In-depth analysis of the Android supply chain: Vendor customizations on critical networking components
Author(s)
Bandara, Vinuri
Date
2023-07-13
Abstract
The openness and extensibility of the Android Open Source Project (AOSP) enable
Android device vendors (also known as Original Equipment Manufacturers) to introduce
customizations in their products for market differentiation and to add new
capabilities. However, these customizations can have significant and severe
implications for users' security and privacy.
The security and privacy risks caused by the lack of control over the Android supply
chain have caught the attention of cybersecurity researchers. Previous studies have
focused on analyzing the security issues related to pre-installed applications and
modifications made to the Android root store or network configurations. However,
a significant research gap exists due to the lack of investigation into how vendor
customizations on Android’s network stack can hinder the establishment of secure
network communications.
To assess the threats to secure communication introduced by vendors, I study the
customizations on the TLS/SSL protocol stack. I employ advanced static analysis
techniques, specifically diffing on Android firmware data gathered through
crowdsourcing campaigns. By applying my static analysis pipeline over a dataset of
48,520 devices from more than 300 vendors, I detect and analyze vendors' deviations
from the official Android Open Source Project (AOSP), maintained by Google. By
analyzing the identified customizations, I uncover critical security vulnerabilities
that can compromise users' and applications' security. These range from poor vendor
practices, such as using older Android platform releases, delayed critical security
patches, outdated cryptographic implementations, and insecure distributions of
cryptographic providers like vulnerable versions of OpenSSL, to the absence of
advanced security functions such as certificate validation, hostname verification,
and prioritized ciphersuites due to vendors' removal of standard public methods
offering these capabilities.
Notably, these shortcomings are persistent both within Android-certified vendors as
well as non-certified ones. This suggests a total lack of control over the supply
chain and their compliance with best practices that directly impact app developers'
attempts to secure their applications using the native protocol stack. The
preliminary findings reported in this dissertation highlight the need for stricter
controls over the Android supply chain. In fact, I believe that regulators and
certification authorities can promote new initiatives to strengthen device security
guarantees and control the practices of the different actors in the Android supply
chain.