The Impact of Vendor Customizations on Android Security - Embedded.com

The smartphone market has grown explosively in recent years, as more and more consumers are attracted to the sensor-studded multipurpose devices. According to IDC, smartphone vendors shipped a total of 482.5 million mobile phones in the fourth quarter of 2012 – levels nearly equal to those of feature phones. Meanwhile, among smartphones, Google’s Android captured almost 70% of the global smartphone market share last year, compared to about 50% the year before.

Android’s popularity is due in part to it being an open platform. Google produces a baseline version of Android, then makes it freely available in the form of the Android Open Source Project (AOSP).

Manufacturers and carriers are free to build upon this baseline, adding custom features in a bid to differentiate their products from their competitors. These customizations have grown increasingly sophisticated over time, as the hardware has grown more capable and the vendors more adept at working with the Android framework. Flagship devices today often offer a substantially different look and feel, along with a plethora of pre-loaded third-party apps.

From another perspective, vendor customizations will inherently impact overall Android security. Past work has anecdotally shown that Android devices had security flaws shipped in their pre-loaded apps. Note that stock images include code from potentially many sources: the AOSP itself, the vendor, and any third-party apps that are bundled by the vendor or carrier. It is therefore important to attribute each particular security issue back to its source for possible bug-fixes or improvements.

In this paper, we study vendor customizations on stock Android devices and assess the impact on overall Android security. In particular, we intend to determine the source of the security issues that trouble Android smartphone images, then further determine how the situation is evolving over time.

To that end, we developed a three-stage process to evaluate a given smartphone’s stock firmware image. First, we perform provenance analysis, aiming to classify each pre-loaded app into one of three categories: apps originating from the AOSP, apps customized or written by the vendor, and third-party apps that are simply bundled into the stock image. We then analyze, in two different ways, the security implications of each app:

(1) Permission usage analysis compares the permissions requested by the app with those that it actually uses, looking for apps that request more permissions than they use. This situation is known as permission overprivilege, and it indicates a poor understanding of the Android security model; and

(2) Vulnerability analysis, in comparison, looks for two general types of actual security vulnerabilities: permission re-delegation attacks and content leaks. Permission re-delegation attacks allow unprivileged apps to act as though they have certain sensitive permissions, while content leaks allow such apps to gain (unauthorized) access to private data.
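As an added example (not SEFA's code and not from the paper), the permission usage analysis of item (1) can be run over an app's manifest and its list of used APIs as follows. The API-to-permission map, package name and app records are constructed for illustration; permissions outside the map are reported as unknown rather than unused, so that they are not counted as overprivilege.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed subset of an API-to-permission map. Each API lists the
# permissions of which any one is sufficient to call it.
API_PERMS = {
    "android.telephony.TelephonyManager.getDeviceId":
        {"android.permission.READ_PHONE_STATE"},
    "android.telephony.SmsManager.sendTextMessage":
        {"android.permission.SEND_SMS"},
    "android.location.LocationManager.getLastKnownLocation":
        {"android.permission.ACCESS_FINE_LOCATION",
         "android.permission.ACCESS_COARSE_LOCATION"},
}
MAPPED = set().union(*API_PERMS.values())

def requested_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    return {n for n in names if n}

def analyze(manifest_xml, used_apis):
    """Split requested permissions into unused (overprivilege) and unknown."""
    requested = requested_permissions(manifest_xml)
    needed = set()
    for api in used_apis:
        needed |= API_PERMS.get(api, set())
    return {"unused": sorted((requested & MAPPED) - needed),
            "unknown": sorted(requested - MAPPED)}

def overprivileged_share(apps):
    """Fraction of apps that request at least one permission they never use."""
    flagged = [a for a in apps if analyze(a["manifest"], a["apis"])["unused"]]
    return len(flagged) / len(apps)

def manifest(*perms):
    """Build a constructed AndroidManifest.xml requesting the given permissions."""
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.preloaded">{uses}</manifest>')

# Constructed sample records: APP_A requests SEND_SMS but never sends SMS.
APP_A = {"manifest": manifest("READ_PHONE_STATE", "SEND_SMS",
                              "ACCESS_FINE_LOCATION", "INTERNET"),
         "apis": ["android.telephony.TelephonyManager.getDeviceId",
                  "android.location.LocationManager.getLastKnownLocation"]}
APP_B = {"manifest": manifest("READ_PHONE_STATE"),
         "apis": ["android.telephony.TelephonyManager.getDeviceId"]}
```
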

To facilitate our analysis, we implement a Security Evaluation Framework for Android called SEFA to evaluate stock smartphone images. Given a particular phone firmware image, SEFA first pre-processes it and imports into a local database a variety of information about the image, including the number of apps and a range of information about each app, such as the list of requested permissions, declared components, and the set of used Android APIs.

Then SEFA compares each pre-loaded app with various ones in the original AOSP to determine its source and further performs a system-wide data-flow analysis to detect possible vulnerabilities.

In our study, we have applied SEFA to ten flagship phone models from five popular vendors: Google, Samsung, HTC, LG, and Sony. For each vendor, we selected two phones: one from the current crop of Android 4.x phones, and one from the previous generation of 2.x devices.

This slate of devices allows us to do two comparative analyses: horizontal differential analysis compares the various manufacturers’ offerings for a given generation, while vertical differential analysis studies the evolution of any given vendor’s security practices chronologically.

Our evaluation results show that more than 81.78% of pre-loaded apps (or 76.34% of LOC) on stock Android devices are due to vendor customizations. It is worrisome to notice that vendor customizations were, on the whole, responsible for the bulk of the security problems suffered by each device. On average, 85.78% of all pre-loaded apps in examined stock images are overprivileged, with a majority of them directly from vendor customizations.

To read this external content in full, download the complete paper from the author archives at North Carolina State University.
