by Vinuri Bandara (IMDEA)

The research community has exhaustively analysed and put on the spotlight a lot of privacy and security abuses on applications published on mobile app markets like Google Play. However, pre-installed applications have not received so much attention despite their potential for causing security and privacy harm: they are privileged Operating System-level applications. In TRUST aWARE, we are actively developing new methodologies to gain a better understanding of the risks to which end-users can be exposed just by owning an Android handset.

The open-source nature of the Android operating system allows developers around the globe to implement their own custom versions of the Android OS. This openness gives the manufacturers (e.g., Samsung, LGE, Huawei) and even Mobile Network Operators (MNOs) the freedom to create their own versions of the Android operating system, including core applications that come pre-installed in any Android handset.

From a user experience point-of-view, we can see how device manufacturers can use the open source nature of the Android operating system as an opportunity to add more functionality to their core applications such as telephone, camera, contacts, etc. But from a security-point-of-view, customisation can introduce core applications with unnecessary permissions, trojans, and vulnerabilities such as backdoors. For example, in the year 2019, the Trissa Trojan malware was found embedded in one of the system libraries in several low-cost Android smartphones, such as Leagoo and Nomu [1]. 

The development practices, standards and security risks of different manufacturers have been studied in the research community [3][4] and all eventually reach the conclusion that there are significant privacy risks when it comes to Android OS customisation. Even Though the Android Compatibility Program [2] launched by Google is setting standards for the whole customisation process, it fails in acknowledging the over-the-top customisation some manufacturers might incorporate. 

Building on our prior experience in the analysis of mobile applications and the Android supply chain to measure and analyse the extent of the customisations applied by different android manufacturers. We examined core applications developed for some of the most sold handsets in the world, covering several android OS versions, and then quantified the amount of modifications done compared to the Android open source code.

In our analysis we are applying novel diffing techniques to identify these customisations at the source code level, by comparing the images of these handsets with a clean one that is obtained by compiling the Android Open Source project. Our results, while preliminary, show that most vendors actively customise Android core apps like the Telephony Manager.  

A first approximation, although simplistic, to measure how these customizations could affect users’ privacy is looking at the Android permissions requested by these pre-loaded apps. Simply, permissions of an application (or an apk) is how the application declares its need to access sensitive system resources or sensitive user data.

Looking at the above graph, it is clear that almost every top manufacturer in the world incorporates additional permissions into their core applications. For example, the email application by Xiami and SystemUI by Oppo seems to deviate from the Android open source project by a considerable amount, adding additional features and functionalities to the OS. 

These added permissions or services also reveal commercial relationships and partnerships that exist within the android supply chain. Within our analysis, we came across a popular Chinese brand that uses Sino sso (single Sign-on), which is a service by Sina Weibo. This service allows users to log into various 3rd-party applications without the hassle of creating new accounts for each one. They have integrated this service into their calendar core app, but this service requires ‘android.permission.dump’ service, which can be used to get low-level system information, such as device current status and information on its components. From a user and a security researcher standpoint, this may raise a red flag as an unnecessary and privacy intruding permission. 

We have only started to scratch the surface regarding the Android core application, which could pose severe security threats to end-users. Moderating these risks requires effective android compatibility validations and careful integration of third party libraries/SDKs, but most importantly a reminder on manufacturer’s responsibility for their customers.

[1] Dr. WEB. Trojan preinstalled on Android devices infects applications’ processes and downloads malicious modules. http://news.drweb.com/news/?i=11390&lng=en  [Online; accessed 23-March-2023]

[2] Android compatibility. http://source.android.com/compatibility/ 

[3] Liu H, Patras P, Leith DJ (2023) On the data privacy practices of Android OEMs. PLoS ONE 18(1): e0279942. https://doi.org/10.1371/journal.pone.0279942 

[4] Gamba, J., Rashed, M., Razaghpanah, A., Tapiador, J., & Vallina-Rodriguez, N. (2020, May). An analysis of pre-installed android software. In 2020 IEEE Symposium on Security and Privacy (SP) (pp. 1039-1055). IEEE.