In-depth analysis of the Android supply chain: Vendor customizations on critical networking components

13 Sep 2023

Vinuri Bandara, PhD Student at IMDEA Networks Institute, Madrid, Spain

In-house Presentation

The openness and extensibility of the Android Open Source Project (AOSP) enable Android device vendors, also known as Original Equipment Manufacturers (OEMs), to introduce customizations in their products to differentiate themselves in the market and add new capabilities. However, these customizations can pose significant security and privacy risks to users.

To assess the threats to secure communication introduced by vendors, I have studied the customizations made to the TLS/SSL protocol stack. Through my analysis of these customizations, I have identified critical security vulnerabilities that could compromise both user and application security. These vulnerabilities range from poor vendor practices, such as using older Android platform releases and delaying the implementation of critical security patches, to outdated cryptographic implementations and insecure distributions of cryptographic providers. Additionally, some vendors may omit advanced security functions such as certificate validation and hostname verification.

In this presentation, we will delve into my findings and discuss the current limitations within the complex Android supply chain.

About Vinuri Bandara

Vinuri Bandara is a PhD student from the Internet Analytics group, supervised by Dr. Narseo Vallina Rodriguez. She recently completed her Master's studies at University of Polytechnic Madrid. Her research interests include network security in Android and iOS, privacy policy and regulation compliance in Android devices, and security concerns within the Android supply chain.

This event will be conducted in English

  • Location: MR-A1 [Ramón] & MR-A2 [Cajal], IMDEA Networks Institute, Avda. del Mar Mediterráneo 22, 28918 Leganés – Madrid
  • Organization: IMDEA Networks Institute; NETCOM Research Group (Telematics Engineering Department, UC3M)
  • Time: 13:00