[wlug] Android Users' Security and Privacy At Risk From Shadowy Ecosystem of Pre-Installed Software, Study Warns

Peter Reutemann fracpete@w...
Tue Mar 26 12:16:35 NZDT 2019

'Researchers behind a large-scale independent study of pre-installed
Android apps "unearthed a complex ecosystem of players with a primary
focus on advertising and 'data-driven services' -- which they argue
the average Android user is likely to be unaware of (while also likely
lacking the ability to uninstall/evade the baked-in software's
privileged access to data and resources themselves)," reports
TechCrunch. From the report:

The study, which was carried out by researchers at the Universidad
Carlos III de Madrid (UC3M) and the IMDEA Networks Institute, in
collaboration with the International Computer Science Institute (ICSI)
at Berkeley (USA) and Stony Brook University of New York (US),
encompassed more than 82,000 pre-installed Android apps across more
than 1,700 devices manufactured by 214 brands, according to the IMDEA
institute. "The study shows, on the one hand, that the permission
model on the Android operating system and its apps allow a large
number of actors to track and obtain personal user information," it
writes. "At the same time, it reveals that the end user is not aware
of these actors in the Android terminals or of the implications that
this practice could have on their privacy. Furthermore, the presence
of this privileged software in the system makes it difficult to
eliminate it if one is not an expert user."

In all, 1,200 developers were identified behind the pre-installed
software they found in the data-set they examined, as well as more
than 11,000 third party libraries (SDKs). Many of the preloaded apps
were found to display what the researchers dub potentially dangerous
or undesired behavior. The data-set underpinning their analysis was
collected via crowd-sourcing methods -- using a purpose-built app
(called Firmware Scanner), and pulling data from the Lumen Privacy
Monitor app. The latter provided the researchers with visibility on
mobile traffic flow -- via anonymized network flow metadata obtained
from its users. They also crawled the Google Play Store to compare
their findings on pre-installed apps with publicly available apps --
and found that just 9% of the package names in their dataset were
publicly indexed on Play. Another concerning finding relates to
permissions. In addition to standard permissions defined in Android
(i.e. which can be controlled by the user) the researchers say they
identified more than 4,845 owner or "personalized" permissions by
different actors in the manufacture and distribution of devices. So
that means they found systematic user permissions workarounds being
enabled by scores of commercial deals cut in a non-transparent
data-driven background Android software ecosystem.

The researchers address the lack of transparency and accountability in
the Android ecosystem by suggesting the introduction and use of
certificates signed by globally-trusted certificate authorities, or a
certificate transparency repository "dedicated to providing details
and attribution for certificates used to sign various Android apps,
including pre-installed apps, even if self-signed." They also suggest
Android devices should be required to document all pre-installed apps,
plus their purpose, and name the entity responsible for each piece of
software -- and do so in a manner that is "accessible and
understandable to users."'

-- source:

Cheers, Peter
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
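The post above mentions two findings that a device auditor can check for directly: pre-installed apps declaring their own "personalized" (vendor-defined) permissions on top of the standard Android ones, and the role of signing certificates in deciding who gets to hold those permissions. The script below is an added illustration, not the study's own tooling (the researchers used their Firmware Scanner app and Lumen data) and not code from the wlug list. It parses decoded AndroidManifest.xml text such as apktool produces, separates platform permissions (`android.permission.*`, `com.android.*`) from custom ones, and cross-references which pre-installed package declares each custom permission, at what `protectionLevel`, and which other packages request it. A `signature`-level custom permission is only granted to apps signed with the same certificate as the declaring app, which is exactly why certificate attribution matters. The two manifests and package names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NS_NAME = f"{{{ANDROID_NS}}}name"
NS_LEVEL = f"{{{ANDROID_NS}}}protectionLevel"

# Permissions with these prefixes are defined by AOSP itself; anything else
# is treated as a vendor/partner-defined ("custom") permission.
PLATFORM_PREFIXES = ("android.permission.", "com.android.")

# Constructed sample manifests standing in for two decoded pre-installed apps.
# Package and permission names are hypothetical, not taken from the study.
SAMPLE_MANIFESTS = [
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.vendor.telemetry">
      <permission android:name="com.example.vendor.permission.READ_DEVICE_STATS"
                  android:protectionLevel="signature" />
      <uses-permission android:name="android.permission.READ_PHONE_STATE" />
      <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
      <uses-permission android:name="com.example.vendor.permission.READ_DEVICE_STATS" />
    </manifest>""",
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.adsdk.host">
      <uses-permission android:name="android.permission.INTERNET" />
      <uses-permission android:name="com.example.vendor.permission.READ_DEVICE_STATS" />
    </manifest>""",
]


def parse_manifest(xml_text):
    """Return (package, {declared permission: protectionLevel}, [requested permissions])."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    # Custom permissions are declared with <permission>; "normal" is the default level.
    declared = {p.get(NS_NAME): p.get(NS_LEVEL, "normal") for p in root.findall("permission")}
    requested = [u.get(NS_NAME) for u in root.findall("uses-permission")]
    return package, declared, requested


def is_platform_permission(name):
    return name.startswith(PLATFORM_PREFIXES)


def inventory(manifests):
    """Cross-reference custom permissions across a set of pre-installed apps.

    Maps each custom permission to the package that declares it, its
    protection level, and every package that requests it.
    """
    custom = defaultdict(lambda: {"declared_by": None, "protection": None, "requested_by": []})
    for xml_text in manifests:
        package, declared, requested = parse_manifest(xml_text)
        for name, level in declared.items():
            if not is_platform_permission(name):
                custom[name]["declared_by"] = package
                custom[name]["protection"] = level
        for name in requested:
            if not is_platform_permission(name):
                custom[name]["requested_by"].append(package)
    return dict(custom)


def signature_gated(inv):
    """Custom permissions held only by apps signed with the declarer's certificate.

    For these, the signing certificate (not the user) decides who gets access,
    so the declarer's identity is the fact an auditor most wants attributed.
    """
    return sorted(n for n, info in inv.items()
                  if info["protection"] and "signature" in info["protection"])


if __name__ == "__main__":
    inv = inventory(SAMPLE_MANIFESTS)
    for name, info in inv.items():
        print(f"{name}: declared by {info['declared_by']} ({info['protection']}), "
              f"requested by {info['requested_by']}")
    print("signature-gated:", signature_gated(inv))
```

On a real device the input would be the decoded manifests of every package under /system, /vendor and similar partitions; a permission that is requested but declared by no package in the set points at a declarer outside the inventory, which is the kind of hidden actor the study describes.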
