Full Traceability for Android Supply Chain Security


What is product traceability?

Product supply chain traceability is a very important aspect of manufacturing as it directly contributes to product safety and quality and, as an emerging trend, to product sustainability and ethics.

In terms of safety, automakers routinely announce product recalls to protect their customers from the failure of defective parts, and to protect themselves by staying compliant and avoiding litigation. In one recent example, Rivian, an electric car company, issued a recall of all of its vehicles because of a potentially loose fastener in its steering assembly.

Brand reputation is another major driver of product traceability. For example, luxury jewelers ensure that the diamonds they sell carry a Kimberley Process certificate, so that they are not blood diamonds (conflict diamonds, mined under conditions that exploit workers and the environment).

In the software industry, however, traceability is still a weak point. The Log4j vulnerability, for example, became a tricky problem for cybersecurity teams not because patching it was hard, but because the main challenge was identifying which software in their environment used Log4j in the first place. This is why the idea of a software bill of materials (SBOM) is gaining momentum: it gives the whole industry a way to establish traceability for software products.

Traceability in the Android ecosystem is an even greater challenge because of its open architecture: Android is designed to run on a wide range of mobile devices, and vendors are allowed to create their own variants of the operating system. Most smartphone brands also lack the in-house expertise to produce all the necessary components, such as hardware, firmware, apps, and the infrastructure for system updates, so many Android smartphones are simply rebranded OEM devices. As a result, many Android brands have little idea what went into the product they sell, and have been caught off guard when unwanted apps and security issues have plagued their products.

The problem with the Android software supply chain

Suppose ACME telco (a fictitious company) wants to bundle a cheap smartphone with its subscription plans in order to bring a new 5G data plan to market. As ACME telco is not a smartphone manufacturer, ACME outsources the development and manufacturing of the device to an OEM supplier. All ACME needs to do is provide the expected specs, target price, and branding. This process is often referred to as "white labeling", the name coming from the fact that the OEM takes full responsibility for producing the device and leaves a blank "white label" for its customer to fill in with its own brand.

Such convenience and cost reduction are not without risk. The OEM will of course try to use the least expensive components that meet the specifications. And since a smartphone does not run on hardware alone, the device's firmware and custom applications also have associated costs, which the OEM will optimize as well. Firmware developers supplying the OEM might agree to deliver the software at a lower price because they can make up for the shortfall through dubious means, such as quietly pre-installing apps from other app developers for a fee. There is a whole market built around this bundling service, with prices ranging from 1 to 10 Chinese yuan (about $0.14 to $1.37 at the time of writing) per application per device. This is where the risk lies: as long as the device's firmware, bundled apps, and update mechanisms are not owned, controlled, or audited by the smartphone brand itself, a dishonest supplier can hide unauthorized code there.

Additionally, malicious or unwanted code does not have to be installed in full during manufacturing. Since smartphones are connected to the internet anyway, a dishonest supplier can abuse the device's firmware and app update mechanisms to install malicious or unwanted code later, once the device is actually in use.

If the brand and its OEM lack vendor visibility, component tracking, and integrity checks, it is difficult to identify the supplier responsible for the unauthorized code and to determine when the code entered the product. Abuse of the firmware and application update mechanisms also means that the groups behind the operation can choose which unauthorized application or code to push to which device and when, making diagnostics, incident response, and forensics much more complicated.
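As an added, practical check for the scenario above (example code written for this edit, not from the article or its authors): the script below parses the package inventory that `adb shell pm list packages -f -i` prints, one line per package in the form `package:<apk path>=<package name>  installer=<installer or null>` (that line format is an assumption of the example), and diffs it against the package set the brand approved for that firmware build. A firmware-partition package the baseline never listed is a candidate factory bundle; a user-space package whose installer is not a trusted store is a candidate for something pushed later through an OEM update channel. The sample `pm` output, the baseline, the trusted installer list and every package name are constructed for the example.

```python
"""Diff a device's installed-package inventory against a known-good baseline.

Constructed example: the input mimics `adb shell pm list packages -f -i`
output, one line per package (assumed format):
    package:<apk path>=<package name>  installer=<installer package or null>
"""
import re
from dataclasses import dataclass

PM_LINE = re.compile(
    r"^package:(?P<path>\S+)=(?P<name>[\w.]+)\s+installer=(?P<installer>\S+)$"
)

# Read-only partitions that ship inside the firmware image. Anything here was
# put there by the OEM or its firmware supplier (or by an OTA), never by the user.
FIRMWARE_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/",
                     "/odm/", "/apex/")

# Constructed sample output (package names, paths and installers are made up).
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings  installer=null
package:/product/app/Calculator/Calculator.apk=com.android.calculator2  installer=null
package:/vendor/app/FreeGamesHub/FreeGamesHub.apk=com.example.freegameshub  installer=null
package:/data/app/~~abc==/com.example.bank-1/base.apk=com.example.bank  installer=com.android.vending
package:/data/app/~~def==/com.example.coupons-1/base.apk=com.example.coupons  installer=com.example.oemupdater
"""

# Hypothetical baseline: the package set the brand signed off on for this
# firmware build (in practice taken from the SBOM or a golden device image).
BASELINE = {"com.android.settings", "com.android.calculator2"}

# Installers allowed to add user-space apps after the device leaves the factory.
TRUSTED_INSTALLERS = {"com.android.vending"}


@dataclass(frozen=True)
class Pkg:
    name: str
    path: str
    installer: str  # "null" = installed by the platform itself, no store involved

    @property
    def in_firmware(self) -> bool:
        return self.path.startswith(FIRMWARE_PREFIXES)


def parse_pm_list(text: str) -> dict[str, Pkg]:
    """Parse `pm list packages -f -i` output into {package name: Pkg}."""
    pkgs: dict[str, Pkg] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PM_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised pm output line: {line!r}")
        pkg = Pkg(m["name"], m["path"], m["installer"])
        pkgs[pkg.name] = pkg
    return pkgs


def audit(device: dict[str, Pkg], baseline: set[str],
          trusted_installers: set[str]) -> list[tuple[str, str, str]]:
    """Return (package, reason, apk path) for every deviation from the baseline.

    Three cases are flagged:
      * a firmware-partition package the baseline never listed (bundled at the
        factory by a supplier),
      * a user-space package whose installer is not a trusted store (pushed
        later through an OEM update channel, or sideloaded),
      * a baseline package that is absent (the firmware is not the build vetted).
    """
    findings: list[tuple[str, str, str]] = []
    for name, pkg in sorted(device.items()):
        if pkg.in_firmware:
            if name not in baseline:
                findings.append((name, "firmware package not in baseline", pkg.path))
        elif pkg.installer not in trusted_installers:
            findings.append((name, f"installed by untrusted installer {pkg.installer}", pkg.path))
    for name in sorted(baseline - set(device)):
        findings.append((name, "baseline package missing from device", ""))
    return findings


if __name__ == "__main__":
    for name, reason, path in audit(parse_pm_list(SAMPLE_PM_OUTPUT),
                                    BASELINE, TRUSTED_INSTALLERS):
        print(f"{name}: {reason} {path}".rstrip())
```

On the constructed sample this reports `com.example.coupons` (a user-space app installed by `com.example.oemupdater`, which is not a trusted store) and `com.example.freegameshub` (shipped in `/vendor/app` but absent from the baseline). The installer field is what distinguishes the two injection routes the text describes: packages that arrived with the firmware image have no installer, while packages pushed later carry the package name of whatever privileged component installed them. A baseline diff like this only works if the brand actually holds a per-build package list, which is the traceability gap the rest of the article is about.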

Why is Android supply chain security important?

Gone are the days when a smartphone was just a phone with a camera that you can use to play games, listen to music, and watch movies. A modern smartphone is almost always connected to the internet (thanks to ever-cheaper mobile data plans) and running productivity and business apps so you can work on them.

Additionally, smartphones have a mobile number that is linked to online identities, either as part of two-factor authentication (2FA) or to verify that an account is genuine. Beyond SMS-based 2FA, the authenticator apps used by enterprise authentication systems also run on the smartphone.

What should we do?

As Android phone users, if the smartphone is so important to our daily tasks, shouldn’t we be more aware of where the components and software running in our smartphones come from?

Second, shouldn’t smartphone vendors be more diligent in sourcing their devices, deal only with approved OEMs, and require product traceability and an SBOM?

Third, as IT security professionals, shouldn’t we review and verify which brands and models are acceptable before allowing the installation of enterprise and authentication applications?

These are the questions we have to ask ourselves because currently there is no specific guideline or certification body to verify the integrity of Android smartphones and their firmware. We need to apply different levels of vendor and device accreditation based on risk appetite to ensure that all devices are sourced from reputable brands that secure their supply chains and vet their suppliers.

Government agencies can also encourage manufacturers and retailers by creating programs that highlight products that follow secure manufacturing and development practices. For example, Singapore and Finland have a cybersecurity labeling scheme that gives a simplified overview of a product's cybersecurity resilience through a four-tier assessment involving basic security checks, a developer's declaration of conformance, third-party assessment, and penetration testing. While the current implementation only covers Internet of Things (IoT) devices such as routers and IP cameras, a similar scheme could be extended to cover smartphones.

To this day, rogue suppliers can stay hidden and continue their unethical business practices because there is no visibility into them. And because there is no visibility, accountability is difficult to enforce. Increasing visibility through product traceability, an SBOM, and even government-backed assessment programs will narrow the window of opportunity for these rogue suppliers to hide.

By Fyodor Yarochkin, Vladimir Kropotov, Zhengyu Dong, Paul Pajares and Ryan Flores
