Security overview

The information below applies to Chrome for Android only.

A central design point of the Android security architecture is that no application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. This includes reading or writing the user's private data (such as contacts or e-mails), reading or writing another application's files, performing network access, keeping the device awake, etc.

Because Android sandboxes applications from each other, applications must explicitly share resources and data. They do this by declaring the permissions they need for additional capabilities not provided by the basic sandbox. Applications statically declare the permissions they require, and the Android system prompts the user for consent at the time the application is installed. Android has no mechanism for granting permissions dynamically (at run-time) because it complicates the user experience to the detriment of security.

Chrome for Android complements this security framework with a solid multi-process architecture that is designed from the ground up to improve robustness, responsiveness and security. As more and more content on the Internet moves to be active web content, it is necessary to deliver a browser that inherently keeps these separate from each other, in most situations. The multi-process architecture in Chrome for Android, in conjunction with UID isolation across processes, establishes clear boundaries between web page content.

Chrome for Android is in early stages of its evolution to gain an understanding of the key areas and features that will be important on the new platform. Safe Browsing is not supported currently and is being evaluated for upcoming revisions.

Another aspect of browsing with control is to ensure the user is aware of the site they are visiting and what is being expected of them. On mobile devices many sites are prone to redirect navigations to mobile-friendly pages. Making the current site evident in the Omnibox with the relevant connection details through the security indicator ensures that the user can easily understand if a fully secured connection is established. This also allows malicious websites to be flagged when masquerading as reputable sites.

Please follow along the Chromium blog for updates.