Capstone · GoogleTeam · CeterasRole · Product Design + ResearchYear · January 2025 to June 2025

Google Android Security

A capstone project with Google automating Android security patch porting — using LLMs and agentic workflows to cut patch deployment time by 83%, from 30 minutes to 5 minutes per vulnerability.

Google Android Security — patch porting automation
Redacted for NDA
Overview

Automating Android security patch porting with LLMs.

Google Android Security is a capstone project developed in partnership with Google, addressing the time-intensive and error-prone process of backporting security patches across the Android ecosystem. The system uses LLMs and agentic workflows to automate what engineers previously resolved by hand.

Built by team Ceteras — Carolyn Chen, Enrico Pratama, Eugene Wongso, and Theophila Setiawan — through the UW iSchool capstone program.

Team
Carolyn ChenEnrico PratamaEugene WongsoTheophila Setiawan
Partner
Google × UW iSchool
My role
Product Design · Research · Product Engineer
Year
January 2025 to June 2025
The problem

Security patch backporting is slow, manual, and inconsistent.

In the Android ecosystem, security patches developed upstream must be ported to dozens of downstream branches maintained by OEM partners. Tools like git cherry-pick handle simple cases, but many patches require manual resolution due to structural or API differences — a process that averages 30 minutes per vulnerability.

This manual effort slows patch deployment, increases the risk of inconsistent security coverage across devices, and places a heavy recurring burden on engineers across OEM partners at scale.

30minaverage time per patch, manually
128×Android downstream versions tested
262merge conflicts evaluated
Solution

A four-stage automated pipeline.

The pipeline ingests Vanir vulnerability reports and runs them through a sequential pipeline — parsing, applying, fixing, and validating — so engineers receive a ready-to-merge patch rather than a conflict to resolve by hand.

01Vanir ParserParses Vanir reports into structured format for pipeline processing.
02Patch AdopterApplies upstream diffs to downstream Android codebases for all vulnerabilities.
03LLMFixes failed patches using code context and iterative refinement with agentic workflows.
04ValidationChecks patch correctness via automated build and test.
Evaluation

Tested across 128 downstream versions.

Evaluated against 262 merge conflicts using a multi-dimensional metrics suite to measure patch quality and similarity to ground-truth human-resolved patches.

  • Length metricsCharacters, tokens, lines
  • Edit distanceToken-level edit distance
  • SimilarityNormalized edit similarity, cosine similarity, CodeBERT similarity
  • Manual handcheckHuman verification of patch correctness
Reduced average patch-porting time from ~30 min to ~5 min per vulnerability.
Key result · ±83% efficiency gain
Design process

Translating workflow into GUI.

10-stage patch-porting workflow diagram

Before designing any screens, I mapped the full workflow as ten distinct stages — from vulnerability ingestion through to patch validation. Laying them out sequentially made visible what the system was actually doing at each step, and where decisions were made by rules versus by the model.

Translating that into the GUI meant treating each stage as its own card in a stepper — scoped, legible, and unambiguous about what action, if any, the engineer needed to take.

Step types
Deterministic
Rule-based steps with predictable, traceable outputs.
AI-driven
Model-driven steps requiring reasoning over code context.
Each card answered one question: what does the engineer need to know, and what do they need to be able to do, at this exact step?
The interface

Three principles behind every screen.

GUI stepper interface for patch porting
Redacted for NDA
01TransparencyEach stage surfaced what the system was doing and why — the CVE being processed, conflict type detected, model selected, strategy applied. Nothing happened off-screen.
02Familiar workflowThe stepper mirrored the mental model engineers already had for patch porting — a structured version of their existing process, not a new one to learn.
03Always orientedA progress indicator at each card showed the exact step (4 of 8, 5 of 8) with status colors and timing — so engineers always knew what had finished, what was running, and what was next.
Usability testing

Tested against three principles. Then pivoted.

We ran usability testing sessions with Android security engineers, evaluating the GUI against the three design principles that guided every screen. The sessions confirmed what the design was doing right — and surfaced a more fundamental problem with the medium itself.

The GUI checked every box. But engineers live in the terminal — and pulling them out of it created friction no interface could fix.
The pivot
Engineers who tested the tool lived in their terminal — switching into a GUI interrupted that flow, no matter how well-designed. We rebuilt the interface as a CLI, and the tool finally felt like it belonged in their workflow.
Reflection

Good design is meeting people inside the workflows they already trust.

When I first took this role, I was genuinely excited because this would be the first time I'd work on the technical side of a project. I got to explore LLM prompting, feed context into the model to shape desired outputs for our AI tooling, and contribute to designing our evaluation metrics. Working closely with the same technology I'd been using every day, but now from the inside, was fascinating.

Early on, I designed a graphical user interface for our end users (Android security engineers), assuming a visual tool would make patch porting more approachable. But after gathering feedback, we pivoted to a command-line interface, because that was the environment they already lived in. Learning to build a CLI was a technical lift, but the bigger lesson was about design itself: good design isn't about introducing something better in the abstract; it's about meeting people inside the workflows they already trust. A polished GUI that pulls an engineer out of their terminal creates friction, no matter how well-crafted it looks.

This reframed how I think about AI tooling more broadly. When the underlying system is a black box, like an LLM making patch decisions, familiarity in the surrounding interface becomes a form of transparency. Engineers could read our tool's output, trace its reasoning, and intervene in the same environment where they'd normally review a diff. The CLI didn't just match their habits; it made the AI feel legible, like another tool in their pipeline rather than a separate system asking for their trust.

What's next

Research paper, further development, open sourcing.

The team is working toward publishing a research paper on the approach and results, continuing development of the pipeline, and open sourcing the tool so the broader Android security community can build on it.

For me, this project deepened my understanding of where design sits in systems-level engineering work — how to contribute meaningfully to a technically complex product without losing sight of the human judgment that still matters at each step.

thanks for sté-ing

Sté is short for Steven— and it's a small wink at stay. It's the thread running through my work: design that invites people to stay engaged, art that holds attention, fragrances that linger long after the wearer leaves the room. Welcome. Sté with me a while.

Sté — Resume