The Build Test Suite (BTS) operates directly on software builds. It scans device images for preloaded malware and other Potentially Harmful Applications (PHAs) that may have been introduced by OEMs’ vendors and suppliers. BTS incorporates the same technology currently used for security scanning and analysis of applications installed via Google Play.
Starting April 1st, 2018, all partners MUST begin uploading their software builds to Google as described in their partnership agreements. Submission of software builds will be in addition to the existing test reports required for Google build approval.
Note: Partners are still responsible for vetting and reviewing all software that is distributed on their devices. Google continuously updates our databases and detection techniques for malware and security threats, but we may not always be able to detect an issue at the time of your build submission.
Submitting builds for BTS
Partners must submit whole software builds. Submissions of individual APKs are not supported. Google only scans APKs in the context of the whole build. As BTS develops, we will look beyond just the APKs in the filesystem images.
Enrollment for MADA partners
Partners can upload software builds in one of the following ways:
- Google Drive: Your TAM will share a Google Drive folder that you can copy your builds to.
- SFTP Dropbox: You can ask your TAM to set up a Secure File Transfer Protocol (SFTP) account for you so that you can upload your build software.
- Submission via 3PL: Submit firmware to your 3PL certifier using one of the supported formats.
Caution: Submitting software builds using Google Drive will affect your Google Drive storage quota. Files placed in Google Drive are copied into the BTS pipeline once per day. Once the results show up in APFE, you can delete old images to recover the quota. If you are submitting a lot of images at the same time, you may need to purchase additional Google Drive quota or ask you TAM to set up an SFTP dropbox.
Submit software builds
For each build that you submit to APFE, you should upload a single compressed archive (.zip, .rar, or .tgz) containing the Software Build in a supported format. The archive should be named according to the build fingerprint, substituting forward slashes (“/”) and colons (“:”) with tildes (“~”). This helps reconcile the file with the reports in APFE.
If you have a zip file containing partition images that can be flashed using fastboot for a build with the fingerprint:
the file should be named:
Partners may submit additional software builds, although these submissions should be accompanied by at least a signature CTS report in APFE so that the results are available. Early submissions may help identify issues early on in the build process. We discourage submitting daily or continuous integration builds as those provide limited usefulness.
Build Test Suite analysis
BTS runs automatically on Google’s infrastructure in the background. The process depends on internal services that cannot be made available offline.
When BTS finishes, the results appear on APFE.
If BTS does not detect any issues, then the build approval process will proceed as normal, subject to the results of other test reports uploaded.
Any suspected PHAs or other issue will be treated as test failure and will prevent build approval. Google can only share the package name and class of malware for any PHA. We cannot provide details on the possible impact of the PHA, its behavior, or how that behavior was detected.
If Google finds an issue after the build has been approved, your TAM will contact you. Partners must address new issues promptly and release an updated build that fixes the issue in accordance with their partnership agreements. New builds that still contain the issue will not be approved.
If you believe that an APK was incorrectly flagged, escalate to your TAM and provide as much detail as possible about the intended functionality of the app. Include details about the file’s origin, particularly if it was made in-house or by a supplier. Google will investigate and deal with these apps on a case-by-case basis.
Supported software build formats
BTS requires the following partition images in a .zip (PKZIP) or .tgz (gzipped unix .tar) file:
- system.img – The filesystem image mounted at /system on the device.
- vendor.img – The filesystem image mounted at /vendor on the device.
- oem.img – The filesystem image mounted at /oem on the device.
- userdata.img – The filesystem image mounted at /data on the device. This is especially important if you pre-load or cache applications in the data partition to improve the out-of-box (OOB) boot time.
- boot.img – The Linux Kernel and Ramdisk used to boot Android.
- recover.img – The recovery image that the Linux Kernel and Ramdisk use for the device to boot to during recovery or to handle the command adb reboot recovery.
Note: The vendor.img and oem.img are only required if the build uses separate vendor and oem partitions, otherwise it is expected this content is part of the system image.
The images and filenames above are produced by the AOSP build system, and they can be applied to an unlocked OEM device using fastboot if the device’s bootloader support fastboot.
These filesystem images should be in Ext4, SquashFS, or F2FS format. Partners should use the sparse format for the partition image to reduce the space and upload size for filesystems with free space on them.
Other firmware formats
Google supports the following firmware formats used by various OEM, ODM, and SOC flashing tools:
- Mediatek firmware used with Mediatek’s spflashtool
- Spreadtrum PAC file format1
- Qualcomm’s QFIL format
- .NB0 format
Partners whose firmware is available in one of these formats may upload those formats, in a .zip, .tgz, or .rar file, instead of a fastboot archive. If you cannot provide firmware in one of the known formats, reach out to your TAM.
Note: Google does not accept firmware in self-extracting executables and does not accept password protected archive files.
Requesting an SFTP account
Larger OEMs may prefer submitting builds using SFTP because
- SFTP does not require Google Drive quota.
- BTS begins as soon as the upload completes.
- Partners can use a wide range of SFTP client software.
- SFTP is easier to integrate into automated build, QA review, and submission processes.
Contact your TAM to set up an SFTP account for uploading firmware images. You will need to generate an SSH2 RSA identity key pair for authentication and share the public key with your TAM. Once your SFTP account and dropbox have been configured, your TAM will provide you with the connection details for your SFTP account.
Generating an SSH Identity key pair
On Linux, use the following command, replacing “my_key” with a suitable key name:
$ ssh-keygen -t rsa -f my_key
This command will generate a private key,
my_key, and a public key,
my_key.pub. Your TAM will need the public key to set up your SFTP account.
Partners using a Microsoft Windows system can use the PuTTY client to generate SSH keys following these instructions.