Google has announced expanded Binary Transparency for Android as a way to safeguard the ecosystem from supply chain attacks.
“This new public ledger ensures the Google apps on your device are exactly what we intended to build and distribute,” Google’s product and security teams said.
The initiative builds upon the foundation of Pixel Binary Transparency, which Google introduced in October 2021 to bolster software integrity by ensuring that Pixel devices are only running verified operating system (OS) software by keeping a public, cryptographic log that records metadata about official factory images.
The verifiable security infrastructure mirrors Certificate Transparency, an open framework that requires all issued SSL/TLS certificates to be recorded in public, append-only, and cryptographically verifiable logs to help detect mis-issued or malicious certificates.
The move is aimed at countering the risks posed by binary supply chain attacks, which have found various ways to deliver malicious code by poisoning the software update channels, while keeping their digital signatures intact. The latest example is the compromise of Windows installers of the DAEMON Tools software to serve a lightweight backdoor, which then acts as a conduit for an implant dubbed QUIC RAT.
What’s more, the installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers.
“It is becoming insufficient to rely on the binary’s signature alone, as a signature cannot guarantee that this particular binary was the intended one to be released to the public by its author,” Google said. “Digital signatures are a certificate of origin, but binary transparency is a certificate of intent.”
By expanding Binary Transparency on Android, the company said the idea is to provide guarantees that the Google software on a user’s device is exactly what was intended to be built and distributed. To that end, Google’s production Android applications released after May 1, 2026, will have a corresponding cryptographic entry confirming their authenticity.
The initiative currently includes production Google applications, including both Google Play Services and standalone Google applications, as well as Mainline modules that are part of the OS and can be dynamically updated outside of the normal release cycle.
“This provides a transparent ‘Source of Truth’ that allows anyone to verify that the Google software on their Android device is a production version authorized by Google and has not been modified by an attacker,” Google noted. “If the software is not on the ledger, Google did not release it as production software. Any attempt to deploy a ‘one-off’ version will be detectable.”
As part of this effort, the tech giant is also making available verification tooling that users and researchers can…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
