 00:18:44,620
下面我们来说一下加密部分
We’re going to get now into the crypto section.

433
00:18:44,620 –> 00:18:48,167
我们先来讨论一下网络安全 之后是安全存储
Talk first about secure networking and then get into secure storage.

434
00:18:54,860 –> 00:19:01,400
我很好奇究竟多少的细微改变
It’s amazing to me how often simple changes can make

435
00:19:01,400 –> 00:19:04,590
才能引发一个安全方面巨大的变革
a huge difference in security.

436
00:19:04,590 –> 00:19:08,210
我们花了一分钟思考
We spent a minute thinking about users and how many of them

437
00:19:08,210 –> 00:19:11,609
为什么有些用户选择不在锁屏上加密码
choose not to have a lock screen.

438
00:19:11,609 –> 00:19:12,650
因为这很复杂
Because it’s complicated.

439
00:19:12,650 –> 00:19:15,820
而且很麻烦 同样地
Because it’s difficult. In the same way,

440
00:19:15,820 –> 00:19:17,880
我们发现部分应用的开发者
we find that application developers often

441
00:19:17,880 –> 00:19:21,320
也同样选择不使用安全的网络传输
choose not to use secure networking because it’s a little bit

442
00:19:21,320 –> 00:19:22,746
因为它太麻烦了
too difficult.

443
00:19:22,746 –> 00:19:25,120
所以我们在最近的几个发布版本中
So what we’ve been doing over the last couple of releases

444
00:19:25,120 –> 00:19:27,780
试着让它变得简单一点
is trying to make that simpler.

445
00:19:27,780 –> 00:19:29,672
麻烦的地方在于我们发现
One of the complexities that we found

446
00:19:29,672 –> 00:19:31,130
应用的开发者
is that application developers just

447
00:19:31,130 –> 00:19:34,650
不知道他们现在使用的网络传输是否安全
don’t know whether they’re using secure traffic or not.

448
00:19:34,650 –> 00:19:37,860
一个很普遍的例子是 他们在应用中
A good example might be, they’ve incorporated an advertising

449
00:19:37,860 –> 00:19:40,190
加入了广告包
library into their application.

450
00:19:40,190 –> 00:19:44,340
为了使广告内容
Does that advertising library use HTTPS to request assets

451
00:19:44,340 –> 00:19:46,680
个性化
when it sends up device identifiers or user identifiers

452
00:19:46,680 –> 00:19:48,555
发送设备标识或是用户标识时
in order to request those advertisements that

453
00:19:48,555 –> 00:19:50,490
广告包是否用的是HTTPS请求
have been personalized for that application?

454
00:19:50,490 –> 00:19:51,856
你知道吗
Do you know?

455
00:19:51,856 –> 00:19:54,230
Android Marshmallow 的其中一个特点就是
And so one of the features that was introduced in Android

456
00:19:54,230 –> 00:19:57,040
允许应用控制网络请求
Marshmallow was the ability for an application to say,

457
00:19:57,040 –> 00:20:00,430
我可以选择使用明文通信
you know what, I want to use clear-text traffic.

458
00:20:00,430 –> 00:20:05,010
或是相反地 我不想选择明文通信
And conversely, I don’t think that I need to use clear-text traffic.

459
00:20:05,010 –> 00:20:07,319
如果你在使用一个类似 Gmail 的应用
If you’re an application like Gmail,

460
00:20:07,319 –> 00:20:09,610
你可以说我知道我所有的连接
you can say I know that all my connections are going up

461
00:20:09,610 –> 00:20:10,210
都将上传到 Google 服务器中
to a Google server.

462
00:20:10,210 –> 00:20:11,300
这也是一种保护的手段
And that’s the one that’s been protected.

463
00:20:11,300 –> 00:20:11,410
当然
And.

464
00:20:11,410 –> 00:20:14,280
我也可以说 嗯 我不想使用任何明文通信
I can say, whoop, I’m going to not use any clear-text traffic.

465
00:20:14,280 –> 00:20:15,290
如果你是另一个应用
If you’re a different application,

466
00:20:15,290 –> 00:20:17,498
那么你就需要知道它是否
then you need to go through the process of evaluating

467
00:20:17,498 –> 00:20:18,440
在使用明文通信
whether it’s there.

468
00:20:18,440 –> 00:20:20,690
这就是我们做的
So this is a feature that was put in place to simplify

469
00:20:20,690 –> 00:20:22,648
快速明确你的应用是否
understanding whether your application actually

470
00:20:22,648 –> 00:20:23,890
在使用明文通信
uses clear-text traffic.

471
00:20:23,890 –> 00:20:26,710
而且能让用户知道
And to give users visibility into whether you think

472
00:20:26,710 –> 00:20:29,410
他的应用是否在使用明文通信
you use clear-text traffic.

473
00:20:29,410 –> 00:20:32,600
当然 这用起来也很简单
So, it’s really straightforward, very easy to use.

474
00:20:32,600 –> 00:20:34,730
它就在你的 manifests 中
Inside your manifests, it’s very simple.

475
00:20:34,730 –> 00:20:36,120
你使用明文通信了吗
Do you use clear-text traffic?

476
00:20:36,120 –> 00:20:38,160
没有
No.

477
00:20:38,160 –> 00:20:43,060
接着是 API 例如一个 URL
And then API, such as URL– yeah,

478
00:20:43,060 –> 00:20:48,160
HttpURLConnection 如果它不使用 HTTPS 是不会正常工作的
HttpURLConnection, where it’s not using HTTPS, will simply not work.

479
00:20:48,160 –> 00:20:50,140
所以这些 API 被用于
So those APIs that are known to be

480
00:20:50,140 –> 00:20:52,959
保证通过网络传输的用户数据
insecure in transmitting user data across a network simply

481
00:20:52,959 –> 00:20:53,750
的安全
no longer function.

482
00:20:53,750 –> 00:20:55,083
它们将返回一个安全错误
They’ll return a security error.

483
00:20:55,083 –> 00:20:57,090
你就可以摆脱困境了
And you can bail out.

484
00:20:57,090 –> 00:20:59,290
这多方便
So that’s great.

485
00:20:59,290 –> 00:21:01,540
只可惜这导致了大部分的应用是安全的
Except that it turns out most applications

486
00:21:01,540 –> 00:21:03,695
而一小部分是不安全的
do some stuff secure and some stuff not secure.

487
00:21:03,695 –> 00:21:05,945
所以我们知道我们需要提供更强的灵活性
So we knew that we needed to provide more flexibility.

488
00:21:05,945 –> 00:21:07,570
所以我们在 Android N 中
And so that’s one of the things that we

489
00:21:07,570 –> 00:21:10,520
致力于更加精细的控制
began focusing on in Android N is how do we

490
00:21:10,520 –> 00:21:13,930
尤其是当我们了解到
have more granular controls while recognizing

491
00:21:13,930 –> 00:21:16,810
存在于 SSL 和 TLS 栈中的粒度
that the granularity that’s existed in SSL and TLS

492
00:21:16,810 –> 00:21:20,140
已经成为了在实现部署中
Stacks and the SSL APIs has been a source

493
00:21:20,140 –> 00:21:24,370
难以置信的复杂与困难的来源
of incredible complexity and incredible difficulty in deployment.

494
00:21:24,370 –> 00:21:27,010
所以我们想在网络安全配置方面做的工作就是
And so what we want to do with network security config

495
00:21:27,010 –> 00:21:30,710
让身为应用开发者的你在使用安全传输时
is make it really easy for you, as an application developer,

496
00:21:30,710 –> 00:21:33,700
更容易
to know where you’re using secure transports.

497
00:21:33,700 –> 00:21:35,207
而且在这过程中
And then to control those transports

498
00:21:35,207 –> 00:21:37,540
不会使你的代码变得更复杂
in a way that doesn’t make your coding really difficult.

499
00:21:37,540 –> 00:21:38,970
它非常清晰
So it’s entirely declarative.

500
00:21:38,970 –> 00:21:40,300
因为它全在 manifest 里
And it’s all in the manifest.

501
00:21:40,300 –> 00:21:43,170
现在让我们谈谈一些基础功能
So let’s talk about some of the basic capabilities.

502
00:21:43,170 –> 00:21:45,520
这是一个很简单的例子
Well here’s a really simple one.

503
00:21:45,520 –> 00:21:49,110
原来 我没有在每个地方都使用安全通路
It turns out, I don’t use secure traffic everywhere.

504
00:21:49,110 –> 00:21:51,822
但是我知道我正在 secure.example.com 上使用它
But I know that I use it on secure.example.com.

505
00:21:51,822 –> 00:21:54,160
这样我就可以使用 domain-config
And so I can use a domain config.

506
00:21:54,160 –> 00:21:59,060
我把它配置在使用安全通路的地方
I set up where this domain is one that uses secure traffic.

507
00:21:59,060 –> 00:22:03,560
当我指定为 false 时 它使用明文通信
OK, so it does use clear-text traffic, specifies it as false.

508
00:22:03,560 –> 00:22:06,340
而且我没有对任何要与我的应用交互的
And I don’t make any claims about any other domains

509
00:22:06,340 –> 00:22:09,030
域名做任何的要求
that my application might be interacting with.

510
00:22:09,030 –> 00:22:11,175
这样你就可以保持
So you can keep that advertising library

511
00:22:11,175 –> 00:22:12,800
广告库的不变
that otherwise would have prevented you

512
00:22:12,800 –> 00:22:14,870
也不用担心你应用的其他功能
from being confident about the rest of the functionality

513
00:22:14,870 –> 00:22:15,703
有任何的变化
of your application.

514
00:22:19,870 –> 00:22:22,210
这仅仅
So that’s the start of the types of things

515
00:22:22,210 –> 00:22:23,610
是开端
that you’d want to be able to do.

516
00:22:23,610 –> 00:22:25,401
我们发现的另外一件事情
Another thing that we’ve found is that it’s

517
00:22:25,401 –> 00:22:28,540
就是调试困难
very difficult to do debugging.

518
00:22:28,540 –> 00:22:31,100
这种情况很常见
We see that in the context of Google on a regular basis.

519
00:22:31,100 –> 00:22:32,980
我们在调试设备上的交互方式
The way that we interact with our debug infrastructure

520
00:22:32,980 –> 00:22:35,563
与真实发布设备上的交互方式
is different from the way that we do interact with our release

521
00:22:35,563 –> 00:22:36,450
非常不同
infrastructure.

522
00:22:36,450 –> 00:22:38,074
他们的密钥材料是不一样的
We have different key material on them.

523
00:22:38,074 –> 00:22:40,552
不是所有的 Android 设备中
We might not come from a certificate authority that’s

524
00:22:40,552 –> 00:22:43,380
都有权威机构的认证
a well known certificate authority that’s on all the Android devices.

525
00:22:43,380 –> 00:22:45,046
因为这仅仅是一个测试设备
Because it’s just a test infrastructure.

526
00:22:45,046 –> 00:22:47,240
而且你也不想为复杂而又昂贵的SSL
And you don’t want to have to pay for and maintain

527
00:22:47,240 –> 00:22:50,540
付费和维护
that sort of complex or costly SSL infrastructure.

528
00:22:50,540 –> 00:22:52,670
价格虽然不是那么高
Not that it’s that costly, but that’s the mindset

529
00:22:52,670 –> 00:22:54,049
但这是很多开发者的真实想法
of a lot of developers.

530
00:22:54,049 –> 00:22:57,100
所以我们要做的就是把它变得简单点
And so one of the things that we want to do is make it really simple.

531
00:22:57,100 –> 00:22:59,730
在过去 开发者的方法是
Because in the past, the way that developers have done this,

532
00:22:59,730 –> 00:23:02,340
他们必须通过一系列的自定义代码
is they’ve had to go through a lot of custom code

533
00:23:02,340 –> 00:23:04,680
来改变 SSL 在应用中的
to change how SSL handling took place

534
00:23:04,680 –> 00:23:06,380
操作模式
inside the context of their application.

535
00:23:06,380 –> 00:23:08,140
因此我们把网络安全配置的事
So we’re going to do that all in the manifest now with network

536
00:23:08,140 –> 00:23:09,357
全都放在了 manifest 中
security config.

537
00:23:09,357 –> 00:23:11,190
这样做就与原来基于
So that should make it really, really simple

538
00:23:11,190 –> 00:23:14,640
发布设施的做法完全不同了
for you to test in a way that’s distinct from, entirely

539
00:23:14,640 –> 00:23:17,490
这将变得极为简单
independent from, your release infrastructure,

540
00:23:17,490 –> 00:23:20,380
而且你再也不用写任何的自定义代码了
but also not have to write any custom code to do that.

541
00:23:20,380 –> 00:23:22,600
感觉如何
So what does it look like?

542
00:23:22,600 –> 00:23:26,460
在 network-security-config 中可以直接修改
Here’s a pretty simple way to do it, network security config.

543
00:23:26,460 –> 00:23:28,250
你需要加上 debug-overrides
You declare debug overrides.

544
00:23:28,250 –> 00:23:30,950
当你在调试应用的时候
And you set a different set of trust anchors

545
00:23:30,950 –> 00:23:34,796
设置一个不一样的 trust-anchors
when your application is running in a debug environment.

546
00:23:34,796 –> 00:23:36,670
你指定 trust-anchors 是什么
And you specify what those trust anchors are.

547
00:23:36,670 –> 00:23:39,210
你完全可以在你的应用里这么做 像在这做的一样
You can include them in your applications, as is being done here.

548
00:23:39,210 –> 00:23:41,126
事实上它们在你的应用中
This is actually specifying that they’re going

549
00:23:41,126 –> 00:23:42,644
被具体指定了
to be in your application.

550
00:23:42,644 –> 00:23:44,560
而且当你的应用调试完成以后
And you now know that when your application is

551
00:23:44,560 –> 00:23:49,260
你不用修改任何的代码
no longer in a debug build, no change to your code at all.

552
00:23:49,260 –> 00:23:51,080
你用发布版本发布出来
You’ve released it in release mode.

553
00:23:51,080 –> 00:23:52,090
你上传它
You ship it.

554
00:23:52,090 –> 00:23:54,287
所有有关调试的重写代码
And all of the code related to this debug overrides

555
00:23:54,287 –> 00:23:56,620
都不会再展示在应用之中
is no longer going to be present inside the application.

556
00:23:56,620 –> 00:23:57,578
非常直观
Really straightforward.

557
00:24:02,414 –> 00:24:03,830
你也许想做
You may want to do things that are

558
00:24:03,830 –> 00:24:08,160
比域名等级限制更复杂的事
more sophisticated than just domain level restrictions,

559
00:24:08,160 –> 00:24:10,150
使用 certificate-authorities 中的 built
using the built in certificate authorities,

560
00:24:10,150 –> 00:24:13,929
或从调试硬件中区别出
or differentiating your debug hardware, debug

561
00:24:13,929 –> 00:24:15,970
调试设施和发布设施
infrastructure, from your release infrastructure.

562
00:24:15,970 –> 00:24:17,905
所以我们再谈论下这个问题
So let’s talk about that for just a second.

563
00:24:17,905 –> 00:24:19,280
有很多种不同的方法
Here’s a couple of different ways

564
00:24:19,280 –> 00:24:21,920
可以限制你需要与之交互的证书
that you can actually limit the set of certificates

565
00:24:21,920 –> 00:24:25,280
而且不需要写一个你自己的
that you interact with without needing to write your own SSL

566
00:24:25,280 –> 00:24:28,520
SSL 错误处理器或是 SSL 证书确认程序
error handlers and SSL certificate validation routines.

567
00:24:28,520 –> 00:24:32,240
这是一个很简单的域名
Really simple one, these are domains for which

568
00:24:32,240 –> 00:24:34,760
需要把我们应用中的
we are going to include the certificates that

569
00:24:34,760 –> 00:24:38,960
证书绑定上去
are tied to those domains in our application.

570
00:24:38,960 –> 00:24:42,870
所以我们指定了 secure.example.com 和 cdn.example.com
So we specify secure.example.com, cdn.example.com.

571
00:24:42,870 –> 00:24:45,120
而这些应用与证书
And these are apps, these are certs, that are actually

572
00:24:45,120 –> 00:24:47,230
都将直接在我的应用里
going to be directly in my app.

573
00:24:47,230 –> 00:24:49,710
所以不需要依赖系统证书
So don’t rely on the system certificates.

574
00:24:49,710 –> 00:24:53,500
我也不需要买一个证书或是别人的认证
I don’t need to go buy a certificate or validate with somebody else.

575
00:24:53,500 –> 00:24:55,970
我应用的信任凭据就在
My application’s trust is contained entirely inside

576
00:24:55,970 –> 00:24:56,830
应用里面
of that application.

577
00:24:56,830 –> 00:24:58,580
这样我就可以连接到服务器了
And then I can connect out to that server.

578
00:25:02,759 –> 00:25:04,550
另一个我们经常问到的就是
Another thing that we often get asked about

579
00:25:04,550 –> 00:25:06,990
怎样证书锁定
is, how do I do certificate pinning?

580
00:25:06,990 –> 00:25:09,050
证书锁定 如果你对
Certificate pinning, in case you’re not

581
00:25:09,050 –> 00:25:11,050
这个术语不熟悉 就是判断
familiar with the term, is to identify

582
00:25:11,050 –> 00:25:15,082
一个特定的证书 不是 CA 不是证书链
a specific certificate, not a CA, not a certificate chain,

583
00:25:15,082 –> 00:25:17,540
是一个你需要与一个特定服务器
but a specific certificate that you expect to be associated

584
00:25:17,540 –> 00:25:19,080
通信的证书
with a particular web service.

585
00:25:19,080 –> 00:25:21,320
所以我们要介绍的一个功能就是
So one of the capabilities that we introduced here

586
00:25:21,320 –> 00:25:24,500
指定 pin 当然同样是在 manifest 中
is the ability to specify a pin, again directly in the manifest,

587
00:25:24,500 –> 00:25:26,740
你不需要修改 SSL 代码
so you don’t have to manipulate the SSL code

588
00:25:26,740 –> 00:25:28,470
或是你自己的证书
or do your own certificate validation.

589
00:25:28,470 –> 00:25:31,840
如果你想的话可以迅速的做出改变
And you can very quickly make a change to that if you’d like to do so.

590
00:25:31,840 –> 00:25:36,740
我担心锁定和管理你自己的信任凭据
I would caution that pinning and managing your own trusts

591
00:25:36,740 –> 00:25:38,100
会比较棘手
can be a little bit tricky.

592
00:25:38,100 –> 00:25:40,840
所以我们明确地鼓励你使用内置插件
And so we definitely encourage you to use the built ins.

593
00:25:40,840 –> 00:25:43,390
但是我们也想保证你的
But we also wanted to make sure that you have the flexibility

594
00:25:43,390 –> 00:25:44,877
灵活性
to do things,

595
00:25:44,877 –> 00:25:46,960
如果你不想刁难自己的话
if you really want to cause yourself a little more

596
00:25:46,960 –> 00:25:50,120
你最好还是这样做
grief than you otherwise had to do.

597
00:25:50,120 –> 00:25:54,649
这是我幻灯片里想讲述的重点
So here’s how I would describe that in bullet points on a slide.

598
00:25:54,649 –> 00:25:57,190
我们在网络安全配置方面
There’s a bunch of changes that we made with network security

599
00:25:57,190 –> 00:25:59,590
做了很多的改变 而且我们认为这些改变
config and some best practices that we

600
00:25:59,590 –> 00:26:03,240
几乎适用于每个人
think are appropriate for nearly everyone.

601
00:26:03,240 –> 00:26:05,330
一个很好的例子就是
A good example of that is identifying

602
00:26:05,330 –> 00:26:06,920
在所有域名中识别出
what are the domains that you expect

603
00:26:06,920 –> 00:26:10,210
你想要确保安全的那些域名
all of the traffic on those domains to be secure.

604
00:26:10,210 –> 00:26:11,340
然后着重保证它的安全
And actually specify that.

605
00:26:11,340 –> 00:26:14,442
如果它用明文通信 那就把它设置为 false
Say it uses clear-text traffic and set it to false.

606
00:26:14,442 –> 00:26:16,650
这样你就能确保不会意外地
So that you can make sure that you don’t accidentally

607
00:26:16,650 –> 00:26:19,220
通过这些网络发送任何不安全的数据
send any insecure data over those networks.

608
00:26:19,220 –> 00:26:22,451
理想状况是 我们希望你把它用在每一个地方
Ideally, we would like you to do it for everything.

609
00:26:22,451 –> 00:26:23,700
当然我们现在还不是很完美
But we’re not there quite yet.

610
00:26:23,700 –> 00:26:24,366
我们知道
We realize that.

611
00:26:24,366 –> 00:26:25,492
这是一个递进的过程
So this is incremental.

612
00:26:25,492 –> 00:26:26,950
最后我们将在整个
And eventually we’ll get to a point

613
00:26:26,950 –> 00:26:28,408
Android 生态系统中
where it can be done for everything

614
00:26:28,408 –> 00:26:30,550
的每一点网络访问上
across the entire Android ecosystem

615
00:26:30,550 –> 00:26:33,380
都用上这个技术
as we are pushing to do the same across the broader web.

616
00:26:36,020 –> 00:26:38,420
另一个我们做出的重要改变是
Another important change that was made

617
00:26:38,420 –> 00:26:41,380
用户的安装证书不再是默认的了
was that user installed certificates are no longer

618
00:26:41,380 –> 00:26:43,590
之前使用此设备的用户
trusted by default. The user on a device

619
00:26:43,590 –> 00:26:46,377
有权利在
has the ability to go in, add a certificate,

620
00:26:46,377 –> 00:26:48,210
应用与服务器
and, previously, had the ability to then man

621
00:26:48,210 –> 00:26:50,410
中间
in the middle, traffic between your application

622
00:26:50,410 –> 00:26:52,150
添加一个证书
and your server infrastructure.

623
00:26:52,150 –> 00:26:54,690
他们想那么做的原因有很多
There’s a lot of reasons why they might want to do that.

624
00:26:54,690 –> 00:26:56,231
同样地 你也有相当多的理由
And there’s a lot of reasons that you

625
00:26:56,231 –> 00:26:58,400
把这功能放到你的应用中
might want to enable it in your application as well.

626
00:26:58,400 –> 00:27:01,522
另一方面 我们发现在
On the other hand, we thought and we found in conversations

627
00:27:01,522 –> 00:27:03,730
开发者的对话中 绝大多数的开发者
with developers, that the vast majority of developers

628
00:27:03,730 –> 00:27:05,150
就这个没什么预期
don’t anticipate that.

629
00:27:05,150 –> 00:27:06,800
如果他们能连接到自己的服务器
And if they’re connecting to their own infrastructure

630
00:27:06,800 –> 00:27:09,091
又连接不到别的地方 那么他们就没有什么特殊的理由
and to nowhere else, they don’t see a particular reason

631
00:27:09,091 –> 00:27:10,020
这样做了
to enable that.

632
00:27:10,020 –> 00:27:12,994
所以这就有了用户在无意中
And so there was a risk of users unintentionally

633
00:27:12,994 –> 00:27:15,990
安装了有可能导致中间人攻击的证书
installing certificates that could allow for a man in the middle.

634
00:27:15,990 –> 00:27:19,530
所以我们改变了这种默认的安装方式
And so we’ve changed the default to no longer have

635
00:27:19,530 –> 00:27:22,160
在默认情况下 允许在
user certificates be, by default,

636
00:27:22,160 –> 00:27:26,002
应用与终端之间拦截通信
able to intercept traffic between your application and your endpoint.

637
00:27:26,002 –> 00:27:27,460
如果你愿意的话你也可以做出改变
You can change that if you want to.

638
00:27:27,460 –> 00:27:28,924
可能在你应用中的某些情况下
There may be situations where it’s

639
00:27:28,924 –> 00:27:31,340
是适用的
appropriate to do that in the context of your application.

640
00:27:31,340 –> 00:27:31,780
有些则不适用
There may not.

641
00:27:31,780 –> 00:27:35,630
这取决于你
It’s something for you to take a look at and make a determination for.

642
00:27:35,630 –> 00:27:38,840
我们致力的另一件事就是简化调试
The other thing that we’ve tried to do is simplify debugging.

643
00:27:38,840 –> 00:27:41,230
我们建议你可以试一试
So I would encourage you to go look at your application.

644
00:27:41,230 –> 00:27:45,170
如果你使用了任何的 SSL 操作
If you have any SSL handling that you’ve implemented

645
00:27:45,170 –> 00:27:48,300
比如说自定义操作 自定义认证 或其他自定义的 SSL 操作
that’s custom handling, custom cert verification, custom SSL

646
00:27:48,300 –> 00:27:52,110
你可以用网络安全配置替换之
handlers, you probably can replace that with network security config

647
00:27:52,110 –> 00:27:53,630
这样做将更简单
and make it much easier to make sure that you

648
00:27:53,630 –> 00:27:54,838
而且不容易出错
don’t make a mistake in that.

649
00:27:58,950 –> 00:28:01,760
如果你还想做的更多
If you want to do something and you

650
00:28:01,760 –> 00:28:04,460
而且你觉得有信心
feel confident in your ability to manage

651
00:28:04,460 –> 00:28:06,414
管理你自己的证书 我们同样
your own certificates, we’ve provided that

652
00:28:06,414 –> 00:28:08,830
提供更简单的做法
and try to make that a little bit simpler for you as well.

653
00:28:08,830 –> 00:28:13,094
不过就像我刚才说的 这么做可能更复杂
But as I mentioned, this is a little bit more difficult

654
00:28:13,094 –> 00:28:14,510
而且更容易出错
and a little bit more error prone.

655
00:28:14,510 –> 00:28:16,635
这是你需要想清楚的地方
So it’s something that you’d want to think through.

656
00:28:20,870 –> 00:28:22,930
上述就是网络相关的内容
So we talked about networking.

657
00:28:22,930 –> 00:28:25,370
下面我们来聊聊我们经常提到的加密技术
Now let’s get into the thing that we so often just refer

658
00:28:25,370 –> 00:28:30,980
2016年的大型加密讨论
to as encryption, the big encryption debates of 2016.

659
00:28:30,980 –> 00:28:32,920
我花费了很多时间来谈论
I’ve been spending a lot of my time talking

660
00:28:32,920 –> 00:28:35,390
为什么存储加密对
about why it is that storage encryption is

661
00:28:35,390 –> 00:28:38,060
用户数据的保护如此的重要
so important for protecting user data.

662
00:28:38,060 –> 00:28:41,320
我们用类似 Android Pay 这样的应用
The benefits that it has accrued on the ecosystem where we’re

663
00:28:41,320 –> 00:28:44,350
让开发者能够在 Android 生态系统中获得收益
now able to deliver applications like Android Pay, where it’s

664
00:28:44,350 –> 00:28:47,560
因此对开发者来说 设备信息的
possible for a developer to rely on the integrity

665
00:28:47,560 –> 00:28:49,530
完整性和机密性
and the confidentiality of information

666
00:28:49,530 –> 00:28:51,890
是相当关键的
that’s critical to the application on the device.

667
00:28:51,890 –> 00:28:54,430
这就是我们在所有装载有 Marshmallow
That’s one of the reasons among many

668
00:28:54,430 –> 00:28:58,690
系统的设备上开始推广加密技术
that we’ve moved towards requiring encryption on all capable devices

669
00:28:58,690 –> 00:29:00,170
的原因
starting with Marshmallow.

670
00:29:00,170 –> 00:29:02,010
这是强制执行的
We made that mandatory.

671
00:29:02,010 –> 00:29:04,980
我们会把它变得越来越健壮
And we’ve been making that more and more robust.

672
00:29:04,980 –> 00:29:07,522
因为我们认为直接对用户设备的物理威胁
Because we think direct physical threats to the user’s device

673
00:29:07,522 –> 00:29:09,896
也是我们需要考虑的事情
are one of the things that we need to be concerned about.

674
00:29:09,896 –> 00:29:12,350
这就是我们开始推广的设备名单
These are devices that we move around in the world with.

675
00:29:12,350 –> 00:29:14,520
这也包括手环之类的设备
They are sometimes attached to your wrist.

676
00:29:14,520 –> 00:29:16,400
也包括你车中的设备
They’re sometimes in your car.

677
00:29:16,400 –> 00:29:19,610
有多种强存储加密方式
There’s a lot of different ways that having strong storage

678
00:29:19,610 –> 00:29:22,540
对 Android 的安全来说是非常重要的
encryption is really fundamental to Android security.

679
00:29:22,540 –> 00:29:24,850
但这不意味着我们不能把它变得更好
But that doesn’t mean we can’t make it better.

680
00:29:24,850 –> 00:29:26,370
也不意味着我们不能在用户体验的角度上
It doesn’t mean that we can’t improve it from a user

681
00:29:26,370 –> 00:29:27,360
把它变得更好
experience standpoint.

682
00:29:27,360 –> 00:29:29,360
Android N 的一个重大变化就是
And so one of the big changes with the Android N

683
00:29:29,360 –> 00:29:31,950
直接启动
is what we refer to as Direct Boot.

684
00:29:31,950 –> 00:29:34,140
我将分别从用户和开发者的角度说
I’ll talk about it both from a user perspective

685
00:29:34,140 –> 00:29:37,730
不过在开发者的角度上会多说一点
and then I’ll get into it a little bit from a developer’s perspective.

686
00:29:37,730 –> 00:29:40,020
从用户的角度来说 直接启动
From a user perspective, direct boot basically

687
00:29:40,020 –> 00:29:44,700
意味着我不需要重复的输入密码了
means I don’t go through two times putting in my user’s password.

688
00:29:44,700 –> 00:29:46,330
我不必输入两次
I don’t have to double enter that.

689
00:29:46,330 –> 00:29:49,205
因为目前 设备第一次启动的时候
Because currently, the first time the device comes up,

690
00:29:49,205 –> 00:29:50,080
你得输入一次密码
you have to enter it.

691
00:29:50,080 –> 00:29:51,430
然后设备就被解密了
The device is then decrypted.

692
00:29:51,430 –> 00:29:54,650
然后在你开始使用设备的时候 还要再输一次
And then you get it again as you’re interacting with it.

693
00:29:54,650 –> 00:29:56,110
这也意味着在你第一次输入之后
It also means that all of the data

694
00:29:56,110 –> 00:29:58,276
所有的数据都被解密了
is decrypted after you’ve entered it the first time.

695
00:29:58,276 –> 00:30:00,620
我再简单说两句
So we’ll talk about that more in just a second.

696
00:30:00,620 –> 00:30:04,440
全盘加密的另一个挑战就是
Another challenge that exists with full disk encryption

697
00:30:04,440 –> 00:30:09,460
所有的数据都一直处于保护之中
is it means that, yes, all the data is protected all the time.

698
00:30:09,460 –> 00:30:15,460
但在用户输入密码之前 你什么也做不了
But until the user has entered their password, you’re stuck.

699
00:30:15,460 –> 00:30:18,090
因为没有应用能访问数据
No application has the ability to access data.

700
00:30:18,090 –> 00:30:22,272
所以一个重要的改变就是 设备现在能直接启动起来
And so one of the important changes is the device will now come up.

701
00:30:22,272 –> 00:30:24,480
还有运行在后台的东西
And things that are running in the background, things

702
00:30:24,480 –> 00:30:30,479
像是来电 短信
like inbound calls, inbound SMS, your alarm

703
00:30:30,479 –> 00:30:32,020
早上的闹钟 对于那些
clock in the morning for those of you

704
00:30:32,020 –> 00:30:34,270
得比六点从旧金山
who had to get up earlier than the six o’clock shuttle

705
00:30:34,270 –> 00:30:36,432
出发的班车起得还早的人来说
coming down from San Francisco, who

706
00:30:36,432 –> 00:30:38,890
你们没有我这么幸运
didn’t have the fortune that I did of having a two-year-old

707
00:30:38,890 –> 00:30:42,430
有个两岁小孩三点就把你叫醒 所以你早就醒着了
wake you up at 3:00 so you were already awake.

708
00:30:42,430 –> 00:30:43,980
你依赖你的闹钟吗
You rely on your alarm clock?

709
00:30:43,980 –> 00:30:48,350
我已经超过六个月没这么做了
I don’t have to do that for another six or so months.

710
00:30:48,350 –> 00:30:51,240
所以我们努力让这些也能正常工作
And so we move towards making that work,

711
00:30:51,240 –> 00:30:53,694
即使用户还没有输入他们的凭据
even if the user hasn’t put in their credential.

712
00:30:53,694 –> 00:30:55,860
以上就是站在用户角度上的讨论
So that’s what it looks like from a user standpoint.

713
00:30:55,860 –> 00:30:57,630
那从开发者的角度来说呢
What’s it look like from a developer standpoint?

714
00:30:57,630 –> 00:31:01,340
我们在存储加密方面引入了两个不同的概念
We introduced two different concepts in terms of storage encryption.

715
00:31:01,340 –> 00:31:04,020
第一种就是你最熟悉的
The first is the one that’s most familiar to you

716
00:31:04,020 –> 00:31:06,750
凭据加密
right now, credential encryption.

717
00:31:06,750 –> 00:31:10,660
这意味着只有在用户输入了他们的凭据之后
That means this data is only available after the user has

718
00:31:10,660 –> 00:31:12,940
才能访问数据
entered their credential.

719
00:31:12,940 –> 00:31:16,070
还有一种我们称之为设备加密数据
We also have what we refer to as device encrypted data.

720
00:31:16,070 –> 00:31:21,720
这种数据用一把存储在 TrustZone 中的密钥就能访问
This is data that’s available with a key that’s stored in TrustZone.

721
00:31:21,720 –> 00:31:24,740
所以它通过多种不同的机制
So it’s protected in a variety of different mechanisms

722
00:31:24,740 –> 00:31:25,820
来防止被提取
against extractions.

723
00:31:25,820 –> 00:31:27,560
数据仍然是被加密的
The data is still encrypted, but it’s

724
00:31:27,560 –> 00:31:30,810
不过是被与设备相关联的密钥加密了
encrypted with a key that’s only tied to the device.

725
00:31:30,810 –> 00:31:32,880
默认情况下 应用还是运行在
Applications by default are going

726
00:31:32,880 –> 00:31:34,700
凭据加密环境下
to run in credential encrypted environment.

727
00:31:34,700 –> 00:31:37,328
所以如果你什么都不改 你得到的行为
So if you don’t change anything, the behavior you have is going

728
00:31:37,328 –> 00:31:39,240
就和你的应用现在的工作方式完全一样
to be exactly the way your application works now,

729
00:31:39,240 –> 00:31:41,590
用户一旦登入设备
which is once the user logs in, you can access the data

730
00:31:41,590 –> 00:31:43,860
你就可以用上述方式访问数据了
and you can kind of proceed along your way.

731
00:31:43,860 –> 00:31:48,030
但是如果你的应用在用户解锁设备之前
But if you have an application that requires access

732
00:31:48,030 –> 00:31:50,800
就需要访问数据的话
to information potentially before the user had entered

733
00:31:50,800 –> 00:31:54,220
你可以把你的应用标记为直接启动感知
their credentials, you can declare yourself to be direct boot aware.

734
00:31:54,220 –> 00:31:56,705
这样你在被声明为
And then you have access to the data

735
00:31:56,705 –> 00:31:58,830
直接启动感知的 activity 中
in the context of the activity that’s been declared

736
00:31:58,830 –> 00:31:59,947
就可以直接访问数据了
to be direct boot aware.

737
00:31:59,947 –> 00:32:01,530
当然你也可以直接与之交互
And you can actually interact with it.

738
00:32:01,530 –> 00:32:03,080
这就是 TalkBack 的工作原理
So that’s how TalkBack works.

739
00:32:03,080 –> 00:32:04,880
这就是短信的工作原理
That’s how SMS works.

740
00:32:04,880 –> 00:32:07,890
闹钟也是这样存储的 这是个闹钟
That’s how alarms store, this is an alarm,

741
00:32:07,890 –> 00:32:09,510
而重启之后 我希望
and immediately upon reboot, I want

742
00:32:09,510 –> 00:32:11,010
能立刻执行那个闹钟
to be able to execute on that alarm.

743
00:32:13,979 –> 00:32:16,810
怎样声明直接启动感知呢
What does it mean to declare yourself to be direct boot aware?

744
00:32:16,810 –> 00:32:18,184
非常直观
Pretty straightforward.

745
00:32:18,184 –> 00:32:19,850
上半部分在 manifest 里
The top half of this is in the manifest.

746
00:32:19,850 –> 00:32:22,000
你只需要说 我是直接启动感知就行了
You just say, I’m direct boot aware.

747
00:32:22,000 –> 00:32:25,890
好 然后那个 receiver 就可以被触发了
OK, and then that receiver can be triggered.

748
00:32:25,890 –> 00:32:29,270
当某个特定的 intent 被发出的时候 比如
In the event that a particular intent is fired like,

749
00:32:29,270 –> 00:32:32,566
比如说 boot complete 然后你的应用
I don’t know, boot complete, then your application

750
00:32:32,566 –> 00:32:36,470
就会在那个 receiver 的上下文中开始运行
will start running in the context of that particular receiver.

751
00:32:36,470 –> 00:32:38,862
为了使用存储 你最可能干的事情
To use storage, which presumably is one of the things

752
00:32:38,862 –> 00:32:40,320
就是你需要
that you’d want to do, you’re going

753
00:32:40,320 –> 00:32:44,550
在设备保护存储中
to need to create storage that’s in the context of device

754
00:32:44,550 –> 00:32:45,330
开辟一块存储空间出来
protected storage.

755
00:32:45,330 –> 00:32:47,340
这是底部的一小段代码
And so there’s a little snippet of code down there at the bottom.

756
00:32:47,340 –> 00:32:48,530
你拿到你应用的 context
You create your app context.

757
00:32:48,530 –> 00:32:49,571
用你应用的 context
You use your app context.

758
00:32:49,571 –> 00:32:52,480
创建一个设备保护存储的 context
And then you create a device protected storage context.

759
00:32:52,480 –> 00:32:53,860
然后只需把它打开就行了
And then you just open it.

760
00:32:53,860 –> 00:32:56,330
你可以用任何你喜欢的方式与之交互
You interact with it exactly like you would any other way.

761
00:32:56,330 –> 00:32:59,920
当你运行在我所说的设备上下文中
When you are running in what I refer to as the device context,

762
00:32:59,920 –> 00:33:02,100
而不是凭据保护上下文中的时候
as opposed to the credential protected context,

763
00:33:02,100 –> 00:33:05,680
你仍然可以创建凭据保护的文件
you can still create files that are credential protected.

764
00:33:05,680 –> 00:33:06,770
你只是不能读取它们
You just can’t read them.

765
00:33:09,401 –> 00:33:11,400
但这在很多情况下都可能很有用
But there are lots of ways that could be useful.

766
00:33:11,400 –> 00:33:12,150
你可以往后附加
You can append.

767
00:33:15,030 –> 00:33:17,560
比如你收到了一封邮件
So if you receive an inbound mail message.

768
00:33:17,560 –> 00:33:20,460
而你用的是一种很糟糕的邮件存储格式
And you’ve got a really horrible mail storage

769
00:33:20,460 –> 00:33:22,500
只是往后追加
format where you just append.

770
00:33:22,500 –> 00:33:25,291
你可以仅拿到标题然后展示在锁屏界面上
You could just grab the headers and display that on the lock screen.

771
00:33:25,291 –> 00:33:27,160
然后获取真实的内容
And then take the actual content and push it

772
00:33:27,160 –> 00:33:29,197
并把它放到凭据保护存储里
into credential protected storage.

773
00:33:29,197 –> 00:33:31,280
你可能只是因为缓存才这么做
You’d probably want to do that just for the cache,

774
00:33:31,280 –> 00:33:32,857
而非针对所有的邮件
not for all of your mail.

775
00:33:32,857 –> 00:33:34,440
不过你可以做这类事情
But you could do those kinds of things

776
00:33:34,440 –> 00:33:35,898
既有精致的用户体验
where you have a sophisticated user

777
00:33:35,898 –> 00:33:38,810
又能保持最佳的安全性
experience while maintaining optimal security.

778
00:33:38,810 –> 00:33:42,020
下面我们来谈谈最佳范例
So let’s talk about some of those best practices.

779
00:33:42,020 –> 00:33:44,870
第一个我想说的就是使用默认值
The first thing I want to do is point out, just use the defaults.

780
00:33:44,870 –> 00:33:46,320
绝大部分的应用
The vast majority of applications,

781
00:33:46,320 –> 00:33:47,861
你是不希望在用户登录之前
you’re not expecting your application

782
00:33:47,861 –> 00:33:50,925
做太多事情的
to do much, if anything, prior to the user logging in.

783
00:33:50,925 –> 00:33:53,170
所以用默认值就完全合适
And so it’s perfectly appropriate to use the defaults.

784
00:33:53,170 –> 00:33:55,727
从安全的角度来说这也是比较理想的
And that sort of optimal from a security standpoint.

785
00:33:55,727 –> 00:33:58,310
这也使你的开发更简单
It also makes your life a little bit simpler because you don’t

786
00:33:58,310 –> 00:34:00,880
因为你不用去想 这个数据现在在设备上下文中可用吗
have to think, is this available to me now in the device context?

787
00:34:00,880 –> 00:34:02,480
我能访问凭据吗
Am I able to access credentials?

788
00:34:02,480 –> 00:34:04,050
如果你运行起来 那么数据就在这
It’s there if you’re running.

789
00:34:04,050 –> 00:34:08,750
如果你没有直接启动感知 那就是上述这样
If you aren’t direct boot aware, everything’s there if you’re running.

790
00:34:08,750 –> 00:34:10,333
如果你是直接启动感知的
If you are direct boot aware, then you

791
00:34:10,333 –> 00:34:12,850
那你就要明确在何时
have to be direct boot aware of which things are going

792
00:34:12,850 –> 00:34:15,510
什么数据是可以被访问的
to be available at that time.

793
00:34:15,510 –> 00:34:17,630
另一个最佳实践是 仔细想想
The other best practice is, think very carefully

794
00:34:17,630 –> 00:34:19,300
如果你是直接启动感知的
about if you are direct boot aware,

795
00:34:19,300 –> 00:34:21,674
哪些东西应该放入设备加密
which things do you want to put into the device encrypted

796
00:34:21,674 –> 00:34:23,830
或是设备保护存储中
or device protected storage?

797
00:34:23,830 –> 00:34:27,601
请不要把长期有效的凭据放进那个区域
Please don’t put long live credentials into that area.

798
00:34:27,601 –> 00:34:29,100
你不希望那里放着 auth token
So you don’t want to have auth tokens

799
00:34:29,100 –> 00:34:31,266
可以用来连接到某个服务
that are sitting there that could be used to connect

800
00:34:31,266 –> 00:34:34,370
即使用户还没有
to a service, even though the user hasn’t authorized that

801
00:34:34,370 –> 00:34:36,855
通过输入凭据来授权
by entering their credential.

802
00:34:36,855 –> 00:34:38,730
我们需要考虑的另一件事是
One of the things that we want to think about

803
00:34:38,730 –> 00:34:41,320
你能否限制 token 的范围
is, can you limit the scope of tokens?

804
00:34:41,320 –> 00:34:44,429
如果你有一个类似邮件接收器的东西
So if you have something like a mail receiver, maybe

805
00:34:44,429 –> 00:34:45,864
可能你只是想阅读邮件
you just want to read mail.

806
00:34:45,864 –> 00:34:49,370
但那并不意味着你将要发送邮件
But that doesn’t necessarily mean that you’re going to send it.

807
00:34:49,370 –> 00:34:50,750
如果你不希望用户
If you don’t expect the user ever

808
00:34:50,750 –> 00:34:52,270
在还没有登录设备的时候
to be able to send mail when they haven’t actually

809
00:34:52,270 –> 00:34:54,120
就能发送邮件
logged onto the device, you certainly

810
00:34:54,120 –> 00:34:55,661
你应该也不希望他们 嗯 比如说
don’t expect them to be able to like,

811
00:34:55,661 –> 00:34:58,740
删除他们的账户 删除他们所有的信息
I don’t know, delete their account, delete all of their messages.

812
00:34:58,740 –> 00:35:00,156
这些都是你不希望在用户登录之前
These are not tasks that you would

813
00:35:00,156 –> 00:35:02,650
看到的景象
expect to happen before the user has logged in.

814
00:35:02,650 –> 00:35:04,510
所以你想
And so you would want to limit the scope

815
00:35:04,510 –> 00:35:05,640
通过限制 token 的能力范围
of the ability of the application

816
00:35:05,640 –> 00:35:08,014
来限制应用
to perform those behaviors by limiting the authentication

817
00:35:08,014 –> 00:35:11,310
能力的范围
tokens that it has available inside that scope.

818
00:35:11,310 –> 00:35:12,810
然后另一点 我刚才已经暗示过了
And then the other one that I hinted

819
00:35:12,810 –> 00:35:15,018
如果你收到了一些你认为是敏感的数据
at there, which is, if you receive some data that you

820
00:35:15,018 –> 00:35:18,030
接收它 然后加密
think is sensitive, receive it, put it somewhere that’s encrypted.

821
00:35:18,030 –> 00:35:20,519
你可以在本地加密 用的是
You can either encrypt it locally using

822
00:35:20,519 –> 00:35:22,810
公钥之类的非对称加密
asymmetric cryptography like public key, where you just

823
00:35:22,810 –> 00:35:25,350
把公钥放在
have the public key

824
00:35:25,350 –> 00:35:27,520
设备保护存储里 而私钥
in device protected storage and the private key

825
00:35:27,520 –> 00:35:31,554
放在凭据保护存储里 用来解密
to be able to decrypt it inside of the credential protected storage.

826
00:35:31,554 –> 00:35:33,970
所以你知道那把密钥和读取邮件的能力
So you know that that key and the ability to read the mail

827
00:35:33,970 –> 00:35:37,150
都需要用户输入过密码才行
requires the user to have entered their password.

828
00:35:37,150 –> 00:35:40,830
你可以做很多的事情
There’s a variety of things you can do there as well.

829
00:35:40,830 –> 00:35:43,110
好 我们进度不错
OK, we’re making good progress.

830
00:35:43,110 –> 00:35:44,800
我们还剩大约十分钟
We’ve got about 10 minutes left.

831
00:35:44,800 –> 00:35:47,405
下面我们将要谈一谈 verified boot 和沙盒
We’re going to barrel through verified boot and sandboxing.

832
00:35:47,405 –> 00:35:50,552
在最后会有两到三分钟的
And I think we’ll have two or three minutes to talk questions

833
00:35:50,552 –> 00:35:51,260
问答时间
there at the end.

834
00:35:51,260 –> 00:35:52,730
之后我会在附近待一会
And I’ll hang out for a while.

835
00:35:52,730 –> 00:35:56,200
享受在旧金山没有的阳光
Enjoy the sunshine, which we don’t have up in San Francisco.

836
00:35:59,020 –> 00:36:03,780
verified boot 是在几个版本里逐步引入的
Verified boot was introduced over a couple of releases

837
00:36:03,780 –> 00:36:06,810
然后在 M 版本上 对于硬件
and then became required on M for devices

838
00:36:06,810 –> 00:36:10,070
有能力提供 verified boot 的设备 它成了强制要求
that had hardware capable of providing verified boot, which

839
00:36:10,070 –> 00:36:12,570
基本上就是指那些 AES 内联加密
basically amounts to devices that met a performance

840
00:36:12,570 –> 00:36:16,680
性能达到每秒约 50 兆比特的设备
threshold of about 50 megabits per second AES inline encryption.

841
00:36:16,680 –> 00:36:18,680
顺便说 这包括了绝大多数的设备
That’s the vast majority of devices, by the way.

842
00:36:22,020 –> 00:36:26,690
在 N 中我们把所谓的强制模式
In N we moved from what we called enforcing mode

843
00:36:26,690 –> 00:36:29,010
转换成了严格强制模式
to strictly enforcing mode.

844
00:36:29,010 –> 00:36:32,200
在 M 中警告用户然后继续启动
With M it was acceptable for a device to warn the user

845
00:36:32,200 –> 00:36:35,017
是可以接受的
and then proceed to boot, as a mechanism

846
00:36:35,017 –> 00:36:37,100
这也是我们验证实际
for us to begin to validate how frequently were we

847
00:36:37,100 –> 00:36:38,100
出错率的一种机制
seeing errors in the field?

848
00:36:38,100 –> 00:36:39,520
我们看到了什么问题
What kinds of problems were we seeing?

849
00:36:39,520 –> 00:36:41,850
并确保这里将要出问题
And making sure that there was going to be disruption.

850
00:36:41,850 –> 00:36:44,010
我认为一个很有意思的特点是
One of, I think, the more intriguing features

851
00:36:44,010 –> 00:36:47,520
错误更正
that was introduced in verified boot was error correction.

852
00:36:47,520 –> 00:36:50,590
它是在 N 中被介绍的 它可以帮我们探测出
It was introduced with Android N. This gives us the ability

853
00:36:50,590 –> 00:36:54,760
位级错误 实际上是大量的位级错误
to detect bit level errors, and actually lots of bit level errors.

854
00:36:54,760 –> 00:36:57,760
实际上它们在内核层
And they actually get corrected at the time those blocks are

855
00:36:57,760 –> 00:37:00,290
被读取的时候就被纠正了
being read at the kernel level.

856
00:37:00,290 –> 00:37:03,430
所以 当你正用低端硬件处理问题时
And so, when you’re dealing with very low-end hardware,

857
00:37:03,430 –> 00:37:06,710
位级错误就是我们会遇到的问题了
bit level errors were a problem that we might run into.

858
00:37:06,710 –> 00:37:09,000
我们在测试中还至少见过一个例子
We’ve also seen at least one instance

859
00:37:09,000 –> 00:37:12,740
有人做了一些改动
of testing where there were actually changes made

860
00:37:12,740 –> 00:37:15,740
是在设备被 root 之后
that were– after a device had been rooted,

861
00:37:15,740 –> 00:37:17,349
为了让它保持 root 状态
there were changes made to allow it

862
00:37:17,349 –> 00:37:20,170
加了 SU 和另外几个东西
to continue to be rooted by adding SU and a couple of other things.

863
00:37:20,170 –> 00:37:22,790
错误更正消除了这些改变
An error correction actually erased those changes.

864
00:37:22,790 –> 00:37:25,217
所以它们仍在那 但是你不能执行他们
So they were still there, but you couldn’t actually

865
00:37:25,217 –> 00:37:26,800
这很令人震惊吧
get them to execute, which is amazing.

866
00:37:26,800 –> 00:37:30,320
这是一次意外 但也足够让人兴奋
Totally an accident, but pretty exciting.

867
00:37:30,320 –> 00:37:33,470
我们开始留意到底有多少种检查
We’re beginning to see how those kinds of checks

868
00:37:33,470 –> 00:37:36,248
可以提高安全性 并且是在我们意料之外的
could actually improve security in more than the expected ways.

869
00:37:39,530 –> 00:37:42,720
verified boot 可以让开发者的你
Verified boot is part of making it easier for you

870
00:37:42,720 –> 00:37:44,480
更容易了解到你所运行的环境
as a developer to understand that you’re

871
00:37:44,480 –> 00:37:47,600
是一个非常安全的环境
running in an environment that is a strong secure environment.

872
00:37:47,600 –> 00:37:49,690
另一件
And so there’s one other thing that we

873
00:37:49,690 –> 00:37:52,320
我们要讨论的是 SafetyNet API
want to talk about in this context, which is the SafetyNet

874
00:37:52,320 –> 00:37:54,770
和补丁程序级别字符串
API and patch level strings, which

875
00:37:54,770 –> 00:37:56,802
都是为了让开发者
are both mechanisms designed to make it easier

876
00:37:56,802 –> 00:37:58,260
更容易的弄明白
for you as an application developer

877
00:37:58,260 –> 00:38:01,310
我正在运行的这台设备
to understand what is the security context of this device

878
00:38:01,310 –> 00:38:02,619
处于什么样的安全上下文
that I’m running on?

879
00:38:02,619 –> 00:38:04,160
那么 SafetyNet API 我一会儿
So the SafetyNet API– I’ll give you

880
00:38:04,160 –> 00:38:07,090
给你们看一段示例代码 它基本上
an example code in just a second– basically looks

881
00:38:07,090 –> 00:38:10,020
会查看设备的特征 而且这一直支持到
at the device characteristics– and this goes back all the way

882
00:38:10,020 –> 00:38:15,070
Jelly Bean 来判断这是不是一台真实的设备
to Jelly Bean– and tries to understand whether this is a real device.

883
00:38:15,070 –> 00:38:17,990
它基于大量的硬件属性
It looks at a bunch of hardware characteristics,

884
00:38:17,990 –> 00:38:20,190
包括 GPU 是怎么工作的
including like how does the GPU work?

885
00:38:20,190 –> 00:38:21,910
而不是看 GPU 的序列号是什么
Not what is the GPU’s serial number?

886
00:38:21,910 –> 00:38:24,837
不是看那些 而是在 GPU 上执行操作
Not what is– but performs operations on the GPU

887
00:38:24,837 –> 00:38:26,670
来确保它的执行方式
to make sure that it’s executing in a manner

888
00:38:26,670 –> 00:38:28,830
符合我们预期的
that we would expect to be consistent with a piece

889
00:38:28,830 –> 00:38:30,914
与其上运行的操作系统所声称的规格相匹配的
of hardware that matches this specification that’s

890
00:38:30,914 –> 00:38:33,760
那种硬件的行为
being provided by the operating system that’s running on top of it.

891
00:38:33,760 –> 00:38:35,740
所以我们收集了很多数据
So we aggregate a whole bunch of that,

892
00:38:35,740 –> 00:38:37,850
分析它们 然后反馈给你 yes
analyze that, and make a statement back to you

893
00:38:37,850 –> 00:38:40,225
这看起来像是一个
that yes, this looks like a real piece of hardware that’s

894
00:38:40,225 –> 00:38:43,190
运行某版本 Android 的兼容设备
running a version of Android that is a CTS compatible,

895
00:38:43,190 –> 00:38:45,894
由 OEM 检测 然后提交到 Google
tested by OEM, and then submitted to Google

896
00:38:45,894 –> 00:38:48,310
这样我们就能确定这是一个真实的硬件
so that we can confirm that it’s a real piece of hardware.

897
00:38:48,310 –> 00:38:50,102
因此 SafetyNet API 的
So that’s one of the goals of SafetyNet API

898
00:38:50,102 –> 00:38:52,900
一个目标就是让你对这个功能充满信心
is to make it possible for you to have that kind of confidence.

899
00:38:52,900 –> 00:38:54,608
另一个我们要介绍的是
And then another thing that we introduced

900
00:38:54,608 –> 00:38:56,980
Android 补丁程序级别字符串
was called the Android patch level string.

901
00:38:56,980 –> 00:39:00,500
补丁程序级别字符串非常非常的简单
The patch level string is really, really simple.

902
00:39:00,500 –> 00:39:02,900
你可以检测它 这样你就可以看到
You can check it, and you can see

903
00:39:02,900 –> 00:39:06,480
上次设备安全更新的时间
when is the last time this device got a security update?

904
00:39:06,480 –> 00:39:11,010
如果历史可以借鉴
If history is any guide, we’ve released now

905
00:39:11,010 –> 00:39:14,590
我们发布月度安全更新的次数已经有10次了
10 monthly security updates.

906
00:39:14,590 –> 00:39:16,590
如果这个字符串已经过期一个月了
If that string is more than a month out of date,

907
00:39:16,590 –> 00:39:19,160
那说明这个设备已经有安全问题了
there are publicly known security issues that affect that device.

908
00:39:19,160 –> 00:39:20,930
所以我们和设备制造商共同努力
So we’re working with OEMs and carriers

909
00:39:20,930 –> 00:39:23,430
确保他们能非常非常快地推送更新
to make sure that they’re able to deliver updates very, very quickly.

910
00:39:23,430 –> 00:39:25,510
但是作为应用开发者的你
But you as an application developer

911
00:39:25,510 –> 00:39:28,580
可能想评估
might want to look at that and evaluate

912
00:39:28,580 –> 00:39:30,800
你对具体设备的信任程度
how much trust you have in that particular device.

913
00:39:30,800 –> 00:39:32,400
尤其在企业的环境中
Especially in an enterprise context,

914
00:39:32,400 –> 00:39:34,734
我们看到越来越多的企业有类似这样的政策
we’re seeing more and more enterprises set policies that

915
00:39:34,734 –> 00:39:36,650
如果这个设备过期超过60天了
say things like, if this device is out of date

916
00:39:36,650 –> 00:39:39,780
那就不适合我的企业环境了
more than 60 days, it’s not appropriate for my enterprise environment.

917
00:39:39,780 –> 00:39:42,113
而且我们想把这件事变得非常简单
And we wanted to make that a really simple thing for you

918
00:39:42,113 –> 00:39:44,850
你不用维护一张热修复和补丁包的表
to do, so you don’t have a table of hot fixes and service

919
00:39:44,850 –> 00:39:47,530
来判断一台设备是否安全
packs to figure out whether a device is secure.

920
00:39:47,530 –> 00:39:50,790
如果它是 KitKat 或更高的版本 而且安全补丁级别
If it’s on KitKat or above, and it has a recent security patch

921
00:39:50,790 –> 00:39:52,570
是最近的 你就知道它是最新的
level, you know it’s up to date.

922
00:39:52,570 –> 00:39:53,600
这是非常简便的
It’s pretty simple.

923
00:39:53,600 –> 00:39:57,684
用正则表达式就能帮我做出这个判断
Regular expressions help me to make that determination.

924
00:39:57,684 –> 00:40:00,620
让我们再用几秒钟谈论一下 SafetyNet
But let’s talk about SafetyNet for just a second.

925
00:40:00,620 –> 00:40:03,030
这不是一个由平台级别提供的 API
This is an API that’s not provided at the platform level.

926
00:40:03,030 –> 00:40:06,690
它是由 Google Play 服务提供的
It’s provided by Google Play Services.

927
00:40:06,690 –> 00:40:08,460
相对来说比较直观
Relatively straightforward.

928
00:40:08,460 –> 00:40:09,590
你创建一个回调
You create a callback.

929
00:40:09,590 –> 00:40:10,440
你调用它
You invoke that.

930
00:40:10,440 –> 00:40:12,590
然后你拿到结果
And you get back the result. This is a result

931
00:40:12,590 –> 00:40:13,732
这就是要被签名的结果
that’s going to be signed.

932
00:40:13,732 –> 00:40:15,940
你得去看一下 SafetyNet 的文档
You want to go to look at the SafetyNet documentation

933
00:40:15,940 –> 00:40:18,270
确认它是用哪把密钥签名的
to see what the key is that it’s been signed with.

934
00:40:18,270 –> 00:40:20,990
我们鼓励你对它做离线验证
We encourage you to do offline verification of this.

935
00:40:20,990 –> 00:40:23,210
然后你就在你的应用中接收到它了
So you receive it in the context of your application,

936
00:40:23,210 –> 00:40:25,090
之后你把它上传到服务器
but then you send it up to your server.

937
00:40:25,090 –> 00:40:26,690
然后服务器作出判断
And your server makes a determination

938
00:40:26,690 –> 00:40:29,640
判别这是否是从 Google 发来的
about whether this is a legitimate, signed statement

939
00:40:29,640 –> 00:40:30,896
合法的带签名陈述
that came back from Google.

940
00:40:30,896 –> 00:40:34,140
在带签名陈述中你要寻找什么呢
What are the things that you’re looking for in that signed statement?

941
00:40:34,140 –> 00:40:36,450
第一个是 里面有一个 nonce
The first is that there’s a nonce that

942
00:40:36,450 –> 00:40:39,480
它创建于服务器 下发到客户端
was created on your server, sent down to your client,

943
00:40:39,480 –> 00:40:40,780
再返回到服务器
comes back to your server.

944
00:40:40,780 –> 00:40:43,650
这和你递交的一样
And it’s the same as the nonce that you submitted.

945
00:40:43,650 –> 00:40:45,880
所以你想确保它确实经历了相同的过程
So you want to make sure that it actually went

946
00:40:45,880 –> 00:40:48,840
并且被 Google 签名了
through that same process and was signed by Google.

947
00:40:48,840 –> 00:40:51,580
然后它会告诉你 这个设备是否匹配 CTS
And then it tells you is this something that matches CTS?

948
00:40:51,580 –> 00:40:53,965
那么 是否匹配 CTS 呢
So, CTS profile match true or false?

949
00:40:53,965 –> 00:40:55,340
这将告诉你
That will give you a sense for is

950
00:40:55,340 –> 00:40:58,460
这是一个真实的硬件设备
this a device, a real hardware device, that

951
00:40:58,460 –> 00:41:01,390
已经经历了完整的 CTS 确认过程
has gone through the full CTS validation process

952
00:41:01,390 –> 00:41:03,220
并且正在以最初提交的
and is continuing to operate in the manner

953
00:41:03,220 –> 00:41:04,725
方式继续运行
that it was originally submitted.

954
00:41:04,725 –> 00:41:06,350
还提供了一堆其他的上下文信息
There’s a bunch of other context that’s

955
00:41:06,350 –> 00:41:09,710
你可以从中辨别这是不是你想要的
provided so you can validate that these are what you’re expecting.

956
00:41:09,710 –> 00:41:12,480
是不是你的应用给服务器提交的数据
Was it your app that sent up to the server?

957
00:41:12,480 –> 00:41:14,770
类似这样
Things like that.

958
00:41:14,770 –> 00:41:18,480
我最后想说的是沙盒
The last thing that I want to talk about is sandboxing.

959
00:41:18,480 –> 00:41:21,700
沙盒是我们在 Android 中持续投入的一个领域
Sandboxing is an area that we’ve been investing in in Android.

960
00:41:21,700 –> 00:41:23,742
每一次的发布都带来新的功能
With every release we introduce new capabilities.

961
00:41:23,742 –> 00:41:25,116
有一些事情
These are some of the things that

962
00:41:25,116 –> 00:41:27,240
在 Android M 和 N 中变化非常的大
have changed pretty significantly in Android M

963
00:41:27,240 –> 00:41:30,445
对 SELinux 有相当大的改进
and N. Significant improvements to SELinux, especially

964
00:41:30,445 –> 00:41:32,070
尤其是与驱动程序的交互
in the way that interacts with drivers.

965
00:41:32,070 –> 00:41:34,377
我们现在非常关心内核安全
We’re very concerned about kernel security right now.

966
00:41:34,377 –> 00:41:37,520
所以我们改变了使用 SELinux 的 ioctl 过滤方式
So we’ve made changes to the way ioctl’s are filtered with SELinux.

967
00:41:37,520 –> 00:41:43,160
还有 Seccomp 它同样可以
Seccomp, which also allows for filtering of interactions

968
00:41:43,160 –> 00:41:43,907
过滤与内核的交互
with the kernel.

969
00:41:43,907 –> 00:41:46,240
我将再多花一点时间谈论 Seccomp
Seccomp I’m going to talk about more in just a moment.

970
00:41:46,240 –> 00:41:48,020
因为作为应用开发者的你
Because you, as an application developer,

971
00:41:48,020 –> 00:41:49,706
可以自己使用它
can actually use it yourself.

972
00:41:49,706 –> 00:41:51,580
这和 SELinux 有一点不同
Which is a little bit different from SELinux,

973
00:41:51,580 –> 00:41:54,410
SELinux 的配置我们已经直接帮你做好了
where we’ve done all the configuration for you directly.

974
00:41:54,410 –> 00:41:58,090
我们在 Android N 中用了两种工具使媒体服务器强化了很多
We’ve used those two tools to do a lot of mediaserver hardening

975
00:41:58,090 –> 00:42:01,780
而且我们同样也做了许多别的改变
in Android N. And then we’ve made a number of other changes

976
00:42:01,780 –> 00:42:06,430
为的是增强沙盒的健壮性
that we think increase the strength of the sandboxing.

977
00:42:06,430 –> 00:42:07,920
我们刚刚发了一篇博客
We just put out a blog post.

978
00:42:07,920 –> 00:42:08,860
我知道它字很小
I know this is tiny.

979
00:42:08,860 –> 00:42:11,920
我也不认为你能阅读它
I don’t actually think you can read it.

980
00:42:11,920 –> 00:42:13,050
好吧 确实可以看到内容
It is actually readable.

981
00:42:13,050 –> 00:42:14,500
我不确定在投影仪上
All right, I wasn’t sure if it was even

982
00:42:14,500 –> 00:42:17,314
它能否显示清楚
going to have enough pixels on the projector to be able to read it.

983
00:42:17,314 –> 00:42:18,730
我们刚发的那篇博客
The blog post that we just put out

984
00:42:18,730 –> 00:42:21,680
描述了我们怎样利用这些能力
that describes how it is that we use some of these capabilities

985
00:42:21,680 –> 00:42:26,070
来加固 并真正拆分
to strengthen and really break down

986
00:42:26,070 –> 00:42:28,050
mediaserver 内部的各项能力
the capabilities inside of mediaserver

987
00:42:28,050 –> 00:42:30,970
然后用 Seccomp 和 SELinux 把它们隔离起来
and isolate them using Seccomp and SELinux.

988
00:42:30,970 –> 00:42:34,310
所以如果一个区域出了问题 譬如说编码解码器
So that a compromise in one area, e.g. in the codec,

989
00:42:34,310 –> 00:42:36,420
在媒体服务器的环境中
doesn’t lead to a compromise in other areas

990
00:42:36,420 –> 00:42:37,700
不会导致在其他区域出问题
in the context of mediaserver.

991
00:42:37,700 –> 00:42:39,950
在你的应用中可以做同样的事情
But you can do the same thing inside your application.

992
00:42:39,950 –> 00:42:44,000
如果你有一个很复杂的金融业务
If you have a complex financial transaction that’s

993
00:42:44,000 –> 00:42:46,030
并且其中还有图像处理
based on image processing, you might

994
00:42:46,030 –> 00:42:48,152
你可能想把这两件事情分开
want to separate those two things apart.

995
00:42:48,152 –> 00:42:49,610
我不知道你为什么要这么做
I don’t know why you would do that.

996
00:42:49,610 –> 00:42:51,540
不过同时 这也有很多
But, at the same time, there are lots

997
00:42:51,540 –> 00:42:53,484
给信用卡拍照的应用
of apps that take pictures of credit cards

998
00:42:53,484 –> 00:42:55,150
之后试着处理信息
and then try to process that information

999
00:42:55,150 –> 00:42:56,830
然后支付
and then use that as a payment.

1000
00:42:56,830 –> 00:43:01,650
这是一个应用要做的事情
So it’s actually a thing that applications do do.

1001
00:43:01,650 –> 00:43:06,250
我们也大量用它来加固 Chrome
We’ve also been using this pretty extensively to harden Chrome.

1002
00:43:06,250 –> 00:43:09,510
因为这里储存了你最敏感的凭据
Because that is something that stores your most sensitive

1003
00:43:09,510 –> 00:43:12,500
而且处理了很多
credentials and does a lot of processing of data

1004
00:43:12,500 –> 00:43:14,090
从互联网来的数据
that comes from the Internet.

1005
00:43:14,090 –> 00:43:16,040
讽刺的是 在浏览器里这两件事
It’s ironic how close those two things

1006
00:43:16,040 –> 00:43:17,546
离得有多近
are in the context of a web browser.

1007
00:43:17,546 –> 00:43:19,920
所以这类能力在平台层面存在
So it’s really important that these kinds of capabilities

1008
00:43:19,920 –> 00:43:21,690
非常重要 这样
exist at the platform level to make

1009
00:43:21,690 –> 00:43:25,780
应用就能很容易地加固自身
it easy for that application to harden itself.

1010
00:43:25,780 –> 00:43:30,000
这是用 Seccomp 的一个范例
Here’s a sample of what it looks like to use Seccomp.

1011
00:43:30,000 –> 00:43:32,500
我们在 mediaserver 的环境中实际创建了一个库
We actually created a library in the context of mediaserver.

1012
00:43:32,500 –> 00:43:33,958
所以如果你到 AOSP 里去翻一翻
So if you would dig around in AOSP,

1013
00:43:33,958 –> 00:43:37,800
你会找到一个叫 Minijail 的东西
you’ll be able to find something that’s called Minijail.

1014
00:43:37,800 –> 00:43:42,080
它描述了我们如何设置特定的过滤器
And it describes how we set specific filters

1015
00:43:42,080 –> 00:43:46,030
来限制
to limit the set of capabilities that each

1016
00:43:46,030 –> 00:43:48,170
Seccomp 里 也就是 mediaserver 内部各个不同组件
of the different elements inside of Seccomp

1017
00:43:48,170 –> 00:43:52,645
从硬件角度能访问的能力集合
or inside of mediaserver have access to from hardware standpoint.

1018
00:43:52,645 –> 00:43:54,520
我们还做了很多别的事情
There are a bunch of other changes that we’ve

1019
00:43:54,520 –> 00:43:57,800
比如说让设备更难被破解
made as well, that make it more difficult for a device

1020
00:43:57,800 –> 00:43:59,400
以及其他我们谈论
to be compromised, things that we

1021
00:43:59,400 –> 00:44:02,859
关于沙盒强化时的一些想法
think about when we’re talking about hardening of sandbox.

1022
00:44:02,859 –> 00:44:04,650
它们也可能会对你的应用产生影响
They may have effects on your applications.

1023
00:44:04,650 –> 00:44:07,890
我也鼓励你看看那些
So I would encourage you to take a look at those

1024
00:44:07,890 –> 00:44:10,300
将要到来的改变
and be conscious that these changes are coming.

1025
00:44:10,300 –> 00:44:14,130
在这里也同样发生很多改变
So there are a couple of these changes here.

1026
00:44:14,130 –> 00:44:16,120
还有另外两个 API 我们也一直
There are two other APIs that we’ve also

1027
00:44:16,120 –> 00:44:20,780
在积极考虑限制它们的能力
been very actively looking at to restrain the capabilities.

1028
00:44:20,780 –> 00:44:23,970
因为它们基本上都和滥用有关
Because they’ve been associated with abuse, basically.

1029
00:44:23,970 –> 00:44:27,150
我们给了设备管理员很多权力
We gave a lot of power to device administrators.

1030
00:44:27,150 –> 00:44:29,224
比如说用户正在和
And it happens that that same power

1031
00:44:29,224 –> 00:44:31,140
他们的设备交互
to manage the way that the user is interacting

1032
00:44:31,140 –> 00:44:33,362
用勒索软件
with their device can be used to harm them

1033
00:44:33,362 –> 00:44:34,570
损害用户的利益
in the context of ransomware.

1034
00:44:34,570 –> 00:44:36,697
你改变了用户的密码然后说
You change the user’s password and then you say,

1035
00:44:36,697 –> 00:44:38,780
除非你付我钱否则我是不会让你登录回设备的
I’m not going to let you log back into your device

1036
00:44:38,780 –> 00:44:41,590
这是勒索软件的
until you pay me, is sort of the most fundamental way

1037
00:44:41,590 –> 00:44:42,922
常用做法
that ransomware can work.

1038
00:44:42,922 –> 00:44:45,796
所以我们做出了一些改变
And so we’re making changes to make it more difficult for applications

1039
00:44:45,796 –> 00:44:48,330
让这种应用不那么容易的能够访问这些API
to access those APIs.

1040
00:44:48,330 –> 00:44:49,850
同时我们也限制了
And then we’ve also limited the way

1041
00:44:49,850 –> 00:44:51,750
应用通过系统警告窗口
that applications can overlay content

1042
00:44:51,750 –> 00:44:55,230
覆盖在另一个应用上的方式
onto another application through system alert windows.

1043
00:44:55,230 –> 00:44:58,164
这也是我们强化了的地方
So that’s an area that we’ve been hardening as well.

1044
00:44:58,164 –> 00:45:00,580
抱歉两分钟的提问时间已经没有了
I lied when I said I would have two minutes for questions.

1045
00:45:00,580 –> 00:45:03,080
时钟告诉我还有五秒钟
The clock now says five seconds.

1046
00:45:03,080 –> 00:45:06,130
不过我们试着覆盖了所有的要点
But we managed to cover all of these key elements.

1047
00:45:06,130 –> 00:45:08,440
我不想在这多讲其他的了
I did want to leave you with a couple of pointers

1048
00:45:08,440 –> 00:45:10,690
以免你们陷入
to some additional information that you

1049
00:45:10,690 –> 00:45:14,250
过多的细节中
can look at to try to get into some more of the details here.

1050
00:45:14,250 –> 00:45:17,947
我将出去逛逛并乐于解答
And I will hang out outside and happy to answer any questions

1051
00:45:17,947 –> 00:45:18,780
你提出的所有问题
that you might have.

1052
00:45:18,780 –> 00:45:19,613
非常感谢
Thank you very much.

1053
00:45:19,613 –> 00:45:20,990
享受今天吧
Enjoy the rest of your day.

1054
00:45:20,990 –> 00:45:28,180
[MUSIC PLAYING]