Research Article

Should Users Trust Their Android Devices? A Scoring System for Assessing Security and Privacy Risks of Pre-Installed Applications

Year 2024, Volume: 1 Issue: 1, 9 - 28, 30.09.2024

Abstract

Android devices ship with many pre-installed applications that have the capability to track and monitor users. Although pre-installed applications pose a great danger to user security and privacy, they have so far received little attention from researchers in the field. In this study, we collect a dataset of such applications and make it publicly available. Using this dataset, we analyze tracker Software Development Kits (SDKs), manifest files and the use of cloud services, and report our results. We also conduct a user survey to understand users' concerns and perceptions. Finally, we present a risk scoring system that assigns scores to smartphones, consolidating our findings on the basis of carefully weighted criteria. With this scoring system, users can make their own trust decisions based on concise information about the security and privacy impacts of the applications pre-installed on their Android devices.
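An illustration of the kind of manifest analysis and weighted risk scoring the abstract describes, added here as an example and not code from the paper: it parses a constructed AndroidManifest.xml, flags a handful of manifest-level risk indicators (dangerous permissions, debuggable, cleartext traffic, backup allowed, exported components with no permission guard), and sums weights into a capped score. The criteria, weights and sample manifest are assumptions made for this example, not the paper's own scheme.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name):
    """Qualified name of an android: attribute for ElementTree lookups."""
    return "{%s}%s" % (ANDROID_NS, name)


# Illustrative criteria and weights. These are assumptions made for this
# example and are NOT the weights used in the paper.
PERMISSION_WEIGHTS = {
    "android.permission.READ_PHONE_STATE": 3,      # device identifiers (IMEI)
    "android.permission.ACCESS_FINE_LOCATION": 3,
    "android.permission.READ_SMS": 3,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.CAMERA": 2,
}
FLAG_WEIGHTS = {
    "debuggable": 4,          # a debugger can be attached to the app over adb
    "cleartext_traffic": 2,   # plain HTTP allowed, traffic readable on the path
    "allow_backup": 1,        # app data can be extracted through adb backup
    "exported_unguarded": 2,  # component reachable by any other app on the device
}
MAX_SCORE = 10

# Constructed sample manifest for a hypothetical vendor app (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendorapp">
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:debuggable="true"
                 android:usesCleartextTraffic="true"
                 android:allowBackup="true">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".SyncService" android:exported="true"/>
        <receiver android:name=".BootReceiver" android:exported="true"
                  android:permission="com.example.vendorapp.PRIVATE"/>
    </application>
</manifest>"""


def is_launcher(component):
    """True if the component carries a MAIN/LAUNCHER intent filter (normal entry point)."""
    for f in component.findall("intent-filter"):
        actions = {x.get(attr("name")) for x in f.findall("action")}
        cats = {x.get(attr("name")) for x in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def analyze_manifest(xml_text):
    """Return a list of (finding, weight) pairs found in the manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    for up in root.iter("uses-permission"):
        name = up.get(attr("name"), "")
        if name in PERMISSION_WEIGHTS:
            findings.append(("permission:" + name, PERMISSION_WEIGHTS[name]))
    app = root.find("application")
    if app is None:
        return findings
    if app.get(attr("debuggable")) == "true":
        findings.append(("debuggable", FLAG_WEIGHTS["debuggable"]))
    if app.get(attr("usesCleartextTraffic")) == "true":
        findings.append(("cleartext_traffic", FLAG_WEIGHTS["cleartext_traffic"]))
    if app.get(attr("allowBackup")) == "true":
        findings.append(("allow_backup", FLAG_WEIGHTS["allow_backup"]))
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            if comp.get(attr("exported")) != "true":
                continue
            if comp.get(attr("permission")) or is_launcher(comp):
                continue  # guarded by a permission, or the app's normal entry point
            findings.append(("exported_unguarded:%s:%s" % (tag, comp.get(attr("name"))),
                             FLAG_WEIGHTS["exported_unguarded"]))
    return findings


def risk_score(findings):
    """Weighted sum of the findings, capped to a 0..MAX_SCORE scale."""
    return min(MAX_SCORE, sum(w for _, w in findings))


def score_report(xml_text):
    """Findings, uncapped weighted sum and capped score for one manifest."""
    findings = analyze_manifest(xml_text)
    return {"findings": findings,
            "raw": sum(w for _, w in findings),
            "score": risk_score(findings)}


if __name__ == "__main__":
    report = score_report(SAMPLE_MANIFEST)
    for name, weight in report["findings"]:
        print("%-60s +%d" % (name, weight))
    print("raw=%d score=%d/%d" % (report["raw"], report["score"], MAX_SCORE))
```

A device-level score in the spirit of the paper would aggregate such per-application reports over every pre-installed package on the device; here only the per-manifest step is shown.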


Should Users Trust Android Devices? A Scoring System for Assessing the Security and Privacy Risks of Pre-Installed Applications

Abstract

Android devices contain many pre-installed applications capable of tracking and monitoring users. Although pre-installed applications pose a great danger to user security and privacy, these applications have so far attracted limited attention from researchers. In this study, we built a dataset containing such applications and made it publicly available. Using this dataset, we analyzed tracker Software Development Kits, manifest files and the use of cloud services, and reported our results. We also conducted a user survey to understand users' concerns and perceptions. Finally, we present a risk scoring system for smartphones based on carefully weighted criteria derived from our findings. With this scoring system, users can decide whether or not to trust the pre-installed applications on their Android devices using the available information about the security and privacy impacts of those applications.


Details

Primary Language English
Subjects Cybersecurity and Privacy (Other)
Journal Section Research Articles
Authors

Abdullah Özbay

Kemal Bıçakcı 0000-0002-2378-8027

Publication Date September 30, 2024
Submission Date April 4, 2024
Acceptance Date September 9, 2024
Published in Issue Year 2024 Volume: 1 Issue: 1

Cite

IEEE A. Özbay and K. Bıçakcı, “Should Users Trust Their Android Devices? A Scoring System for Assessing Security and Privacy Risks of Pre-Installed Applications”, ITU JWCC, vol. 1, no. 1, pp. 9–28, 2024.