Simple Opinionated AOSP builds by an external Party (SOAP)

The SOAP project aims to build AOSP in a reproducible manner and identify differences to the reference builds provided by Google. As reference builds we track a selection of the following:

• Factory images for phones by Google
• Generic system images as provided by Android CI

The project enables the broader Android community, as well as any interested third parties, to track differences differences between AOSP and official Google builds. Furthermore, it can act as basis for future changes improving the reproduceability of Android.

Reproducible builds in general

Reproducible builds in general have been widely recognized as an important step for improving trust in executable binaries. More general information on reproducible builds can be found at . More specifically for Android, increased reproduceability bridges the gap between source code provided by the AOSP and the factory images running on millions of Google phones today.

Project goals

Our first primary goal, building AOSP in a reproducible manner, should be achieved (or at least we attempt to) by a collection of simple shell scripts that are based on the official instructions from the Android source documentation. These will be released as open source, enabling verification of our process. Furthermore, it should allow third parties (even without the technical knowhow) to create their own Android images that match ours. We anticipate (and this appears to be the initial result of preliminary testing) that there are still some differences that can’t be trivially accounted for.

Thus, our second goal, analyzing the differences between our builds and reference ones, plays an important role as well. Uncovered diffs between aforementioned builds are made accessibly via a web interface. Furthermore we aggregate these diffs (number of added/deleted lines). Such a quantitative analysis allows a big picture view of trends of this subject. Note that some differences are expected (e.g. due to signing keys), all of these instances will be documented.

Project results

Our build and comparison environment has initially been created by Manuel Pöll during his bachelor thesis project and is available on Github under the Apache License, Version 2.0.

Detailed design decisions, results, and interpretations can be found in our paper and in the bachelor thesis:

• Manuel Pöll and Michael Roland: “Automating the Quantitative Analysis of Reproducibility for Build Artifacts derived from the Android Open Source Project”, in WiSec ‘22: 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks, San Antonio, TX, USA, ACM, 2022 (accepted for publication).
• Manuel Pöll: “An Investigation into Reproducible Builds for AOSP”, Bachelor’s thesis, Johannes Kepler University Linz, Institute of Networks and Security, 2020.

Reports

Results for builds performed by us can be found here. The links contain the AOSP source tag (or Google build id), build target and build environment for both the reference AOSP build and ours. For each of these we provide the following reports for all analyzed build artifacts:

• Detailed reports show unified diffs between builds, while
• Diff change visualizations provide a simple treemap visualization highlighting the distribution of changes within an artefact.