In-depth analysis of the Android supply chain : Vendor customizations on critical networking components

Files
VinuriBandara_MasterThesis.pdf (3.776Mb)
Identifiers
URI: https://hdl.handle.net/20.500.12761/1730
Metadata
Author(s)
Bandara, Vinuri
Supervisor(s)/Director(s)
Vallina-Rodriguez, Narseo; Matic, Srdjan
Date
2023-07-13
Abstract
The openness and extensibility of the Android Open Source Project (AOSP) enable Android device vendors (also known as Original Equipment Manufacturers) to introduce customizations in their products for market differentiation and for adding new capabilities. However, these customizations can have significant and severe implications for users' security and privacy. The security and privacy risks caused by the lack of control over the Android supply chain have caught the attention of cybersecurity researchers. Previous studies have focused on analyzing the security issues related to pre-installed applications and to modifications made to the Android root store or network configurations. However, a significant research gap exists because nobody has investigated how vendor customizations of Android's network stack can hinder the establishment of secure network communications. To assess the threats to secure communication introduced by vendors, I study the customizations of the TLS/SSL protocol stack. I employ advanced static analysis techniques, specifically diffing, on Android firmware data gathered through crowdsourcing campaigns. By applying my static analysis pipeline over a dataset of 48,520 devices from more than 300 vendors, I detect and analyze vendors' deviations from the official Android Open Source Project (AOSP), maintained by Google. By analyzing the identified customizations, I uncover critical security vulnerabilities that can compromise the security of users and applications. These range from poor vendor practices, such as using older Android platform releases, delaying critical security patches, shipping outdated cryptographic implementations, and distributing insecure cryptographic providers such as vulnerable versions of OpenSSL, to the absence of advanced security functions such as certificate validation, hostname verification, and prioritized ciphersuites, caused by vendors' removal of the standard public methods that offer these capabilities.
Notably, these shortcomings are present among both Android-certified vendors and non-certified ones. This suggests a total lack of control over the supply chain and over its compliance with best practices, which directly affects app developers' attempts to secure their applications using the native protocol stack. The preliminary findings reported in this dissertation highlight the need for stricter controls over the Android supply chain. In fact, I believe that regulators and certification authorities can promote new initiatives to strengthen device security guarantees and to control the practices of the different actors in the Android supply chain.