Android Security Certification in Practice: Lessons from GMS, CTS, and VTS
ChengWig
34 slides
Nov 02, 2025
About This Presentation
In recent years, Android has not only continued to grow steadily in the consumer market, smartphones and tablets, but also established a strong presence in industrial, medical, and automotive sectors, with the automotive domain even having its own dedicated AAOS (Android Automotive OS) branch!
This session will explore how to choose the most suitable platform when adopting Android as the default OS for your project. We will take a step-by-step approach to explain the BSP development process and share experiences on how to handle GMS certification, including strategies to pass CTS and VTS tests.
Furthermore, if your project does not require GMS certification but your customer still demands long-term maintenance, regular updates, or access to an app store, we will discuss practical solutions to address these requirements, all revealed in this talk!
Slide Content
Android Security Certification in Practice:
Lessons from GMS, CTS, and VTS
GDG-Devfest Taoyuan 2025
Wig Cheng, 11/1
About Me
• Wig Cheng
• IEI Integration Corp., Android OS Manager
• Skills: Android / Linux BSP
• Open Source contributor
  o Linux Kernel Upstream
  o Denx U-boot
  o Google AOSP
• Open Source community maintainer
  o OpenEPD Tiny E-paper
  o Kakip-AI SBC
Agenda
• Android in different markets
• Android BSP Development Flow
• Long-Term Maintenance Strategies
• GMS Certification Challenges
• Summary
No hardware, coding 50%, architecture 50%
Android in Different Markets
Normal Android (AOSP)
• Tablet (Google Tablet)
• Smart phone (Google phone)
Diagram: Google -> AOSP -> ROM compile -> Oriole (Pixel 6) / Raven (Pixel 6 Pro), e.g. the aosp_raven-userdebug ROM
Supported versions:
• Android 12
• Android 13
• Android 14
• Android 15
• NO Android 16
WITHOUT GMS services
Normal Android (AOSP)
• Non-Google phone / Tablet
• Android TV
Diagram: Google AOSP -> SoC vendor -> Phone manufacturer (Android BSP) -> Google GMS certifications -> Announced!
Turn-key solution
Hardware update: one year
Software update: by case
Example: Samsung S24, 7 OS updates, 7 years of security updates
Industrial Android
• Industrial HMI / Medical HMI
• Vending machine
• Fitness
• Point-of-Sale (POS) machine
• Digital Signage
• Kiosk
Diagram: Google AOSP -> SoC vendor -> manufacturer (Android BSP) -> Google GMS certifications -> Announced!
Me: FOSS app store
Android BSP Development Flow
Android OS layers
• Compile procedure
$ repo init <Android BSP link of manifest.xml>
$ repo sync
$ source build/envsetup.sh
$ lunch
$ make
(bootloader -> kernel image -> device tree -> Android system -> make images)
Output images
<BSP source>/out/target/product/<lunch product name>/
Different jobs
• App development
  ▪ Android Studio -> <BSP source>/packages/apps/
    Writing an Android.bp is necessary
• Hardware function porting
  ▪ Kernel driver/dts -> <BSP source>/vendor/kernel
  ▪ HAL driver -> <BSP source>/hardware/
  ▪ Framework subsystem service -> <BSP source>/frameworks
• Device configuration
  ▪ <BSP source>/device/<target device name>/
    BoardConfig.mk -> partition layout, function enabling/disabling
    framework overlays -> customized launcher, Settings page
    Different config files for function allocation
Super Partition?
• System/Vendor/Product partition
Android 14 A/B partition layout: cache, userdata, boot, dtbo, super, vbmeta, persist, init_boot, vendor_boot, bootloader

Partition | Maintainer        | Contents                                         | Update frequency   | Dependencies
system    | Google/AOSP       | Android framework, system apps                   | System updates     | Independent
vendor    | OEM/SoC vendors   | HAL, drivers, kernel modules                     | Infrequent updates | Hardware-bound
product   | OEM vendors       | Custom apps, regional settings                   | Frequent updates   | Independent
super     | System management | Logical partition container (contains the above) | -                  | -

The super partition gives more flexibility for OTA updates.
A/B slots: slot A = system, vendor, product; slot B = system, vendor, product
Long-Term Maintenance Strategies
GKI Kernel
• Background & Problem Statement
  o Android Kernel Fragmentation (Pre-2019)
    ▪ Traditional issues: each OEM maintained its own kernel fork
    ▪ Update challenges: severe delays in security updates and system upgrades
    ▪ High maintenance cost: vendors repeatedly modified the same kernel code
    ▪ Ecosystem fragmentation: thousands of different kernel versions coexisted
• Google's Solution
  o Split the kernel into the Generic Kernel Image (GKI) and vendor modules
  o Goal: unified kernel interface and simplified update process
GKI Kernel: Pre-2019
GKI Kernel: Post-2019
• GKI Development Timeline
  o 2019 - Extension of Project Treble
    ▪ Android 10: GKI concept introduced
    ▪ Started separating the HAL from the kernel
  o 2020 - GKI 1.0 Launch
    ▪ Android 11 (R): first introduction of GKI 1.0
    ▪ Based on Linux kernel 5.4 LTS
    ▪ Defined a stable KMI (Kernel Module Interface)
  o Mandatory Requirement Phase
    ▪ Android 12 (S): GKI 2.0 with Linux kernel 5.10 (2021)
    ▪ Android 13 (T): GKI 2.0 with Linux kernel 5.15 (2022)
    ▪ Android 14 (U): GKI 2.0 with Linux kernel 6.1 (2023)
    ▪ Android 15 (V): GKI 2.0 with Linux kernel 6.6 (2024)
Security patches
• Android Security Bulletins
Example board: WAFER-RK3588
$ adb shell getprop ro.build.version.security_patch   => security patch level
$ adb shell getprop ro.build.version.release          => OS version
$ adb shell getprop ro.build.version.sdk              => SDK version
$ adb shell getprop ro.build.id                       => build ID
https://source.android.com/docs/security/bulletin
Item         | Description
CVE          | Vulnerability numbers
Type         | Vulnerability category
Severity     | Critical, High, Moderate, Low
AOSP Version | 13, 14, 15, etc.
Component    | Framework, Kernel, Media, etc.
Patch flow (timeline: Day 1 -> Day 14 -> Day 30 -> Day 90):
Google (Day 1)
- Fix the CVE
- Publish to the bulletin webpage
SoC vendor (Day 14)
- Get the CVE patches from Google
- Add chipset-specific fixes
- Release to the OEM
OEM vendor (Day 30)
- Merge the CVE patches from Google and the SoC vendor
- Make the OTA package for the end-user
End-User (Day 90)
- Fix the CVE and
- Publish to webpage
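As an added example (not from the deck), a small Python helper that parses a captured `adb shell getprop` dump and reports how far a board's security patch level lags behind a reference date, using the 90-day end-user point of the patch flow above as the staleness threshold. The getprop dump below is constructed, not taken from a real board.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output (bracketed key/value lines).
SAMPLE_GETPROP = """\
[ro.build.id]: [CONSTRUCTED.240905.001]
[ro.build.version.release]: [14]
[ro.build.version.sdk]: [34]
[ro.build.version.security_patch]: [2024-09-05]
[ro.product.model]: [WAFER-RK3588]
"""

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn the bracketed getprop dump into a dict of property -> value."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def patch_age_days(props, today_iso):
    """Days between ro.build.version.security_patch and the given ISO date."""
    patch = date.fromisoformat(props["ro.build.version.security_patch"])
    return (date.fromisoformat(today_iso) - patch).days


def check_build(props, today_iso, max_age_days=90):
    """Summarise the build and flag it when the patch level exceeds the window."""
    age = patch_age_days(props, today_iso)
    return {
        "build_id": props.get("ro.build.id"),
        "release": props.get("ro.build.version.release"),
        "sdk": int(props.get("ro.build.version.sdk", "0")),
        "patch": props.get("ro.build.version.security_patch"),
        "age_days": age,
        "stale": age > max_age_days,
    }


if __name__ == "__main__":
    print(check_build(parse_getprop(SAMPLE_GETPROP), "2025-11-01"))
```

Feed it real output with `adb shell getprop > props.txt` and compare the patch level against the month of the bulletin you are tracking.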
GMS Certification Challenges
FOSS case – MicroG Project
• Basically, there is no Google Play inside the device (no GMS certification)
• So the FCM (Firebase Cloud Messaging) API cannot be used for the push service
• Port a 3rd-party solution such as the MicroG project
Diagram: MicroG = AOSP Google Service replacement + FCM API support; FOSS app stores: F-Droid, Aurora
FOSS case – MicroG Project (cont'd)
• How to verify the FCM API
  o Lazy way: install the Gmail apk manually (internal testing only)
  o Easy way
Verified by LC Wang
<[email protected]>
GMS Certifications
• GMS = Google Mobile Service
  o Phone
  o Tablet
• EDLA = Enterprise Devices Licensing Agreement
  o Android TV
  o Automotive
  o Industrial PC
  o POS machine
CTS (Compatibility Test Suite)
- Tests the framework
- 100% PASS required
VTS (Vendor Test Suite)
- Tests the HAL (Hardware Abstraction Layer)
- Tests SELinux
- Tests the kernel (GKI)
GTS (GMS Test Suite)
- Tests GMS apps
- Tests GMS services
STS (Security Test Suite)
- Checks security patches
CTS Testing
• Test procedure from Google
• All test cases must achieve a 100% pass rate.
• Test packages must be downloaded according to the specific Android version.
https://source.android.com/docs/compatibility/cts
Wrong case
CTS Testing (cont.d)
• Test commands
# Import the environment and enter the CTS prompt
$ sudo env "PATH=$PATH" ./tools/cts-tradefed
# Running CTS with all test items
cts-console > run cts                  => (one device)
cts-console > run cts --shard-count=2  => (two devices for parallel processing)
# Running a specific test module
cts-console > run cts -m CtsMediaV2TestCases
# Check connected devices
cts-console > l d
# Retry session 5 according to the session list
cts-console > run retry --retry=5
# Running a specific test item
cts-console > run cts --include-filter "armeabi-v7a CtsDeqpTestCases dEQP-VK.api.command_buffers#secondary_execute_twice"
# Check the test results
cts-console > l r
# Report path for the test results
android-cts/results/*html
CTS Testing – WAFER-RK3588 case
• Android 14 RKR6 (r6)
• Fixed list:
  o Enable SELinux
  o Enable screen lock
  o Disable sensor functions from BoardConfig.mk
  o Update the Mali GPU library
  o Manually copy the CTS media files to the board
  o Check the Wi-Fi firewall for any network ports
Verified by Howard Tsou
<[email protected]>
VTS Testing
• Test procedure from Google
• Same conditions as CTS testing => all PASS
• Since Android 12
• SELinux is necessary
• GKI kernel is necessary
  o Adopting the GKI image is necessary
    https://source.android.com/docs/core/architecture/kernel/gki-android14-6_1-release-builds
• GSI is necessary
  o Adopting the GSI image is necessary
    https://developer.android.com/topic/generic-system-image/releases
https://source.android.com/docs/compatibility/vts
VTS + GKI
• KMI (Kernel Module Interface)
  o GKI image -> KMI -> target drivers (must be built as modules, =M)
  o Source-code level
  o Exported symbols (EXPORT_SYMBOL API)
  o Data structures (C structs)
  o Function signatures
  o Kernel headers
• ABI (Application Binary Interface)
  o Binary level
  o Fixed memory layout & calling conventions
  o Runtime checking
Boot dmesg:
tc358775: Unknown symbol drm_of_get_data_lanes_count_ep
motorcomm: Unknown symbol phy_basic_ports_array (err -2)
motorcomm: Unknown symbol __mdiobus_modify_changed (err -2)
Fixing a runtime ABI failure
• Temporary way
  o Fix the ABI on the local side
• Solution
  o Submit your patches for the ABI fix to Google AOSP!!
  o Remember that VTS requires the pure GKI image from Google, not the local build.
  o Need to push to the Gerrit server first for Google review.
Local workaround flow: kernel/common/android/abi_gki_aarch64_xxx -> manually add the new ABI function -> compile a local GKI image -> boot with the ABI failure fixed!! But VTS still fails... WHY?
Verified by Jason Yang
<[email protected]>
ABI - Inside Google’s Review Process
• Apply for the AOSP Contributor Program (individual/corporate) and sign the agreement.
• Register an AOSP developer account on the Google Gerrit system. Corporate accounts are required to register a company email address.
• Submit your commit to the Gerrit server for the specific Android version.
• Google review -> push to the AOSP git server -> PASS
ABI – Real case: Ethernet function
• Platform: Rockchip RK3588
• Ethernet PHY: Motorcomm YT8521
• Add to android/abi_gki_aarch64_rockchip
• Update the memory layout
WAFER-RK3588 boot dmesg:
motorcomm: Unknown symbol phy_basic_ports_array (err -2)
motorcomm: Unknown symbol __mdiobus_modify_changed (err -2)
# Update the layout file: android/abi_gki_aarch64.stg
$ tools/bazel run //common:kernel_aarch64_abi_update
# Re-build the GKI image (boot.img) to test again
$ tools/bazel run //common:kernel_aarch64_dist -- --dist_dir=out
• Submit the commit to the Google Gerrit server
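An added Python example (not the deck's or AOSP's code) that automates the first step of the ABI fix shown in the dmesg on the VTS + GKI slide and in the RK3588 Ethernet case above: it parses the `Unknown symbol` lines from a boot log, groups them per vendor module, and diffs them against the vendor symbol list (android/abi_gki_aarch64_<vendor>, one symbol per line) so the symbols still to be added before running kernel_aarch64_abi_update are listed. The dmesg excerpt and the symbol list are constructed.

```python
import re

# Constructed boot dmesg excerpt modelled on the failure shown in the deck.
SAMPLE_DMESG = """\
[    2.104] tc358775: Unknown symbol drm_of_get_data_lanes_count_ep (err -2)
[    2.311] motorcomm: Unknown symbol phy_basic_ports_array (err -2)
[    2.312] motorcomm: Unknown symbol __mdiobus_modify_changed (err -2)
[    2.500] motorcomm: loading out-of-tree module taints kernel.
"""

# Constructed stand-in for android/abi_gki_aarch64_<vendor>: one exported
# symbol name per line, '#' comments allowed.
SAMPLE_SYMBOL_LIST = """\
# constructed vendor symbol list
__mdiobus_modify_changed
phy_ethtool_get_link_ksettings
"""

# Optional "[ timestamp ]" prefix, then "<module>: Unknown symbol <name>".
UNKNOWN_RE = re.compile(r"(?:^\[[^\]]*\]\s+)?(\S+): Unknown symbol (\S+)")


def unknown_symbols(dmesg):
    """Map module name -> sorted symbols the GKI kernel did not export to it."""
    missing = {}
    for line in dmesg.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            missing.setdefault(m.group(1), set()).add(m.group(2))
    return {mod: sorted(syms) for mod, syms in missing.items()}


def parse_symbol_list(text):
    """Read a vendor symbol list, skipping blanks and comment lines."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def symbols_to_submit(dmesg, symbol_list_text):
    """Symbols vendor modules need that are absent from the vendor symbol list."""
    listed = parse_symbol_list(symbol_list_text)
    needed = {s for syms in unknown_symbols(dmesg).values() for s in syms}
    return sorted(needed - listed)


if __name__ == "__main__":
    print(unknown_symbols(SAMPLE_DMESG))
    print(symbols_to_submit(SAMPLE_DMESG, SAMPLE_SYMBOL_LIST))
```

Symbols that are missing from the list are the ones to append to the vendor file before regenerating the .stg layout and rebuilding; VTS still needs the Google-built GKI image, so the change only counts once it is merged upstream.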
ABI - Results
https://android-review.googlesource.com/c/kernel/common/+/3782907
https://android.googlesource.com/kernel/common/+/8267a85382f1a0408f762890ce6419407d53f6ef
Summary
• If your product is a fitness machine / factory HMI
  o Maybe the FOSS way is enough!
• If your product is a smart phone / tablet....
  o Maybe GMS is necessary
• GMS's additional cost
  o 3PL (3rd-party Lab): about $80,000 USD for one model
  o $2.5 USD - $40 USD per unit with mass production (by country)
  o Every OS version upgrade needs to pass certification again ($15,000 USD)