Lessons from Leaked Android Platform Signing Keys (chainguard.dev)
3 points by ktrychon1 on Dec 5, 2022 | 1 comment


On November 30, 2022, the Android Security and Privacy Team project published a vulnerability report as part of the Android Partner Vulnerability Initiative, which tracks security issues for Android Original Equipment Manufacturers (OEMs).

As attackers increase their sophistication, our defensive technologies for software signing must grow more sophisticated as well. This post focused primarily on the Android ecosystem in light of recent events, but the lessons learned apply to all systems for distributing software securely, including the internal software supply chain of any organization.

To protect yourself, it’s best to use tools with these principles built-in. For instance, Sigstore has transparency as a fundamental component, and uses TUF to manage its own root of trust, ensuring that if the worst were to happen, the project can safely recover.
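The comment above points at TUF's root of trust as the reason Sigstore could recover from a leaked key. The mechanism behind that claim is TUF's root-rotation rule: a new root must be signed by a threshold of the old root's keys and by a threshold of its own keys, so a single stolen key cannot replace the root on its own. The following is an added example written for this page, not code from the post, from Chainguard, or from the Sigstore or TUF projects. It assumes a deliberately cut-down root role (no expiry, no other roles, key IDs are the raw public key in hex rather than TUF's hash of the canonical key object) and uses deterministic demo keys derived from labels so the constructed scenario is reproducible:

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Root is a cut-down TUF root role (expiry and the other TUF roles are omitted).
type Root struct {
	Version   int               `json:"version"`
	Threshold int               `json:"threshold"`
	Keys      map[string][]byte `json:"keys"` // keyid -> ed25519 public key
}

type Signed struct {
	Root Root
	Sigs map[string][]byte // keyid -> ed25519 signature over canonical(Root)
}

// keyID is simplified; real TUF hashes the canonical key object, not the raw key bytes.
func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

// canonical is what gets signed; encoding/json sorts map keys, so it is deterministic.
func canonical(r Root) []byte {
	b, _ := json.Marshal(r) // cannot fail for these field types
	return b
}

func NewRoot(version, threshold int, pubs ...ed25519.PublicKey) Root {
	r := Root{Version: version, Threshold: threshold, Keys: map[string][]byte{}}
	for _, p := range pubs {
		r.Keys[keyID(p)] = p
	}
	return r
}

func Sign(r Root, privs ...ed25519.PrivateKey) Signed {
	s := Signed{Root: r, Sigs: map[string][]byte{}}
	for _, k := range privs {
		s.Sigs[keyID(k.Public().(ed25519.PublicKey))] = ed25519.Sign(k, canonical(r))
	}
	return s
}

// countValid counts how many keys listed in trusted validly signed s.Root.
func countValid(trusted Root, s Signed) int {
	msg, n := canonical(s.Root), 0
	for id, sig := range s.Sigs {
		if pub, ok := trusted.Keys[id]; ok && ed25519.Verify(ed25519.PublicKey(pub), msg, sig) {
			n++
		}
	}
	return n
}

// UpdateRoot applies the TUF root-rotation rule: version exactly one higher, signed by a
// threshold of the currently trusted keys (continuity) and by a threshold of its own keys.
func UpdateRoot(current Root, candidate Signed) (Root, error) {
	if candidate.Root.Version != current.Version+1 {
		return Root{}, fmt.Errorf("root version %d, expected %d", candidate.Root.Version, current.Version+1)
	}
	if n := countValid(current, candidate); n < current.Threshold {
		return Root{}, fmt.Errorf("old-root threshold not met: %d of %d", n, current.Threshold)
	}
	if n := countValid(candidate.Root, candidate); n < candidate.Root.Threshold {
		return Root{}, fmt.Errorf("new-root threshold not met: %d of %d", n, candidate.Root.Threshold)
	}
	return candidate.Root, nil
}

// demoKey derives a key from a label so the constructed scenario is reproducible;
// real root keys come from a CSPRNG, ideally inside an HSM.
func demoKey(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("demo-seed:" + label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// RotationScenario is a constructed walk-through: A and B form the v1 root (2-of-2), A leaks,
// the owners rotate to {B, C}, and an attacker holding only A tries to install their key X.
func RotationScenario() (legitAccepted, attackerRejected bool) {
	pubA, privA := demoKey("A")
	pubB, privB := demoKey("B")
	pubC, privC := demoKey("C")
	pubX, privX := demoKey("X") // attacker-controlled
	v1 := NewRoot(1, 2, pubA, pubB)
	// The owners still hold A and B (old threshold) and sign with B and C (new threshold).
	_, err := UpdateRoot(v1, Sign(NewRoot(2, 2, pubB, pubC), privA, privB, privC))
	legitAccepted = err == nil
	// The attacker has only the leaked A, so the old 2-of-2 threshold is out of reach.
	_, err = UpdateRoot(v1, Sign(NewRoot(2, 1, pubX), privA, privX))
	attackerRejected = err != nil
	return
}

func main() { fmt.Println(RotationScenario()) }
```

The point to take away: the recovery property comes from the threshold being greater than one and from the old-root check, not from any cleverness in the signature scheme. With a 1-of-1 root the attacker's evil root would be accepted, which is exactly the position a vendor is in when a single platform signing key leaks and there is no rotation mechanism that clients enforce.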
