The open nature of Google’s Android operating system means manufacturers can add their own software layer to the phone—helping them stand out from the pack with a different look and features. Yet new research shows such tailoring may also be responsible for a host of security weaknesses that could make phones more vulnerable to hackers.
According to a study conducted by computer science researchers at North Carolina State University, changes manufacturers made to the stock Android software were responsible for more than 60 percent of the security flaws uncovered in phones from different handset companies. A paper (pdf) on the work is slated to be presented Wednesday at the ACM Conference on Computer and Communications Security in Berlin.
“We were surprised by the overall insecurity,” says one of the authors, Xuxian Jiang, an associate professor of computer science at the university, who researches mobile malware. Jiang sees it as an indication that some phone vendors aren’t taking security seriously enough, and that they feel constant pressure to bring new software features to market.
In their study, researchers looked at 10 Android smartphones; five ran variations of the fourth generation of Android software, and five used the second generation (in between those two, Google released a version 3.2, also known as Honeycomb, that was intended for tablets). The researchers tested one handset with each of the two Android versions from Samsung, HTC, LG, and Sony—including the popular Samsung Galaxy S3 and HTC One X—as well as two Google-branded handsets (the Nexus S and Nexus 4, made by Samsung and LG, respectively) that served mainly as frames of reference, since they don’t include the same customized software skins found on many other Android handsets.
In order to figure out what the security vulnerabilities were and where they originated, researchers first separated the apps that came loaded on the smartphones into three categories, noting which came from Google’s Android Open Source Project, which were created or customized by the smartphone maker, and which came from outside programmers.
They then looked at the data and features that apps want to use—for example, the ability to access your photos or dial your contacts’ phone numbers—to figure out which apps requested permissions they weren’t actually using. Apps with more permissions than they need are problematic because they can put personal data like usernames and credit card numbers at greater risk of being compromised if that app is hacked.
The researchers found that 86 percent of the apps preloaded on these smartphones asked for more permissions than necessary, and most of the so-called “overprivileged” apps had been added by smartphone makers as part of their customization processes. Because they are integrated with the operating system at a low level, apps added by manufacturers may get greater permissions access than those made by outside app developers.
Marc Rogers, principal security researcher at the mobile security software company Lookout, says the problem of overprivileged apps is common to app developers in general, not just specific vendors. “If you look across the market, there are quite a few applications that have this problem where the app developer has said, ‘I’ll request as many permissions as possible just in case I need them,’” he says.
Researchers also hunted for security issues that might let apps act as if they have permission to do things they aren’t authorized to do, or that could let apps share sensitive user data without permission.
Overall, researchers determined that between 65 percent and 85 percent of the 177 security vulnerabilities on the Samsung, HTC, and LG smartphones originated from manufacturer customizations; 38 percent of the 16 weaknesses encountered on the Sony smartphones came from that source.
Rogers, who has seen vendor customizations produce security problems in the past (such as one that stemmed from Samsung’s customization of the Galaxy S3 lock screen), says regardless of where the problems originate, any change to Android software contributes to fragmentation of the operating system and can introduce vulnerabilities that aren’t tracked by Google.
The study researchers say they tried to reach smartphone makers to inform them of the security issues they found, but not all have responded. Smartphone makers and Google did not respond to requests for comment on this story.
Nevertheless, Jiang hopes the study will help vendors and users recognize such security problems. “Hopefully, the next generation of phones will become much more secure,” he says.