Mobile Threat Catalogue

Supply Chain

Mobile devices are designed, manufactured, distributed, used, and disposed of in a manner similar to other commercial electronics. Unique threats to mobile devices exist at every part of this lifecycle. Supply chain threats are particularly difficult to mitigate because mobile device components are under constant development and are sourced from tens of thousands of original equipment manufacturers (OEMs). Some subcomponents of mobile devices (e.g., baseband processors) require matched firmware developed by the OEM. This firmware can itself contain software vulnerabilities and can increase the overall attack surface of the mobile device.

Different layers of the mobile device technology stack are owned or controlled by a variety of organizations. In the case of Apple’s highly vertically integrated iOS devices, Apple develops the mobile operating system as well as the majority of the specialized firmware and hardware components. In contrast, Google’s Android ecosystem is almost completely vertically sliced, with both hardware and software components being supplied by tens of thousands of vendors. Google does not manufacture any hardware components, although it does form partnerships to create the Google-branded Nexus series of Android reference devices. An independent handset manufacturer may design a majority of the hardware and firmware that operate an Android device, and may even customize the Android user interface; however, it still needs Google’s core Android OS to be part of the massive Android application ecosystem. This entire design and manufacturing process has the potential to markedly influence the security architecture of the resulting mobile device.