Feeds

Mobe-makers' BLOATWARE is Android's Achilles heel

Chocolate Factory mostly absolved for security failings, say researchers

Securing Web Applications Made Simple and Scalable

Android's Achilles Heel is not Google, but vendors who pack their devices chock-full of dodgy software.

That's the conclusion reached by North Carolina State University researchers led by Xuxian Jiang, who has spent some time analysing Android security.

In the latest work, co-authored with Lei Wu, Michael Grace, Yajin Zhou and Chiachih Wu, the NCSU researchers analysed ten phones from five vendors. Their top-line results are:

  • More than 85 per cent of pre-loaded smartphone apps carry excessive privileges;
  • Most of those overprivileged apps were vendors' own customisations; and
  • Between 64 per cent and 85 per cent of the vulnerabilities the researchers discovered arose directly from vendor customisations.

The vendor phones they examined included Google's own Nexus 4 and Nexus S; Samsung's Galaxy S2 and S3; HTC's Wildfire S and One X; LG's Optimus P350 and P880; and Sony's Xperia SL and Arc S variants.

In devices released before November 2012, the Nexus S and Wildfire S led the shame-walk. In both of these devices, more than 90 percent of pre-installed apps had excessive privileges (that is, they demanded access to features that were either unnecessary to the app, or exposed the users); while in post-2012 release kit, the worst offenders were the Optimus P880 (more than 90 per cent of apps) and the Galaxy S3 (more than 87 percent).

Considering that the best performer in the entire test sample, the HTC One X, still had more than 78 per cent of pre-loaded apps claiming excessive privilege, there's hardly any reason for any vendor to laugh-and-point at the worst offenders.

The One X had the best vulnerability performance, at just 1.79 per cent of pre-loaded apps, while the Wildfire S was the worst at 14.97 per cent of apps.

The researchers also noted that the number of vulnerabilities on devices had no correlation to the number of apps or the size of pre-loaded code on them: “both Sony devices perform very well, despite having a very large number of apps, while the LG devices do poorly on security even though they have the fewest apps of any non-reference device”, they write. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.