In-depth analysis of the Android supply chain : Vendor customizations on critical networking components

Files
VinuriBandara_MasterThesis.pdf (3.776Mb)
Identifiers
URI: https://hdl.handle.net/20.500.12761/1730
Metadata
Author(s)
Bandara, Vinuri
Supervisor(s)/Director(s)
Vallina-Rodriguez, Narseo; Matic, Srdjan
Date
2023-07-13
Abstract
The openness and extensibility of the Android Open Source Project (AOSP) enable Android device vendors (also known as Original Equipment Manufacturers) to introduce customizations in their products for market differentiation and adding new capabilities. However, these customizations can have significant and severe implications for users' security and privacy. The security and privacy risks caused by the lack of control over the Android supply chain have caught the attention of cybersecurity researchers. Previous studies have focused on analyzing the security issues related to pre-installed applications and modifications made to the Android root store or network configurations. However, a significant research gap exists due to the lack of investigation into how vendor customizations on Android's network stack can hinder the establishment of secure network communications. To assess the threats to secure communication introduced by vendors, I study the customizations on the TLS/SSL protocol stack. I employ advanced static analysis techniques, specifically diffing on Android firmware data gathered through crowdsourcing campaigns. By applying my static analysis pipeline over a dataset of 48,520 devices from more than 300 vendors, I detect and analyze vendors' deviations from the official Android Open Source Project (AOSP), maintained by Google. By analyzing the identified customizations, I uncover critical security vulnerabilities that can compromise users' and applications' security. These range from poor vendor practices such as using older Android platform releases, delayed critical security patches, outdated cryptographic implementations, and insecure distributions of cryptographic providers like vulnerable versions of OpenSSL, to the absence of advanced security functions such as certificate validation, hostname verification, and prioritized ciphersuites due to vendors' removal of standard public methods offering these capabilities.
Notably, these shortcomings are present both within Android-certified vendors as well as non-certified ones. This suggests a total lack of control over the supply chain and their compliance with best practices, which directly impacts app developers' attempts to secure their applications using the native protocol stack. The preliminary findings reported in this dissertation highlight the need for stricter controls over the Android supply chain. In fact, I believe that regulators and certification authorities can promote new initiatives to strengthen device security guarantees and control the practices of the different actors in the Android supply chain.