Abstract
Recently, Android is expanding its application area including vehicle infotainment system, smart TV, AI speaker as IoT devices as well as mobile terminals. To maintain and support these systems, the manufacturer distributes the firmware through the Android firmware build framework and updates after evaluating firmware integrity by a signature verification process. However, attackers potentially falsify the firmware and raise critical security problems on mobile terminals in cases that developers use the public test key or SDK key to sign the firmware for release, due to lack of security readiness of mobile manufacturers. This paper analyzes the firmware signing, verification and update process of the Android platform, introduces vulnerabilities invented when an unsafe key is used and implements an evaluation tool for signature verification to find the firmware features if signed by an unsafe key.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
STATECOUNTER, Mobile Operating System Market Share Worldwide (2017). http://gs.statcounter.com/os-market-share/mobile/worldwide
Android Open Source Project. https://source.android.com/devices/tech/ota/sign_builds#sign-ota-packages
Boie, A.: Android Software Updates, Embedded Linux Conference (2015)
Bisson, G.: Android OTA update, NXP FTF (2016)
Jeong, E.: FOTA Vulnerability Analysis on Android-based Mobile Devices (2017)
Ferreira, A.M.: Android OTA Update Another Security Evaluation. University of Systems and Networks (2013)
Zheng, M., Sun, M., Lui, J.C.S.: DroidRay: a security evaluation system for customized android firmwares. In: ACM Symposium on Information, Computer and Communications Security, pp. 471–482 (2014)
Jo, H.J., Choi, W., Na, S.Y., Woo, S., Lee, D.H.: Vulnerabilities of Android OS-based telematics system, pp. 1511–1530. Springer, New York (2016)
Zetter, K.: Attackers stole certificate from foxconn to hack Kaspersky With Duqu 2.0, Wired (2015). https://www.Wired.Com/2015/06/Foxconn-Hack-Kaspersky-Duqu-2
Dai, L.: ASN.1 Editor, Code Project (2008). https://www.codeproject.com/Articles/4910/ASN-Editor
Acknowledgments
This research was supported by the MSIT (Ministry of Science, ICT), Korea, under the ITRC (Information Technology Research Center) support program (IITP-2018-2015-0-00403) supervised by the IITP (Institute for Information & communications Technology Promotion).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Jeong, E., Park, J., Son, B., Kim, M., Yim, K. (2019). Study on Signature Verification Process for the Firmware of an Android Platform. In: Barolli, L., Xhafa, F., Javaid, N., Enokido, T. (eds) Innovative Mobile and Internet Services in Ubiquitous Computing. IMIS 2018. Advances in Intelligent Systems and Computing, vol 773. Springer, Cham. https://doi.org/10.1007/978-3-319-93554-6_52
Download citation
DOI: https://doi.org/10.1007/978-3-319-93554-6_52
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-93553-9
Online ISBN: 978-3-319-93554-6
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)