Most Android Security Flaws Come from Phone-Maker Apps

Source: Tom's Guide US | 7 comments

Sixty percent of Android security vulnerabilities result from apps and customizations added by device makers, researchers from North Carolina State University have found.

"Vendor customizations are significant on stock Android devices and, on the whole, responsible for the bulk of the security problems we detected in each device," stated the academic paper published by the research team.

However, there was one exception to the rule. Sony, which added hundreds of apps to its Xperia phones, seemed to have kept them just as safe as Google's "pure" Android Nexus phones.

The research team studied 10 Android "images," or complete software bundles, made for phones from five major manufacturers. Half the phones were released in 2011 and ran Android 2.2 Froyo or 2.3 Gingerbread; the other half were released in 2012 and ran Android 4.0 Ice Cream Sandwich or 4.2 Jelly Bean.

Google creates raw Android builds with only a couple of dozen apps, then releases them free of charge to device makers to do with as they wish. Most manufacturers add dozens of additional apps, with some even changing the look and feel of the main user interface, before finalizing the Android image for a particular device.

"Sixty-four percent to 85 percent of vulnerabilities we detected in examined images from every vendor (except for Sony) arose from vendor customizations," stated the paper.

The jump from Android 2 to Android 4 didn't help matters, despite the many significant security improvements made by Google in the interim.

"Newer smartphones, we found, are not necessarily more secure than older ones," wrote the team, which was led by Associate Professor of Computer Science Xuxian Jiang, author of several groundbreaking research papers on Android.

In three out of five cases, the number of vulnerabilities stayed roughly the same between a manufacturer's older and newer devices.

"These patterns were stable over time," the paper noted, "highlighting the need for heightened focus on security by the smartphone industry."

More than 85 percent of all preloaded apps — those present upon purchase of the device — were "overprivileged," the N.C. State team found. Overprivileged apps demand more permissions than they truly need to access parts of the Android operating system.
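The "overprivileged" check the study describes can be illustrated with a small permission audit. This is an added example, not the N.C. State team's tool: it reads the permissions an app declares in its manifest, looks up which permissions the API calls it actually makes require (using a constructed API-to-permission map as a stand-in for a full map such as PScout), and reports declared permissions that nothing in the app needs.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed subset of an API-to-permission map. Each API maps to the set of
# permissions any one of which satisfies it (location accepts FINE or COARSE).
API_PERMISSION_MAP = {
    "android.telephony.TelephonyManager.getDeviceId":
        frozenset({"android.permission.READ_PHONE_STATE"}),
    "android.location.LocationManager.getLastKnownLocation":
        frozenset({"android.permission.ACCESS_FINE_LOCATION",
                   "android.permission.ACCESS_COARSE_LOCATION"}),
    "java.net.HttpURLConnection.connect":
        frozenset({"android.permission.INTERNET"}),
    "android.telephony.SmsManager.sendTextMessage":
        frozenset({"android.permission.SEND_SMS"}),
    "android.hardware.Camera.open":
        frozenset({"android.permission.CAMERA"}),
}

# Constructed manifest for a hypothetical preloaded app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendorapp">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Constructed list of API calls found in the app's code (e.g. from bytecode analysis).
SAMPLE_API_CALLS = [
    "android.telephony.TelephonyManager.getDeviceId",
    "android.location.LocationManager.getLastKnownLocation",
    "java.net.HttpURLConnection.connect",
]

def declared_permissions(manifest_xml):
    """Return the set of permissions requested via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def audit(manifest_xml, api_calls):
    """Compare declared permissions against those the API calls require.
    'unused' = declared but never needed (overprivilege); 'missing' = needed
    by a call but not declared (the call would fail at runtime)."""
    declared = declared_permissions(manifest_xml)
    used, missing = set(), []
    for api in api_calls:
        alternatives = API_PERMISSION_MAP.get(api, frozenset())
        granted = alternatives & declared
        if alternatives and not granted:
            missing.append(api)
        used |= granted
    return {"unused": sorted(declared - used), "missing": sorted(missing)}
```

For the constructed app, `audit(SAMPLE_MANIFEST, SAMPLE_API_CALLS)` flags READ_CONTACTS and SEND_SMS as unused, which is exactly the kind of excess permission the study counted as overprivilege.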

The two Samsung phones in the study, the Galaxy S II running Gingerbread and Galaxy S III running Ice Cream Sandwich, were among the worst in terms of sheer security flaws, incurring 39 and 40 vulnerabilities respectively.

LG and HTC were in the middle of the pack, but while HTC's score got better from 2011 to 2012, LG's got worse. The HTC Wildfire S, running Gingerbread, had a whopping 40 vulnerabilities, yet the HTC One X, running Ice Cream Sandwich, had only 15.

"HTC made considerable progress between the release of the HTC Wildfire S and the One X," the paper stated, "possibly due to early exposure of a large proportion of security vulnerabilities in earlier HTC devices and the efforts made by the corporation to take security to heart ever since."

By contrast, the LG Optimus Me P350, running Froyo, had 17 security flaws; the LG Optimus 4X HD P880, running Ice Cream Sandwich, had 26.

The number of additional vendor-specific and third-party apps didn't strictly correlate to vulnerability. HTC's more secure One X had twice as many added-on apps as the less secure Wildfire S, and both had many more apps than either LG phone. Meanwhile, Sony and Samsung had roughly the same number of added apps on each of four phones between them, yet Sony's phones were much safer.

Not surprisingly, Google's own Nexus S and Nexus 4, which purportedly run unaltered "pure" Gingerbread and Jelly Bean, had among the lowest number of vulnerabilities, at 8 and 3 respectively. (The researchers found that even the Google phones had dozens of unnecessary Google apps that don't come with the raw Android Open Source Project build, such as Gmail, Google Maps and YouTube.)

But the real breakout star was Sony. Its Xperia Arc S (Gingerbread) and Xperia SL (Ice Cream Sandwich) had only 8 vulnerabilities each, despite the presence of more than 150 additional apps on each phone.

In fact, on a per-app basis, Sony's phones were safer than Google's Nexus S, and just as safe as the Nexus 4.

"Sony's standout performance does not appear to be accidental," said the researchers' paper.

The researchers noted that Sony had taken meticulous care to secure its added apps, and had even fixed an Android vulnerability that Google overlooked.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

  • -1
    _Cosmin_ , November 8, 2013 3:31 AM
    The whole article was just to praise Sony?
    How about Motorola?
  • 0
    house70 , November 8, 2013 4:50 AM
    " (The researchers found that even the Google phones had dozens of unnecessary Google apps.)"

    What/who dictates necessity? What is necessary for you may be useless for me and vice versa.
  • 0
    DarkSable , November 8, 2013 11:20 AM
    Mmm, glad to be reading this - my Nexus 5 should be getting here sometime today!
  • 0
    rwinches , November 8, 2013 11:21 AM
    Never mind all that crap.
    Where can I get those Cool Collectable Android Figures?!!!
    Inquiring minds want to know.
    They are the new Beanie Babies - must have them all.
  • 0
    rwinches , November 8, 2013 11:24 AM
    I found them and more on Amazon of course
    http://www.amazon.com/s/ref=a9_sc_1?rh=i%3Atoys-and-games%2Ck%3Aandroid+collectible+figures&keywords=android+collectible+figures&ie=UTF8&qid=1383938636
  • 0
    MackenzieNFisher , November 10, 2013 9:43 AM
    just before I saw the bank draft which was of $4589, I have faith ...that...my brothers friend could actually making money part time on their laptop.. there uncles cousin haz done this 4 less than twenty three months and recently paid for the depts on there home and got Mercedes-Benz S-class. their explanation ...WWW.Works23.COM
  • 0
    hoofhearted , November 15, 2013 7:00 AM
    Where oh where is Android DeCrapifier. I'd buy that for a dollar!