The Russian Association of Software Product Developers (ARPP) " Отечественный софт " has proposed establishing trust criteria for mobile operating systems based on the Android Open Source Project (AOSP) when used in critical information infrastructure facilities and for state corporations. The main goal of this proposal is to minimize the risks associated with the security and confidentiality of data on such platforms.
The main risks associated with AOSP include the lack of regular security updates, the possible placement of builds on foreign servers, the risk of data leaks due to built-in Google services, and licensing risks when using AOSP without agreement with the American corporation. These problems, according to ARPP, may threaten the security of critical infrastructure, including energy, finance, transport and communications facilities, as well as state information systems.
According to experts, including the head of the ARPP committee on ecosystems of Russian mobile products, Oleg Karpitsky, these risks are particularly relevant for systems operating under increased security requirements. Karpitsky also emphasized that the risks arise due to the peculiarities of the AOSP development model, which does not provide for a system of constant security updates, and the development process itself has limitations. To solve these problems, ARPP proposed amending the regulation and creating new trust criteria for operating systems based on AOSP for use in such areas.
Representatives of companies developing operating systems based on AOSP in Russia, such as Yadro (KvadraOS), «Ред софт» («РЕД ОС М») and «Атол» (ATOL OS), support the introduction of criteria to improve security. For example, «РЕД ОС М» already fully complies with the stated requirements, as the development and assembly of the system is carried out in Russia, without the use of foreign services, and it supports Russian information security tools.
Some experts note that the main risk lies in the insufficient qualifications of specialists who may not notice malicious code in the system. In turn, specialists in the development of ATOL OS emphasized that their system offers the possibility of completely disabling Google Mobile Services, which increases the security of devices, and also allows flexible configuration of security policies, which is important for critical infrastructure facilities.
The introduction of new trust criteria for AOSP systems can significantly improve security when used in state information systems and at critical infrastructure facilities, minimizing potential threats.
Read materials on the topic:
Russian state-owned companies may be required to fully switch to domestic software
Microsoft Replacement: Russian RED SOFT talks about future plans
