Case study

Hardened Android OS with custom provisioning and app ecosystem

Developed a custom hardened OS with encrypted provisioning, custom app store, secure updater infrastructure, and SystemUI modifications for secure deployments.

Security hardening · Device Management / Kiosk / Provisioning · SystemUI & Features

Problem

The client needed a hardened Android OS for secure applications where standard Android security wasn't sufficient. They required custom app delivery outside of Google Play, secure OTA infrastructure they controlled, encrypted device provisioning, and UI modifications that fit their security requirements.

Work

Security hardening:

  • Disabled Bluetooth and NFC at the platform level to reduce attack surface
  • Blocked USB access in specific scenarios to prevent data exfiltration
  • Applied additional security patches to close off known attack vectors
  • Hardened SELinux policies for the custom system components

Custom provisioning system:

  • Built encrypted QR code provisioning during device setup
  • Stored provisioning data (device expiration, configuration) that client apps could access later
  • Implemented secure key handling for the provisioning credentials

App ecosystem and updates:

  • Developed a custom app store with server backend integration
  • Built secure OTA updater infrastructure with client-side verification
  • Ensured updates could be delivered and validated without relying on Google's infrastructure

SystemUI and framework modifications:

  • Modified keyguard, SystemUI, and Settings app to match client UI requirements
  • Added custom APIs for eUICC provisioning (eSIM management)
  • Implemented various UI changes while maintaining security posture

Result

The client deployed a hardened Android distribution with full control over app delivery, updates, and device provisioning. The custom OS met their security requirements while providing the flexibility to manage devices independently of Google services.

Deliverables

  • Hardened Android OS build with disabled attack surfaces
  • Custom app store client and server integration
  • Secure OTA updater infrastructure and client implementation
  • Encrypted QR code provisioning system
  • Custom eUICC provisioning APIs
  • Modified SystemUI, keyguard, and Settings components
  • Security documentation and hardening checklist