For understanding how strong data should be secured on an Android device I want to understand which attacks are possible. I started to write down my knowledge and hope that I get corrections, where I'm wrong or where I'm missing something. I first assume that Google don't be evil, so will ignores attacks from google themselves.

Each application is signed and runs under his own user-id, so an app can only reads data which belongs to him, except the app creates a public storage. Furthermore app which are sign with the same key can share data. If an application want to get special rights like reading or writing to calendar or contacts the user must accept it.

So by default it's a secure design. Unfortunately every system can have security issues, so that the system become corrupted. On Desktop-Systems regular updates are common practice. On the android it depends on the vendor and is except the Nexus mostly bad. So it could be that there are security holes open for a long period.

So how could an android phone be attacked?

1. Google can delete and install apps silently (Link). If someone hacks this mechanism, an attacker can install arbitrary apps on a device. Unsure if this app has automatically all rights it wants to have. This doesn't happens till now, but it's possible. You can only protect your phone by checking regularly all installed apps and there rights. This mechanism can be misused by a hacker.

2. Malicious applications can do a lot evil things, but if you don't give every app the rights the apps wanted and think a little bit, you can protect your phone.

3. Some security holes in the browser or the system allows an app to get root-access. In this case the app can do everything it wanted. I don't know any protection against this. As far as I know android has such security holes, so this is the most dangerous issue.

So in summary the only secure protection of data seems to be encryption. Depending on how secure your data must be with a default key or an individual key (in other words a password).

Some time ago I've found these PDF's, maybe they can help: slides, paper (more than 2 years old).

edit:

• a new link for the slides
• a new link for the paper

Google can delete and install apps silently. If someone hacks this mechanism, an attacker can install arbitrary apps on a device. Unsure if this app has automatically all rights it wants to have. This doesn't happens till now, but it's possible. You can only protect your phone by checking regularly all installed apps and there rights.

Delete may be silent, but the only push-install mechanism I know about is to use the firmware update mechanism, and that is not silent - the phone reboots twice.

Malicious applications can do a lot evil things, but if you don't give every app the rights the apps wanted and think a little bit, you can protect your phone.

Unfortunately, you cannot decline to grant permissions, you can only decline to install an app that requests more than you want to grant. And some permissions are quite broad, so an app may legitimately need a tiny part of some permission, but get the whole thing.

Some security holes in the browser or the system allows an app to get root-access. In this case the app can do everything it wanted. I don't know any protection against this. As far as I know android has such security holes, so this is the most dangerous issue.

On the other hand, these security holes are unfortunately what the owners of most devices must rely on in if they wish to to be able to install custom firmware, since most consumer phones were not designed to permit this. Knowledge about android security exploits is not much behind that of conventional linux distributions (most of the root exploit are inherited linux kernel exploits, not android exploits, since android has few components with root authority).