Comprehensive traceability of supply chain security in Android

What is product tracking?

Product supply chain tracking is a very important aspect of manufacturing, as it directly contributes to product safety and quality and, as an emerging trend, to product sustainability and ethics.

In terms of safety, auto manufacturers are constantly announcing product recalls to protect their customers from the failure of faulty parts, as well as to protect themselves through compliance and avoid litigation. In a recent example, Rivian, an electric car company, issued a recall of all of its vehicles due to a loosened steering lock.

Brand reputation is also a major driver of product traceability. For example, fine jewelers make sure that the diamonds they sell have a Kimberley Process certificate to ensure that they are not blood diamonds (diamonds that are mined through the exploitation of workers and the environment).

However, in the software industry, traceability is still a weakness for now. For example, the Log4j vulnerability became a difficult problem for cybersecurity teams because the main challenge it presented was not fixing and patching the vulnerability, but identifying which programs in their environment were using Log4j in the first place. This is why the idea of a Software Bill of Materials (SBOM) is gaining traction: so that the entire industry can build traceability into software products.

Traceability in the Android ecosystem is an even bigger challenge due to its open architecture: Android is designed to run on a wide range of mobile devices, and vendors are allowed to create their own variants of the operating system. Most smartphone brands also lack the in-house expertise to produce all the necessary components, such as hardware, firmware, apps, and the infrastructure for system updates, so many Android smartphones are rebranded OEM devices. For this reason, many Android brands have no idea what went into the product they are selling and have been caught unaware when unwanted apps and security issues affected their products.

Android software supply chain problem

Let’s say ACME telco (a hypothetical company) wants to put a cheap smartphone in its subscription plans in order to push a new 5G data plan to market. Since ACME telco is not a smartphone manufacturer, ACME will outsource the development and manufacture of the device to an OEM vendor. All ACME needs to provide is the expected specifications, target price and brand. This process is often referred to as “white label”, as the OEM takes full responsibility for producing the device and simply leaves the “white” branding to be filled in by the customer.

This convenience and cost reduction do not come without risks. The original manufacturers will of course try to use the cheapest components that meet the specifications. And since smartphones don’t run on hardware alone, the firmware and custom apps in the device also have associated costs, which the OEM will optimize as well. Firmware developers who supply the OEM may agree to provide the software at a lower cost because they can make up for the lost profit through questionable means, for example by pre-installing apps from other app developers for a fee. There is an entire market built around this bundling service, with prices ranging from 1 to 10 CNY (about $0.14 to $1.37 as of this writing) per app per device. This is where the risks lie: as long as the firmware, bundled apps, and update mechanisms of the device are not owned, controlled, or audited by the smartphone brand itself, a fraudulent supplier can hide unauthorized code in them.

Furthermore, malicious or potentially unwanted code does not necessarily need to be fully installed during manufacture. Since smartphones are connected to the internet anyway, the device’s firmware and app update mechanisms can be taken advantage of by fraudulent vendors to install malicious or unwanted code later, when the device is in actual use.

If the brand lacks supplier visibility, component tracking, and security checks, it becomes difficult to trace the fraudulent supplier responsible for the unauthorized code and to determine when the code was bundled into the product. Abusing firmware and application update mechanisms also means that the groups behind the scheme can be selective in deploying whatever unauthorized application or code they want to insert into the device, at any time they choose, making diagnosis, incident response, and forensics a lot more complex.
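The traceability the previous paragraphs call for starts with a baseline: a manifest of what the brand expects on the device. The following Python example is added here and is not code from the original article; it parses the output of `adb shell pm list packages -f` (constructed sample below, not a real capture) and diffs it against a constructed SBOM-style baseline with hypothetical package names and suppliers, flagging packages the baseline never listed, baseline packages that are missing, and preloaded packages whose APK now lives under `/data/app`, which is what a system app replaced through an update mechanism after manufacture looks like.

```python
import re

# Constructed sample of `adb shell pm list packages -f` output; not captured from a real device.
# Each line has the form  package:<apk path>=<package name>
PM_LIST_SAMPLE = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~Qx1==/com.example.launcher-1/base.apk=com.example.launcher
package:/system/app/Weather/Weather.apk=com.example.weather
package:/data/app/~~Zk9==/com.unknownvendor.bundle-2/base.apk=com.unknownvendor.bundle
"""

# Constructed SBOM baseline the brand would hold for this firmware image (hypothetical package
# names and suppliers). "partition" records where the APK shipped at manufacture time.
SBOM_BASELINE = [
    {"package": "com.android.settings", "partition": "/system", "supplier": "AOSP"},
    {"package": "com.example.launcher", "partition": "/product", "supplier": "FirmwareCo"},
    {"package": "com.example.weather", "partition": "/system", "supplier": "FirmwareCo"},
    {"package": "com.example.support", "partition": "/product", "supplier": "ACME"},
]

LINE_RE = re.compile(r"^package:(?P<path>/\S+?)=(?P<pkg>[\w.]+)$")
PRELOAD_PARTITIONS = ("/system", "/system_ext", "/vendor", "/product", "/odm")


def parse_pm_list(text):
    """Map package name -> current APK path, ignoring lines that do not match the format."""
    inventory = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            inventory[m.group("pkg")] = m.group("path")
    return inventory


def audit_against_sbom(inventory, sbom):
    """Diff a device inventory against the SBOM baseline and return three findings lists."""
    expected = {entry["package"]: entry for entry in sbom}
    report = {"unexpected": [], "missing": [], "updated": []}
    for pkg, path in inventory.items():
        entry = expected.get(pkg)
        if entry is None:
            report["unexpected"].append(pkg)  # not in the manifest: bundled extra?
        elif entry["partition"] in PRELOAD_PARTITIONS and not path.startswith(entry["partition"] + "/"):
            # Preloaded app whose code path moved off its partition: replaced after manufacture.
            report["updated"].append((pkg, entry["supplier"], path))
    report["missing"] = sorted(set(expected) - set(inventory))
    return report


if __name__ == "__main__":
    for kind, items in audit_against_sbom(parse_pm_list(PM_LIST_SAMPLE), SBOM_BASELINE).items():
        print(kind, items)
```

Recording the supplier alongside each baseline entry is what lets an "updated" finding be traced back to the party responsible for that component.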

Why is supply chain security important to Android?

Gone are the days when a smartphone was just a phone with a camera that you could use to play games, listen to music, and watch movies. A modern smartphone is always online (thanks to mobile data plans that are getting cheaper and cheaper) and running productivity and business apps so you can do the actual work on them.

Furthermore, smartphones carry a mobile phone number that is then associated with online identities, either as part of two-factor authentication (2FA) or for account validation. Beyond SMS-based 2FA, the authenticator apps used by corporate authentication systems also run on smartphones.

What should we do?

First, as Android phone users, if a smartphone is so important to our daily tasks, shouldn’t we be more aware of the source of the components and software running in our smartphones?

Second, shouldn’t smartphone vendors exercise greater due diligence in sourcing their devices, dealing only with vetted OEMs, requiring product traceability and SBOM?

Third, as IT professionals, shouldn’t we review and approve acceptable brands and models before allowing authentication and enterprise applications to be installed on them?

These are the questions we need to ask ourselves, as there are currently no specific guidelines or certification body to ensure the security of Android smartphones and their firmware. We need to implement different levels of vendor and hardware certification, depending on risk appetite, to ensure that all hardware is procured from reputable brands that secure their supply chains and vet their suppliers.

Government agencies can also help encourage manufacturers and retailers by creating labels that highlight products that comply with secure manufacturing and development practices. For example, Singapore and Finland have a cybersecurity labeling scheme that provides a simplified overview of a product’s cybersecurity resilience through a four-tier rating covering basic security checks, developer declaration of conformity, third-party assessment, and penetration testing. While the current implementation only covers Internet of Things (IoT) devices such as routers and IP cameras, a similar scheme could be extended to smartphones.

As of today, fraudulent suppliers can remain hidden and continue their unethical business practices because there is no visibility of these practices. Because of the lack of visibility, it is difficult to enforce accountability. Increased visibility through product traceability, SBOM, and even government-backed evaluation schemes will narrow the window of opportunity for these rogue suppliers to hide.

By Fyodor Yaroshkin, Vladimir Kropotov, Zhengyu Dong, Paul Bagaris, Ryan Flores
