Alec Guertin
Last known affiliation: Google
Bio: Alec is a researcher with Google’s Android Security team. His primary focus is on detecting and preventing malware and vulnerabilities in pre-installed code. Alec also works on promoting secure development practices and educating engineers on common causes of vulnerabilities. You can find more details of his work on the Android Partner Vulnerability Initiative website or his previous talks at the Virus Bulletin, MOSEC, CARO, DroidCon and Android Developer Summit conferences.
Łukasz Siewierski 🗣 | Alec Guertin 🗣
Abstract
Over-the-air (OTA) updates are a crucial part of the Android operating system. The updates are signed and applied by the operating system, but the process of checking for new updates, downloading the files and handling the user interactions is done by a preinstalled application – an OTA provider. For the operating system’s update, the OTA application cannot interfere with the contents of the update in any way, making the OTA system image update secure.
However, to provide lightweight updates to preloaded applications, OTA applications are often also able to download and install specific applications. Access to these privileges makes OTA applications a potentially interesting target for abuse.
We have identified several cases in which 3rd-party OTA solutions contained code used to secretly download additional apps without user consent during the device’s lifetime. This talk covers examples of the problematic additions, the downloaded applications, the steps we have taken to combat the problem by pre-scanning system images, and the future of the Android OTA ecosystem.