Most Android Security Flaws Come from Phone-Maker Apps

Sixty percent of Android security vulnerabilities result from apps and customizations added by device makers, researchers from North Carolina State University have found.

"Vendor customizations are significant on stock Android devices and, on the whole, responsible for the bulk of the security problems we detected in each device," stated the academic paper published by the research team.

However, there was one exception to the rule. Sony, which added hundreds of apps to its Xperia phones, seemed to have kept them just as safe as Google's "pure" Android Nexus phones.

MORE: Mobile Security Guide: Everything You Need to Know

The research team studied 10 Android "images," or complete software bundles, made for phones from five major manufacturers. Half the phones were released in 2011 and ran Android 2.2 Froyo or 2.3 Gingerbread; the other half were released in 2012 and ran Android 4.0 Ice Cream Sandwich or 4.2 Jelly Bean.

Google creates raw Android builds with only a couple of dozen apps, then releases them free of charge to device makers to do with as they wish. Most manufacturers add dozens of additional apps, with some even changing the look and feel of the main user interface, before finalizing the Android image for a particular device.

"Sixty-four percent to 85 percent of vulnerabilities we detected in examined images from every vendor (except for Sony) arose from vendor customizations," stated the paper.

The jump from Android 2 to Android 4 didn't help matters, despite the many significant security improvements made by Google in the interim.

"Newer smartphones, we found, are not necessarily more secure than older ones," wrote the team, which was led by Associate Professor of Computer Science Xuxian Jiang, author of several groundbreaking research papers on Android.

In three out of five cases, the number of vulnerabilities stayed roughly the same between a manufacturer's older and newer devices.

"These patterns were stable over time," the paper noted, "highlighting the need for heightened focus on security by the smartphone industry."

More than 85 percent of all preloaded apps — those present upon purchase of the device — were "overprivileged," the N.C. State team found. Overprivileged apps demand more permissions than they truly need to access parts of the Android operating system.

MORE: The 15 Best Apps Found Only on Android

The two Samsung phones in the study, the Galaxy S II running Gingerbread and Galaxy S III running Ice Cream Sandwich, were among the worst in terms of sheer security flaws, incurring 39 and 40 vulnerabilities respectively.

LG and HTC were in the middle of the pack, but while HTC's score got better from 2011 to 2012, LG's got worse. The HTC Wildfire S, running Gingerbread, had a whopping 40 vulnerabilities, yet the HTC One X, running Ice Cream Sandwich, had only 15.

"HTC made considerable progress between the release of the HTC Wildfire S and the One X," the paper stated, "possibly due to early exposure of a large proportion of security vulnerabilities in earlier HTC devices and the efforts made by the corporation to take security to heart ever since."

By contrast, the LG Optimus Me P350, running Froyo, had 17 security flaws; the LG Optimus 4X HD P880, running Ice Cream Sandwich, had 26.

The number of additional vendor-specific and third-party apps didn't strictly correlate to vulnerability. HTC's more secure One X had twice as many added-on apps as the less secure Wildfire S, and both had many more apps than either LG phone. Meanwhile, Sony and Samsung had roughly the same number of added apps on each of four phones between them, yet Sony's phones were much safer.

Not surprisingly, Google's own Nexus S and Nexus 4, which purportedly run unaltered "pure" Gingerbread and Jelly Bean, had among the lowest number of vulnerabilities, at 8 and 3 respectively. (The researchers found that even the Google phones had dozens of unnecessary Google apps that don't come with the raw Android Open Source Project build, such as Gmail, Google Maps and YouTube.)

But the real breakout star was Sony. Its Xperia Arc S (Gingerbread) and Xperia SL (Ice Cream Sandwich) had only 8 vulnerabilities each, despite the presence of more than 150 additional apps on each phone.

In fact, on a per-app basis, Sony's phones were safer than Google's Nexus S, and just as safe as the Nexus 4.

"Sony's standout performance does not appear to be accidental," said the researchers' paper.

The researchers noted that Sony had taken meticulous care to secure its added apps, and had even fixed an Android vulnerability that Google overlooked.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.