Many Android vulnerabilities can be traced to manufacturer modifications

Nov 05, 2013 by Matt Shipman

(Phys.org) — Computer security researchers have found that Android smartphone manufacturers are inadvertently incorporating new vulnerabilities into their products when they customize the phones before sale, according to a recent study. On average, the researchers found that 60 percent of the vulnerabilities found in the smartphone models they evaluated were due to such "vendor customizations."

A paper describing the study is being presented Nov. 6 at the ACM Conference on Computer and Communications Security in Berlin, Germany.

Although Google creates the base Android platform that all Android smartphones use to operate, vendors – such as Samsung, Sony, and HTC – customize that platform to integrate their hardware. These vendors also incorporate applications they or their partners have developed.

A team led by NC State computer security researcher Xuxian Jiang sought to determine whether these customizations posed a security threat. Jiang is senior author of a paper describing the study.

The researchers looked at 10 representative Android smartphone models. They looked at an older model (version 2.x) and a newer model (version 4.x) from each of five manufacturers: Samsung, HTC, LG, Sony and Google. For those 10 models, vendor customizations were responsible for an average of 80 percent of the apps that came preloaded onto the phones.

"All 10 devices were vulnerable, based purely on the preloaded apps," Jiang says. "The older versions had an average of 22.4 vulnerabilities per device, while the newer versions had an average of 18.4 vulnerabilities per device. And the newer versions weren't always more secure. Some of the more recent models were actually less secure than their predecessors." Of the 10 models evaluated, the most recent Google device they looked at, the Nexus 4, had the fewest vulnerabilities.

Jiang's team discovered vulnerabilities including the ability to record audio without the user's permission, the ability to make phone calls without the user's permission, and the ability to wipe out the user's data.

"We also found that 85 percent of the preloaded apps were overprivileged," Jiang says. An app is considered "overprivileged" if its manifest requests permissions that its code never actually uses, so the user grants it more access than it needs. "Seeing this many overprivileged apps indicates that the programmers developing the vendors' apps are violating a well-known principle, i.e., the 'least privilege principle.'"
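The overprivilege check the article describes, as an added example (not code from the NC State study): it reads the `uses-permission` entries from a manifest, extracts the framework methods an app calls from its decompiled smali, and maps those calls to the permissions they require. Everything below is constructed for illustration: the manifest fragment, the smali fragment, and `API_PERMISSION_MAP`, which is a hand-written subset standing in for a full API-to-permission map.

```python
"""Flag permissions an Android app requests but never uses (least-privilege check).

Added example, not code from the paper. The permission map is a constructed
subset; a real audit needs a complete map generated from the platform source.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed, illustrative subset of an API-to-permission map.
# A set means "any one of these permissions satisfies the call".
API_PERMISSION_MAP = {
    "android.media.MediaRecorder.start": {"android.permission.RECORD_AUDIO"},
    "android.telephony.TelephonyManager.getDeviceId": {"android.permission.READ_PHONE_STATE"},
    "android.location.LocationManager.getLastKnownLocation": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "android.net.ConnectivityManager.getActiveNetworkInfo": {"android.permission.ACCESS_NETWORK_STATE"},
}

# Constructed manifest standing in for a vendor-preloaded app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendorapp">
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="VendorApp"/>
</manifest>
"""

# Constructed smali fragment (what a disassembler emits for the app's code).
SAMPLE_SMALI = """\
.method public onCreate(Landroid/os/Bundle;)V
    invoke-virtual {v0}, Landroid/media/MediaRecorder;->start()V
    invoke-virtual {v1}, Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo;
    invoke-virtual {v2, v3}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
.end method
"""

# Matches smali invoke-* instructions and captures the class and method name.
INVOKE_RE = re.compile(r"invoke-\w+(?:/range)?\s+\{[^}]*\},\s+L([\w/$]+);->(\w+)\(")


def declared_permissions(manifest_xml):
    """Return the set of permissions requested via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def extract_api_calls(smali):
    """Return framework methods invoked, as 'pkg.Class.method' strings."""
    calls = set()
    for m in INVOKE_RE.finditer(smali):
        cls = m.group(1).replace("/", ".")
        calls.add(f"{cls}.{m.group(2)}")
    return calls


def audit(manifest_xml, smali, perm_map=API_PERMISSION_MAP):
    """Compare requested permissions against those the code can actually exercise."""
    declared = declared_permissions(manifest_xml)
    needed = set()  # permissions that some invoked API could consume
    missing = {}    # APIs invoked with none of their required permissions declared
    for api in extract_api_calls(smali):
        perms = perm_map.get(api)
        if perms is None:
            continue  # unmapped call: no permission required, or map incomplete
        needed |= perms
        if not perms & declared:
            missing[api] = perms
    return {
        "declared": declared,
        "overprivileged": declared - needed,  # requested but never exercised
        "missing": missing,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, SAMPLE_SMALI)
    for perm in sorted(report["overprivileged"]):
        print("unused permission:", perm)
    for api, perms in report["missing"].items():
        print("call without permission:", api, sorted(perms))
```

On the constructed input the audit reports `CALL_PHONE` and `READ_PHONE_STATE` as requested but unused. Two caveats apply to any real run: the result is only as good as the permission map (an incomplete map inflates the overprivilege count), and code that reaches framework APIs through reflection or native libraries will not show up in the smali scan, so a flagged permission is a lead to confirm, not a verdict.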

Lei Wu, a Ph.D. student at NC State, is lead author of the paper, "The Impact of Vendor Customizations on Android Security." Co-authors are NC State Ph.D. students Michael Grace, Yajin Zhou, and Chiachih Wu.


User comments: 5

VendicarE
1 / 5 (1) Nov 05, 2013
Remember. Corporations have your best interest at heart.

VENDItardE
1 / 5 (11) Nov 05, 2013
Remember... Scott is "truly stupid".

VendicarE
1 / 5 (1) Nov 05, 2013
VendiTard is not named VendiTard on a whim. As a Tard, he chooses to refer to himself as a Tard.

Why this is, only Tards know or care.

Remember. Corporations have your best interest at heart.

julianpenrod
1 / 5 (11) Nov 05, 2013
This is only the tip of an ugly iceberg. In fact, hackers and programmers and software engineers are one and the same. They congregate at the same computer shows, communicate over the net, swap information and techniques. They all know each other's identity. No hacker ever attacked another hacker's computer and, likewise, no project for computer companies seems to have been affected by attacks. Software engineers inform hackers of vulnerabilities deliberately built into new software and operating systems and hackers exploit them. Often, they tell the engineers what to program in. There are any of a number of ways of protecting a system, but none of them have ever been utilized, because the corrupt forced consumption imperative is to force the gullible into buying ever larger systems. DOS systems never really erased files, but they never told the public. As a result, immense amounts of personal information are on old systems endangering security.

LagomorphZero
1 / 5 (10) Nov 05, 2013
Obviously, kwality is job number one!
