As if the threat of malware wasn't enough, Android smartphone users now have to contend with vulnerabilities researchers say device manufacturers are building into their preloaded apps.
A study done at North Carolina State University (NCSU) found that, on average, 60% of the vulnerabilities discovered in smartphones from Samsung, HTC, LG, Sony and Google originated with the manufacturers. In addition, 85% of manufacturers' preloaded apps were over-privileged, meaning they requested permissions that their code never actually used, so a flaw in such an app hands an attacker more access than the app's features ever needed.
Researchers analyzed the customized apps that manufacturers build on top of the baseline version of Android shipped from Google. The apps provide unique features and a look and feel that's meant to make the smartphone stand out in the market. Eighty percent of the apps that come with devices are created by the manufacturers, not Google.
"It is worrisome to notice that vendor customizations were, on the whole, responsible for the bulk of the security problems suffered by each device," the study said.
The NCSU research team looked at two smartphones from each vendor. For each pair, one phone ran Android version 2.x and the other ran version 4.x. The older models had an average of 22 vulnerabilities, while the newer models had 18.
Despite having fewer vulnerabilities, the newer models were not necessarily more secure. Some flaws were more serious than others, according to the study, recently presented at the ACM Conference on Computer and Communications Security in Berlin.
App behavior deemed problematic by the researchers included the ability to delete user data, record audio and make phone calls without holding the corresponding permission: a third-party app that had never been granted those permissions could trigger the actions through a vendor app that had. In general, the study counted as a vulnerability any flaw an attacker could use to steal data or to bypass Android's permission checks and reach a protected service.
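One way to check a preloaded app for the permission-bypass pattern the study describes, as an added example that is not code from the NCSU study or from any vendor: the script below parses an AndroidManifest.xml, lists the dangerous permissions the package holds, flags every component that any other app on the device can invoke without a permission check, and shows the corresponding hardening. The manifest, the package name and the component names are constructed for illustration.

```python
"""Static check for the "bypass permissions" pattern described above: a
preloaded app holds dangerous permissions and exposes a component that any
other app on the device can invoke without holding those permissions itself.

Added example, not code from the NCSU study or from any vendor. The manifest
below is constructed for illustration; the package and component names are
made up.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)

# Real platform permission names; the subset is illustrative, not exhaustive.
DANGEROUS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _a(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(comp, target_sdk):
    """Platform default rules: an explicit android:exported wins; otherwise an
    activity, service or receiver is exported iff it declares an
    <intent-filter>, and a provider is exported by default only when the app
    targets an SDK below 17 (Android 4.2)."""
    explicit = _a(comp, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if comp.tag == "provider":
        return target_sdk < 17
    return comp.find("intent-filter") is not None


def is_guarded(comp):
    """True when a caller must hold some permission to reach the component."""
    if _a(comp, "permission"):
        return True
    if comp.tag == "provider":
        return bool(_a(comp, "readPermission") or _a(comp, "writePermission"))
    return False


def audit_manifest(manifest_xml):
    """Return the package name, the dangerous permissions it holds, and the
    components reachable by any app without a permission check."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = 1
    if uses_sdk is not None and _a(uses_sdk, "targetSdkVersion"):
        target_sdk = int(_a(uses_sdk, "targetSdkVersion"))
    held = sorted(_a(p, "name") for p in root.findall("uses-permission")
                  if _a(p, "name") in DANGEROUS)
    exposed = [(c.tag, _a(c, "name")) for c in root.find("application")
               if c.tag in COMPONENT_TAGS
               and is_exported(c, target_sdk) and not is_guarded(c)]
    return {"package": root.get("package"), "dangerous": held,
            "exposed": exposed}


def harden(manifest_xml):
    """Emit a manifest with android:exported="false" on every flagged
    component. Components that must stay reachable by other apps should
    instead get android:permission set to a signature-level permission."""
    root = ET.fromstring(manifest_xml)
    flagged = {name for _, name in audit_manifest(manifest_xml)["exposed"]}
    for comp in root.find("application"):
        if comp.tag in COMPONENT_TAGS and _a(comp, "name") in flagged:
            comp.set("{%s}exported" % ANDROID_NS, "false")
    return ET.tostring(root, encoding="unicode")


# Constructed manifest for a hypothetical vendor voice-memo app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendor.voicememo">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="16"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Voice Memo">
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".RecorderService" android:exported="true"/>
    <service android:name=".DialerService" android:exported="true"
        android:permission="com.example.vendor.voicememo.DIAL"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".MemoProvider"
        android:authorities="com.example.vendor.voicememo.memos"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"], "holds", report["dangerous"])
    for tag, name in report["exposed"]:
        print("exposed %s %s: any app can reach it" % (tag, name))
    print("after hardening:", audit_manifest(harden(SAMPLE_MANIFEST))["exposed"])
```

The manifest inside a shipped APK is binary-encoded, so decode it first (for example with apktool or `aapt dump xmltree`) before feeding it to the script. The check is purely static: a component that enforces a permission in code rather than in the manifest will still be flagged, and the reverse case, an unguarded component whose handler happens to do nothing dangerous, needs a human to read the code. Note the targetSdkVersion caveat for providers: the same manifest with targetSdkVersion 17 or higher would no longer flag MemoProvider.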
With the exception of the Sony models, 65% to 85% of the vulnerabilities found in each of the phones were due to manufacturer customizations. The Sony phones had fewer flaws from the manufacturer.
Complexity breeds mistakes
Phone customizations have become increasingly elaborate since Android's release in 2007, driven by a highly competitive market.
"Flagship devices today often offer a substantially different look and feel (than the baseline Android version), along with a plethora of preloaded third-party apps," the study said.
Xuxian Jiang, lead researcher and associate professor at NCSU, said the study is a warning to Android users that vulnerabilities exist the moment they unpack a new phone.
"Users should be cautious when they try to download apps, particularly from unregulated, third-party online stores," Jiang said. "The vulnerabilities are there and they can be exploited by untrustworthy apps."
In the U.S., the majority of Android users download apps from Google Play, which scans for malware. As a result, the chance of installing malicious code has been very low to date.
Malware is a much bigger problem in Asia and Russia, where people often visit third-party app stores.
While overall infection rates remain low, experts agree that software tools capable of developing and distributing Android malware are evolving in the criminal underground. In June, there were 204 malware families, a 69% increase from the same month a year ago, according to the latest Mobile Adware and Malware Analysis from Symantec. The number of malware samples nearly quadrupled.
The NCSU research team did not find that the newer phone models were significantly more secure than the older ones. The exception was HTC, which showed a marked improvement.
In February, HTC settled a Federal Trade Commission complaint that accused the company of placing customers' personal data and privacy at risk through the software it designed and customized for millions of mobile devices. Under the settlement, HTC agreed to take responsibility for securing customers' personal data, to put in place a system for patching vulnerabilities, and to make security part of its device development process.
At the time, industry observers said the agreement was an FTC warning to other Android device manufacturers that security needed to be prioritized.
Many of the security problems that exist today on Android devices could be fixed through regular updates to the operating system and to manufacturers' preloaded apps. Nevertheless, regular patching is unlikely to happen unless device makers and wireless carriers work together, said Christopher Soghoian, principal technologist for the American Civil Liberties Union's Project on Speech, Privacy and Technology.
Manufacturers have not prioritized updates because profits come from selling new phones, not fixing old ones. On the other hand, carriers get money each month from a phone through subscription fees to wireless services.
Unless carriers or consumers agree to pay manufacturers for regular updates, it's unlikely manufacturers will provide a dependable, effective update service, Soghoian said, because app customization has made developing updates complex and expensive.
"If you paid a $5 a month Android fee to Samsung and Google, I'm sure you'd get more regular updates," Soghoian said.