The openness and extensibility of the Android Open Source Project (AOSP) enable Android device vendors, also known as Original Equipment Manufacturers (OEMs), to introduce customizations in their products to differentiate themselves in the market and add new capabilities. However, these customizations can pose significant security and privacy risks to users.

To assess the threats to secure communication introduced by vendors, I have studied the customizations made to the TLS/SSL protocol stack. Through my analysis of these customizations, I have identified critical security vulnerabilities that could compromise both user and application security. These vulnerabilities range from poor vendor practices, such as using older Android platform releases and delaying the implementation of critical security patches, to outdated cryptographic implementations and insecure distributions of cryptographic providers. Additionally, some vendors may omit advanced security functions such as certificate validation and hostname verification.

In this presentation, we will delve into my findings and discuss the current limitations within the complex Android supply chain.

About Vinuri Bandara

Vinuri Bandara is a PhD student from the Internet Analytics group, supervised by Dr. Narseo Vallina Rodriguez. She recently completed her Master studies at University of Polytechnic Madrid. Her research interests include network security in Android and ios, privacy policy and regulation compliance in Android devices and security concerns within the Android supply chain.

This event will be conducted in English