The openness and extensibility of the Android Open Source Project (AOSP) enable Android device vendors, also known as Original Equipment Manufacturers (OEMs), to introduce customizations in their products to differentiate themselves in the market and add new capabilities. However, these customizations can pose significant security and privacy risks to users.
To assess the threats to secure communication introduced by vendors, I have studied the customizations made to the TLS/SSL protocol stack. Through my analysis of these customizations, I have identified critical security vulnerabilities that could compromise both user and application security. These vulnerabilities range from poor vendor practices, such as shipping older Android platform releases and delaying critical security patches, to outdated cryptographic implementations and insecurely distributed cryptographic providers. Additionally, some vendors omit essential security checks such as certificate validation and hostname verification.
In this presentation, I will walk through these findings and discuss the current limitations of the complex Android supply chain.
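The two omissions named above, skipped certificate validation and skipped hostname verification, leave recognisable traces in Java and Kotlin source: an `X509TrustManager.checkServerTrusted` with an empty body, a `HostnameVerifier` that unconditionally returns `true`, or an `SSLContext` requested for a legacy protocol. The following scanner is an added example, not part of the talk or of any vendor's code, and it is a regex heuristic rather than a parser; the sample Java and Kotlin sources it runs over are constructed for the example, and `PinnedTrustManager`, `spkiSha256` and the other identifiers in them are hypothetical.

```python
"""Heuristic scan of Java/Kotlin sources for disabled TLS checks.

Added example: regex-based triage for the patterns a vendor audit looks for.
It is not a parser and will miss obfuscated or indirect variants; treat hits
as leads for manual review, not as proof of a vulnerability.
"""
import re
from pathlib import Path
from typing import Dict, List

# (finding name, regex matched against the whole file). Order fixes report order.
PATTERNS = [
    # checkServerTrusted whose body is empty, comment-only, or a bare return:
    # the chain is never validated, so any certificate is accepted.
    ("trust_all_manager", re.compile(
        r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*"
        r"(?://[^\n]*\s*|/\*.*?\*/\s*|return\s*;\s*)*\}", re.S)),
    # HostnameVerifier.verify(String, SSLSession) that always returns true.
    ("allow_all_hostname_verifier", re.compile(
        r"\bverify\s*\(\s*(?:final\s+)?String\s+\w+\s*,\s*(?:final\s+)?SSLSession\s+\w+\s*\)"
        r"\s*\{\s*return\s+true\s*;\s*\}", re.S)),
    # Java lambda `setHostnameVerifier((h, s) -> true)` or Kotlin
    # `.hostnameVerifier { _, _ -> true }`.
    ("lambda_hostname_verifier", re.compile(
        r"[hH]ostnameVerifier\s*[({]\s*\(?\s*\w+\s*,\s*\w+\s*\)?\s*->\s*true")),
    # Library constants that disable hostname checking outright.
    ("allow_all_hostname_constant", re.compile(
        r"ALLOW_ALL_HOSTNAME_VERIFIER|NoopHostnameVerifier")),
    # SSLContext pinned to a protocol version that should no longer be negotiated.
    ("legacy_protocol", re.compile(
        r'SSLContext\.getInstance\(\s*"(?:SSL|SSLv3|TLSv1|TLSv1\.1)"\s*\)')),
]


def scan_source(src: str) -> List[str]:
    """Return the names of every insecure-TLS pattern found in one source file."""
    return [name for name, rx in PATTERNS if rx.search(src)]


def scan_tree(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a {path: contents} mapping; only files with findings are reported."""
    return {path: hits for path, src in files.items() if (hits := scan_source(src))}


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Read every .java/.kt file under root (e.g. a decompiled vendor APK) and scan it."""
    files = {
        str(p): p.read_text(encoding="utf-8", errors="replace")
        for p in Path(root).rglob("*")
        if p.is_file() and p.suffix in (".java", ".kt")
    }
    return scan_tree(files)


# Constructed sample: the vendor anti-patterns the abstract describes (Java).
VULNERABLE_JAVA = """
public class TrustAll implements X509TrustManager {
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // accept everything
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
"""

# Constructed sample: the same mistakes in Kotlin, plus a legacy protocol.
VULNERABLE_KT = """
object TrustAll : X509TrustManager {
    override fun checkClientTrusted(chain: Array<X509Certificate>?, authType: String?) {}
    override fun checkServerTrusted(chain: Array<X509Certificate>?, authType: String?) {}
    override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
}
val ctx = SSLContext.getInstance("TLSv1").apply { init(null, arrayOf(TrustAll), SecureRandom()) }
val client = OkHttpClient.Builder()
    .sslSocketFactory(ctx.socketFactory, TrustAll)
    .hostnameVerifier { _, _ -> true }
    .build()
"""

# Constructed sample: platform validation kept, pinning added on top (hypothetical names).
SAFE_JAVA = """
public final class PinnedTrustManager implements X509TrustManager {
    private final X509TrustManager platformTm;
    private final Set<String> pins;
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        platformTm.checkServerTrusted(chain, authType);   // full chain validation first
        if (!pins.contains(spkiSha256(chain[0]))) {
            throw new CertificateException("leaf SPKI not pinned");
        }
    }
}
HostnameVerifier strict = (host, session) ->
        HttpsURLConnection.getDefaultHostnameVerifier().verify(host, session);
SSLContext ctx = SSLContext.getInstance("TLSv1.3");
"""

if __name__ == "__main__":
    samples = {"TrustAll.java": VULNERABLE_JAVA, "Net.kt": VULNERABLE_KT, "Pinned.java": SAFE_JAVA}
    for path, hits in scan_tree(samples).items():
        print(f"{path}: {', '.join(hits)}")
```

Run `scan_directory("<decompiled-apk>/sources")` over the output of a decompiler to triage a vendor image; a file that appears in the report still needs a human to confirm the trust manager or verifier is actually installed on a socket that carries sensitive traffic.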
About Vinuri Bandara
This event will be conducted in English