From Source to Fragmentation: Unveiling Supply Chain Dynamics and OEM Customizations in Android TLS Stack

28 Nov 2024

Vinuri Bandara, PhD Student at IMDEA Networks Institute, Madrid, Spain

In-house Presentation

The Android ecosystem’s open-source nature allows Original Equipment Manufacturers (OEMs) to tailor the platform to their specific needs, resulting in a fragmented landscape of device implementations. While Google enforces compliance through the Compatibility Definition Document (CDD) and the Compatibility Test Suite (CTS), the effectiveness of these measures in ensuring OEM adherence to AOSP standards remains uncertain.

In this presentation, I will focus on our findings from the first large-scale analysis of OEM customizations in the Android TLS protocol stack, examining deviations across thousands of models from hundreds of manufacturers. Approximately 80% of the analyzed devices reveal modifications to TLS functions such as endpoint and certificate verification, with profound implications for app developers and user security. By exploring these deviations’ root causes—including supply chain dynamics, patching strategies, and legacy system requirements—I will highlight the security challenges they pose. Lastly, I will discuss the need for improved compliance frameworks and supply chain oversight to mitigate the risks of fragmentation and safeguard Android’s security ecosystem.

About Vinuri Bandara

Vinuri Bandara is a PhD student from the Internet Analytics group, supervised by Dr. Narseo Vallina Rodriguez. Her research interests include network security in Android and iOS, privacy policy and regulation compliance in Android devices and security concerns within the Android supply chain.

This event will be conducted in English

  • Location: MR-A1 [Ramón] & MR-A2 [Cajal], IMDEA Networks Institute, Avda. del Mar Mediterráneo 22, 28918 Leganés – Madrid
  • Organization: IMDEA Networks Institute; NETCOM Research Group (Telematics Engineering Department, UC3M)
  • Time: 13:00