Android Users' Security and Privacy At Risk From Shadowy Ecosystem of Pre-Installed Software, Study Warns
Monday March 25, 2019. 11:20 PM , from Slashdot
In all, 1,200 developers were identified behind the pre-installed software found in the data-set the researchers examined, as well as more than 11,000 third-party libraries (SDKs). Many of the preloaded apps were found to display what the researchers dub potentially dangerous or undesired behavior.

The data-set underpinning their analysis was collected via crowd-sourcing methods -- using a purpose-built app (called Firmware Scanner), and pulling data from the Lumen Privacy Monitor app. The latter provided the researchers with visibility on mobile traffic flow -- via anonymized network flow metadata obtained from its users. They also crawled the Google Play Store to compare their findings on pre-installed apps with publicly available apps -- and found that just 9% of the package names in their dataset were publicly indexed on Play.

Another concerning finding relates to permissions. In addition to standard permissions defined in Android (i.e., those which can be controlled by the user), the researchers say they identified more than 4,845 owner or 'personalized' permissions by different actors in the manufacture and distribution of devices. That means they found systematic workarounds of user permissions being enabled by scores of commercial deals cut in a non-transparent, data-driven background Android software ecosystem.

The researchers address the lack of transparency and accountability in the Android ecosystem by suggesting the introduction and use of certificates signed by globally-trusted certificate authorities, or a certificate transparency repository 'dedicated to providing details and attribution for certificates used to sign various Android apps, including pre-installed apps, even if self-signed.' They also suggest Android devices should be required to document all pre-installed apps, plus their purpose, and name the entity responsible for each piece of software -- and do so in a manner that is 'accessible and understandable to users.'