Mobe-makers' BLOATWARE is Android's Achilles heel
Chocolate Factory mostly absolved for security failings, say researchers
Android's Achilles Heel is not Google, but vendors who pack their devices chock-full of dodgy software.
In the latest work, co-authored with Lei Wu, Michael Grace, Yajin Zhou and Chiachih Wu, the NCSU researchers analysed ten phones from five vendors. Their top-line results are:
- More than 85 per cent of pre-loaded smartphone apps carry excessive privileges;
- Most of those overprivileged apps were vendors' own customisations; and
- Between 64 per cent and 85 per cent of the vulnerabilities the researchers discovered arose directly from vendor customisations.
The vendor phones they examined included Google's own Nexus 4 and Nexus S; Samsung's Galaxy S2 and S3; HTC's Wildfire S and One X; LG's Optimus P350 and P880; and Sony's Xperia SL and Arc S variants.
In devices released before November 2012, the Nexus S and Wildfire S led the shame-walk. In both of these devices, more than 90 percent of pre-installed apps had excessive privileges (that is, they demanded access to features that were either unnecessary to the app, or exposed the users); while in post-2012 release kit, the worst offenders were the Optimus P880 (more than 90 per cent of apps) and the Galaxy S3 (more than 87 percent).
Considering that the best performer in the entire test sample, the HTC One X, still had more than 78 per cent of pre-loaded apps claiming excessive privilege, there's hardly any reason for any vendor to laugh-and-point at the worst offenders.
The One X had the best vulnerability performance, at just 1.79 per cent of pre-loaded apps, while the Wildfire S was the worst at 14.97 per cent of apps.
The researchers also noted that the number of vulnerabilities on devices had no correlation to the number of apps or the size of pre-loaded code on them: “both Sony devices perform very well, despite having a very large number of apps, while the LG devices do poorly on security even though they have the fewest apps of any non-reference device”, they write. ®