OTA Security / Contract Manufacture

User avatar
billiam
Posts: 5
Joined: Tue Jul 24, 2018 8:20 pm

OTA Security / Contract Manufacture

Postby billiam » Wed Mar 11, 2020 8:31 pm

We will be manufacturing our product offshore. The plan is to provide the manufacturer with a basic app binary that will enable secure boot and flash encryption then reboot and run some diagnostics, and then pull down our application binary from a secure server in the cloud using https.

My issue/question concerns the inital binary loaded on the factory floor. This binary, the first ever run on our hardware needs to be loaded in unencrypted form as far as I can tell from the docs. It seems like an unscrupulous CM could hex dump/dissassemble this binary and get ahold of our OTA url and auth strings. Then they could use wget and pull our unencrypted app binary which has valuable intellectual property within to their computer (the https tunnel provided by OTA serving only to validate our server is legit and protect the binary from prying eyes while in transit).

Has anybody solved this problem definitively? Am I missing an important detail?

Who is online

Users browsing this forum: Baidu [Spider] and 186 guests