Google Open Sources Security Patch Validation Tool for Android

Google has announced the open source availability of Vanir, a patch validation tool for Android platform developers.

Google on Thursday announced the open sourcing of a patch validation tool that helps Android platform developers scan their code for missing security patches.

Called Vanir, the tool relies on automation to accelerate patch validation, helping original equipment manufacturers (OEMs) ensure that their devices receive security updates faster.

“By open sourcing Vanir, we aim to empower the broader security community to contribute to and benefit from this tool, enabling wider adoption and ultimately improving security across various ecosystems,” the internet giant says.

Vanir is meant to streamline the vulnerability mitigation workflow on Android, which is currently a multi-stage process where upstream AOSP developers push upstream patches and downstream manufacturers assess the impact and backport the fixes.

The process poses scalability challenges for manufacturers that manage a broad range of devices with complex update histories; Google says the new tool addresses these challenges, helping ensure that devices receive protections in a timely manner.

Vanir relies on source-code-based static inspection to analyze entire codebases against known vulnerable code patterns, has low false-alarm rates, and can handle broad classes of code changes, effectively identifying missing patches.

According to Google, which has been using the tool internally for two years, users can generate signatures for supported vulnerabilities by providing Vanir with the source files that contain the security patches.
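To make the signature-based approach concrete, here is an added Python example (not Vanir's code, and a deliberate simplification of whatever matching Vanir actually performs): it derives a normalized line-sequence signature for each hunk from the vulnerable and patched versions of a file, then checks whether a downstream tree still contains the vulnerable sequence. The C function, its bounds-check fix and the downstream copy are constructed samples, not a real Android patch.

```python
import difflib
import re

def normalize(line: str) -> str:
    """Drop comments and collapse whitespace so cosmetic edits do not hide a match."""
    return " ".join(re.sub(r"//.*$|/\*.*?\*/", "", line).split())

def norm_lines(src: str) -> list[str]:
    """Normalize every line of a file and drop the empty ones."""
    return [n for n in map(normalize, src.splitlines()) if n]

def build_signatures(vulnerable_src: str, patched_src: str, context: int = 1):
    """One signature per hunk: the normalized pre-patch lines the fix touched,
    plus `context` unchanged lines on each side so the pattern is specific."""
    before, after = norm_lines(vulnerable_src), norm_lines(patched_src)
    matcher = difflib.SequenceMatcher(None, before, after)
    return [before[max(0, i1 - context):i2 + context]
            for tag, i1, i2, _, _ in matcher.get_opcodes() if tag != "equal"]

def contains(signature: list[str], src: str) -> bool:
    """True if the signature occurs as a contiguous run of normalized lines in src."""
    lines, n = norm_lines(src), len(signature)
    return n > 0 and any(lines[i:i + n] == signature for i in range(len(lines) - n + 1))

def missing_patches(signatures, downstream_src: str) -> int:
    """Count hunks whose vulnerable code is still present in the downstream tree."""
    return sum(contains(sig, downstream_src) for sig in signatures)

# Constructed sample (not a real Android patch): one C function before and after
# an illustrative bounds-check fix, and a downstream copy that never got the fix.
VULNERABLE = """int copy_name(char *dst, const char *src, size_t len) {
    memcpy(dst, src, len);
    return 0;
}"""
PATCHED = """int copy_name(char *dst, const char *src, size_t len) {
    if (len > NAME_MAX)
        return -EINVAL;
    memcpy(dst, src, len);
    return 0;
}"""
DOWNSTREAM_UNPATCHED = """int copy_name(char *dst, const char *src, size_t len) {
\tmemcpy(dst, src, len);  /* copied verbatim from upstream */
\treturn 0;
}"""

SIGS = build_signatures(VULNERABLE, PATCHED)
# Self-check that keeps false alarms low: a signature must never match the fixed code.
assert missing_patches(SIGS, PATCHED) == 0
```

A real tool must also survive refactors that reorder or rename code, which is exactly the "broad classes of code changes" the article credits Vanir with handling; this line-level matcher only tolerates whitespace and comment differences.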

“Android’s successful use of Vanir highlights its efficiency compared to traditional patch verification methods. A single engineer used Vanir to generate signatures for over 150 vulnerabilities and verify missing security patches across its downstream branches – all within just five days,” Google says.


Currently, Vanir supports C/C++ and Java, covering 95% of the Android, Wear, and Pixel vulnerabilities in the Android kernel and userspace that have public security patches. The signatures for Android flaws are published through the Open Source Vulnerabilities (OSV) database.

Fully open sourced under the BSD-3 license, Vanir is developed as both a standalone application and a Python library, and it is integrated into a continuous testing pipeline at Google.

According to the internet giant, relatively small modifications could make Vanir suitable for other ecosystems, and for purposes beyond security patch validation, such as licensed code detection or code clone detection.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
