Comprehensive Traceability for Android Supply-Chain Security
What is product traceability?
Product supply-chain traceability is a very important aspect of manufacturing, as it contributes directly to product safety and quality and, as an emerging trend, to product sustainability and ethics.
In terms of safety, automotive manufacturers consistently announce product recalls to protect their customers from the failure of faulty parts, as well as to protect themselves by remaining compliant and avoiding litigation. In a recent example, Rivian, an electric car company, issued a recall of all its vehicles due to a loose steering fastener.
Brand reputation is also a major driver for product traceability. For example, luxury jewelers make sure the diamonds they sell have a Kimberley Process Certificate to ensure that they are not blood diamonds (diamonds mined by exploiting workers and the environment).
In the software industry, however, traceability is still a weak point. For example, the Log4j vulnerability became a sticky issue for cybersecurity teams: the major challenge was not fixing and patching the vulnerability, but identifying which software in their environment was using Log4j in the first place. This is why the idea of a software bill of materials (SBOM) is gaining traction: it would let the whole industry build traceability into software products.
Traceability in the Android ecosystem is an even bigger challenge due to its open architecture, as Android is designed to run on a wide range of mobile devices and vendors are allowed to create their own variants of the operating system. Most smartphone brands also do not have the in-house expertise to produce all the necessary components, such as the hardware, firmware, apps, and infrastructure for system updates, so many Android smartphones are simply rebranded OEM devices. Because of this, many Android brands do not have the slightest idea what went into the product they are selling and have been caught unawares when unwanted apps and security issues affected their products.
The problem with the Android software supply chain
Suppose that ACME telco (a fictitious company) wants to package a cheap smartphone into their subscription plans in order to push a new 5G data plan to the market. As ACME telco is not a smartphone manufacturer, ACME will outsource development and manufacturing of the device to an OEM vendor. All ACME needs to do is provide the expected spec, target price, and branding. This process is often referred to as “white labeling,” with the name coming from the fact that the OEM takes complete responsibility for producing the device and simply leaves the brand label “white,” to be filled in by its customer.
Such convenience and cost cutting do not come without risks. The OEM will of course try to use the cheapest components that meet the specifications. And since smartphones don’t run on hardware alone, the firmware and custom apps in the device also have associated costs, which the OEM will cost-optimize as well. Firmware developers supplying the OEM might agree to provide the software at a lower cost because they can compensate for the lost profit through questionable means, for example by discreetly pre-installing apps from other app developers for a fee. There is a whole market built around this bundling service, with prices ranging from 1 to 10 Chinese yuan (approximately US$0.14 to US$1.37 as of this writing) per application per device. This is where the risk lies: as long as the firmware, packaged apps, and update mechanisms of the device are not owned, controlled, or audited by the smartphone brand itself, a rogue supplier can hide unauthorized code in them.
Furthermore, the malicious or unwanted code does not necessarily need to be fully installed during manufacturing. As smartphones are internet-connected anyway, the firmware and app update mechanisms of the device can be leveraged by rogue suppliers to install the malicious or unwanted code later, when the device is in actual use.
If the OEM lacks supplier visibility, component tracking, and integrity checks, it is difficult to track down the rogue supplier responsible for the unauthorized code and to determine when the code was bundled into the product. Because the firmware and app update mechanisms are being abused, the groups behind the operation can also be selective in deploying whatever unauthorized app or code they want to inject into the device, at whatever time they choose, which makes diagnostics, incident response, and forensics much more complicated.
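As an added illustration (not part of the original article) of the kind of traceability check an SBOM makes possible, the script below compares a brand's declared component manifest with the packages actually present on a device, using the line format of `adb shell pm list packages -f`, and then diffs a second snapshot taken after an update. The declared list, package names, and APK paths are all constructed sample data.

```python
import re

# Line format produced by `adb shell pm list packages -f` (one package per line):
#   package:/system/app/Foo/Foo.apk=com.example.foo
_PM_LINE = re.compile(r"^package:(?P<path>\S+?\.apk)=(?P<pkg>[\w.]+)$")

# Partitions that ship with the firmware image; anything here was placed by
# the OEM or one of its suppliers, not by the end user.
FIRMWARE_PARTITIONS = ("/system/", "/system_ext/", "/vendor/", "/product/", "/odm/")

def parse_pm_list(output: str) -> dict:
    """Map package name -> APK path; lines that do not match are skipped."""
    installed = {}
    for line in output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            installed[m.group("pkg")] = m.group("path")
    return installed

def firmware_packages(installed: dict) -> set:
    """Packages whose APK lives on a firmware partition (excludes /data/app installs)."""
    return {pkg for pkg, path in installed.items() if path.startswith(FIRMWARE_PARTITIONS)}

def undeclared_components(declared_sbom: set, installed: dict) -> set:
    """Firmware packages the brand never listed in its component manifest."""
    return firmware_packages(installed) - declared_sbom

def added_after_update(before: dict, after: dict) -> set:
    """Packages present only after an update. User installs also land here,
    so every hit still has to be reconciled against the manifest."""
    return set(after) - set(before)

# Constructed sample data (not taken from any real device or vendor).
DECLARED_SBOM = {"com.android.settings", "com.acme.launcher", "com.acme.updater"}
PM_OUTPUT_FACTORY = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/product/app/AcmeLauncher/AcmeLauncher.apk=com.acme.launcher
package:/system/priv-app/AcmeUpdater/AcmeUpdater.apk=com.acme.updater
package:/vendor/app/BundledPromo/BundledPromo.apk=com.example.bundledpromo
package:/data/app/com.example.usergame-1/base.apk=com.example.usergame
"""
# The same device after an over-the-air update pushed one more package.
PM_OUTPUT_AFTER_OTA = PM_OUTPUT_FACTORY + \
    "package:/system/app/LateStage/LateStage.apk=com.example.latestage\n"

if __name__ == "__main__":
    factory = parse_pm_list(PM_OUTPUT_FACTORY)
    print("undeclared at factory:", sorted(undeclared_components(DECLARED_SBOM, factory)))
    print("added by update:", sorted(added_after_update(factory, parse_pm_list(PM_OUTPUT_AFTER_OTA))))
```

The same two comparisons work on real `pm list packages -f` output captured before and after each firmware or app update, which is how a brand can date when an unlisted component first appeared.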
Why is Android supply-chain security important?
Gone are the days when a smartphone was just a phone with a camera that you could use to play games, listen to music, and watch movies. A modern smartphone is almost always connected to the internet (thanks to mobile data plans getting cheaper and cheaper) and runs productivity and enterprise apps, so you can do actual work on it.
Furthermore, smartphones have a mobile number that is tied to online identities, either as part of two-factor authentication (2FA) or for checking the validity of an account. Aside from SMS-based 2FA, the authenticator apps used in corporate authentication systems also run on smartphones.
What should we do?
First, as Android phone users, if the smartphone is so important to our day-to-day tasks, shouldn’t we be more aware of the provenance of the components and software running in our smartphones?
Second, shouldn’t smartphone vendors exercise greater due diligence in sourcing their devices, deal only with vetted OEMs, and require product traceability and an SBOM?
Third, as infosec professionals, shouldn’t we review and vet which brand and models are acceptable before allowing enterprise and authentication apps to be installed on them?
These are the questions that we need to ask ourselves, as there is currently no specific guideline or certification body to ascertain the integrity of Android smartphones and their firmware. We need to apply various levels of vendor and device accreditation, depending on risk appetite, to make sure that all devices are purchased from reputable brands that secure their supply chains and vet their suppliers.
Government bodies can also help encourage manufacturers and retailers by creating schemes that highlight products that comply with secure manufacturing and development practices. For example, Singapore and Finland have a Cybersecurity Labeling Scheme that offers a simplified overview of a product’s cybersecurity resilience through a four-level rating involving checks on basic security, the developer’s declaration of conformance, third-party assessment, and penetration testing. While the current implementation only covers internet-of-things (IoT) devices such as routers and IP cameras, a similar scheme could be extended to cover smartphones.
As of today, rogue suppliers can remain hidden and continue their unethical business practices because there is no visibility over them. And because there is no visibility, accountability is difficult to enforce. Increasing visibility through product traceability, an SBOM, and even government-supported assessment schemes will effectively narrow the window of opportunity for these rogue suppliers to hide.
From Fyodor Yarochkin, Vladimir Kropotov, Zhengyu Dong, Paul Pajares, and Ryan Flores