A study analyzes pre-installed software on Android devices and its privacy risks for users

March 19, 2019

Universidad Carlos III de Madrid (UC3M) and the IMDEA Networks Institute, in collaboration with the International Computer Science Institute (ICSI) at Berkeley (USA) and Stony Brook University of New York (USA), have carried out a study that encompasses 82,000 pre-installed apps in more than 1,700 devices manufactured by 214 brands. It reveals a complex ecosystem of manufacturers, mobile operators, app developers and providers, with a wide network of relationships between them. This ecosystem includes organizations specialized in user monitoring and tracking and in providing Internet advertising. Many of the pre-installed apps facilitate access to privileged data and resources, without the average user being aware of their presence or being able to uninstall them.

The study shows, on the one hand, that the permission model of the Android operating system and its apps allows a large number of actors to track and obtain personal user information. At the same time, it reveals that the end user is not aware of these actors in the Android terminals or of the implications that this practice could have on their privacy. Furthermore, because this software is privileged within the system, it is difficult for anyone who is not an expert user to remove it.

These results are detailed in an article that will be made public on April 1 and which will be presented at one of the main cybersecurity and privacy conferences worldwide, the 41st IEEE Symposium on Security and Privacy, California (USA), under the title "An Analysis of Pre-installed Android Software". The Agencia Española de Protección de Datos (AEPD, the Spanish Data Protection Agency), which has contributed to the dissemination of this study because of the massive impact of the results on citizen privacy, will present the results before the European Commission for Data Protection.

Other findings

In addition to the standard permissions that are defined in Android and can be controlled by the user, the researchers have identified more than 4,845 proprietary or custom permissions defined by different actors in the manufacture and distribution of the terminals. This type of permission allows apps advertised on Google Play to evade Android's permission model and access user data without requiring the user's consent when a new app is installed.

As for pre-installed apps on devices, 1,200 developers have been identified behind the pre-installed software, as well as the presence of more than 11,000 third-party libraries (SDKs) included in it. An important part of these libraries is related to advertising services and online tracking for commercial purposes. These pre-installed apps run with privileged permissions and, in the majority of cases, cannot be uninstalled from the system. An exhaustive analysis of the behavior of 50% of the identified apps reveals that many of them display potentially dangerous or undesired behavior.

In relation to the information offered upon logging into a new terminal, the study brings to light the lack of transparency of the apps and of the Android operating system itself: the user is shown a list of permissions different from the real ones, which limits their capacity for decision-making regarding the management of their personal data.

AEPD course of action

In accordance with a press release from the AEPD, this national agency will present this study and its conclusions to the working subgroups of the European Commission for Data Protection (ECDP), a European Union entity that forms a part of the Agency, together with other European data protection authorities and the European Supervisor. Among the functions of the ECDP is the fostering of cooperation among data protection agencies.

The Agency includes in the second central axis of its Strategic Plan (Innovation and Data Protection) the establishment of channels of collaboration with research groups, industry, and developers, with the objective of fomenting confidence in the digital economy in line with what is set out in the General Data Protection Regulation (GDPR). According to the Spanish Data Protection Agency, this study contributes to enabling manufacturers, developers and distributors to apply the principles of Privacy by Default and Design established in the GDPR and aimed at safeguarding the rights and freedom of individuals. Dissemination of the study undertaken by IMDEA Networks and UC3M forms part of these actions, independent of possible actions that may result from the powers and the coherent framework established by the GDPR.
-end-
More information:

Preliminary version of the study available here:

An Analysis of Pre-installed Android Software

Julien Gamba, Mohammed Rashed, Abbas Razaghpanah, Juan Tapiador, Narseo Vallina-Rodriguez

https://haystack.mobi/papers/preinstalledAndroidSW_preprint.pdf

To appear in the 41st IEEE Symposium on Security and Privacy (IEEE S&P 2020)

IMDEA Networks Institute
