Binaries Under Doormats: Defeating the Covert Update
We recently published a post on the Google Security Blog detailing a major expansion of our long-standing support for Android binary transparency. This framework has protected the primary Android system image for years. Now we have expanded this coverage to include the apps and system services, particularly the privileged and sensitive apps on a Google-certified device, that are updated independently of the boot image.
Google Android production software is tied to an unmodifiable, independently witnessed, public cryptographic log. If any modification occurs, there is permanent and provable evidence. If an update ships to your phone, its exact cryptographic signature must exist in the public record for the world to verify. This absolute public accountability elevates the security and integrity posture across the entire consumer ecosystem.
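As an added illustration (not code from the Google post or from Android's actual implementation), here is a minimal RFC 6962-style Merkle log with the device-side check the paragraph describes: an update is accepted only if its digest carries an inclusion proof against a log head that an independent witness has already seen. The log entries and update names are constructed placeholders.

```python
import hashlib

def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()
def leaf_hash(digest: bytes) -> bytes:
    return _h(b"\x00", digest)  # RFC 6962 leaf prefix (domain separation)
def _split(n: int) -> int:
    return 1 << ((n - 1).bit_length() - 1)  # largest power of two < n
def merkle_root(leaves: list[bytes]) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return _h(b"\x01", merkle_root(leaves[:k]), merkle_root(leaves[k:]))
def inclusion_proof(leaves: list[bytes], index: int) -> list[bytes]:
    # Sibling hashes from the leaf upward; the log server returns these.
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]
def _climb(h: bytes, index: int, size: int, path: list[bytes]):
    # Recompute the root from a leaf hash and its proof; None if malformed.
    if size == 1:
        return h if not path else None
    if not path:
        return None
    k = _split(size)
    if index < k:
        below = _climb(h, index, k, path[:-1])
        return None if below is None else _h(b"\x01", below, path[-1])
    below = _climb(h, index - k, size - k, path[:-1])
    return None if below is None else _h(b"\x01", path[-1], below)

def update_is_logged(update, index, size, proof, witnessed_root) -> bool:
    # Device-side check: the update's digest must be provably in the log
    # whose head an independent witness has already countersigned.
    if not 0 <= index < size:
        return False
    return _climb(leaf_hash(_h(update)), index, size, proof) == witnessed_root

# Constructed sample log of five hypothetical update binaries (placeholders).
LOG_ENTRIES = [_h(b"update-%d" % i) for i in range(1, 6)]

def demo() -> tuple[bool, bool]:
    leaves = [leaf_hash(d) for d in LOG_ENTRIES]
    root = merkle_root(leaves)          # published, witnessed log head
    proof = inclusion_proof(leaves, 2)  # proof for the third entry
    genuine = update_is_logged(b"update-3", 2, len(leaves), proof, root)
    covert = update_is_logged(b"update-3-backdoored", 2, len(leaves), proof, root)
    return genuine, covert  # returns (True, False)
```

A backdoored binary that was never logged cannot reuse a legitimate proof: its leaf hashes to a different root than the witnessed head, so the device rejects it.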
Here, I want to provide a bit more depth regarding the “why” and the overall impact of this change. This is not merely an incremental update; it constitutes one of the most important privacy infrastructure improvements in history, fundamentally altering the threat model of software distribution.
Without binary transparency, how can software be modified to undermine security and privacy? Supply chain compromises and insider threats have allowed adversaries to add arbitrary malicious code. Similarly, a secretly compelled legal order or court mandate requiring the provider to push a targeted, backdoored update could also cause this. The severe systemic risks of such mandated exceptional access have been thoroughly documented by security researchers, demonstrating that introducing compelled backdoors inevitably compromises the entire consumer ecosystem.
Full binary transparency makes covert distribution infeasible.
Signal implemented binary transparency using reproducible builds to prove that its compiled application matches its public source code. However, this verification is only supported on Android; Apple makes reproducible builds impossible for apps.
To date, no other consumer operating system has embraced Android’s level of binary transparency. While TEE-based transparency is gaining traction within cloud environments (technology Google has also pioneered in global-scale consumer AI platforms), the absence of device-side verification creates a critical vulnerability. If the software on your device is compromised, it doesn’t just undermine local privacy; it can surreptitiously intercept and replace the very cloud services your device relies upon. Without this end-to-end audit trail, users remain vulnerable to covert modifications that jeopardize their entire privacy posture. Ultimately, providing binary transparency for cloud services without extending it to the device and client software users directly interact with is security theater.
Eventually all major platforms and consumer-scale applications that process sensitive data will support binary transparency; it’s the right thing to do for privacy. And we’ll look back on Android full binary transparency as the bellwether for this paradigm shift in scaled consumer privacy.

