Nav: Home

A study analyzes pre-installed software on Android devices and its privacy risks for users

March 19, 2019

Universidad Carlos III de Madrid (UC3M) and the IMDEA Networks Institute, in collaboration with the International Computer Science Institute (ICSI) at Berkeley (USA) and Stony Brook University of New York (USA), have carried out a study that encompasses 82,000 pre-installed apps in more than 1,700 devices manufactured by 214 brands, revealing the existence of a complex ecosystem of manufacturers, mobile operators, app developers and providers, with a wide network of relationships between them. This includes specialized organizations in user monitoring and tracking and in providing Internet advertising. Many of the pre-installed apps facilitate access to privileged data and resources, without the average user being aware of their presence or being able to uninstall them.

The study shows, on the one hand, that the permission model on the Android operating system and its apps allow a large number of actors to track and obtain personal user information. At the same time, it reveals that the end user is not aware of these actors in the Android terminals or of the implications that this practice could have on their privacy. Furthermore, the presence of this privileged software in the system makes it difficult to eliminate it if one is not an expert user.

These results are detailed out in an article that will be made public on April 1 and which will be presented at one of the main cybersecurity and privacy conferences worldwide, the 41st IEEE Symposium on Security and Privacy, California (USA) under the title An Analysis of Pre-installed Android Software. The Agencia Española de Protección de Datos- AEPD (Spanish Data Protection Agency), which has contributed to the dissemination of this study because of the massive impact of the results on citizen privacy, will present the results before the European Commission for Data Protection.

Other findings

In addition to the standard permissions defined in Android and that can be controlled by the user, the researchers have identified more than 4,845 owner or personalized permissions by different actors in the manufacture and distribution of the terminals. This type of permission allows the apps advertised on Google Play to evade Android's permission model to access user data without requiring their consent upon installation of a new app.

As for pre-installed apps on devices, 1,200 developers have been identified behind the pre-installed software, as well as the presence of more than 11,000 third party libraries (SDKs) included in the same. An important part of the libraries is related to advertising services and online tracking for commercial purposes. These pre-installed apps are executed with privileged permission and without being able, in the majority of cases, to be uninstalled from the system. An exhaustive analysis of the behavior of 50% of the identified apps reveal that many of them display potentially dangerous or undesired behavior.

In relation to the information offered upon logging into a new terminal, the lack of the apps transparency and of the Android operating system itself is brought to light, upon showing the user a list of permissions different from the real ones, thereby limiting capacity for decision-making regarding personal data management.

AEPD course of action

In accordance with a press release from the AEPD, this national agency will present this study and its conclusions to the working subgroups of the European Commission for Data Protection (ECDP), a European Union entity that forms a part of the Agency, together with other European data protection authorities and the European Supervisor. Among the functions of the ECDP is the fostering of cooperation among data protection agencies.

The Agency includes in the second central axis of its Strategic Plan (Innovation and Data Protection) the establishment of channels of collaboration with research groups, industry, and developers, with the objective of fomenting confidence in the digital economy in line with what is set out in the General Data Protection Regulation (GDPR). According to the Spanish Data Protection Agency, this study contributes to enabling manufacturers, developers and distributors to apply the principles of Privacy by Default and Design established in the GDPR and aimed at safeguarding the rights and freedom of individuals. Dissemination of the study undertaken by IMDEA Networks and UC3M forms part of these actions, independent of possible actions that may result from the powers and the coherent framework established by the GDPR.
-end-
More information:

Preliminary version of the study available here:

An Analysis of Pre-installed Android Software

Julien Gamba, Mohammed Rashed, Abbas Razaghpanah, Juan Tapiador, Narseo Vallina-Rodriguez

https://haystack.mobi/papers/preinstalledAndroidSW_preprint.pdf

To appear in the 41st IEEE Symposium on Security and Privacy (IEEE S&P 2020)

IMDEA Networks Institute

Related Privacy Articles:

COVID-19 contact tracing apps: 8 privacy questions governments should ask
Imperial experts have posed eight privacy questions governments should consider when developing coronavirus contact tracing apps.
New security system to revolutionise communications privacy
A new uncrackable security system created by researchers at King Abdullah University of Science and Technology (KAUST), the University of St Andrews and the Center for Unconventional Processes of Sciences (CUP Sciences) is set to revolutionize communications privacy.
Mayo Clinic studies patient privacy in MRI research
Though identifying data typically are removed from medical image files before they are shared for research, a Mayo Clinic study finds that this may not be enough to protect patient privacy.
Researchers uncover privacy flaw in e-passports
Researchers at the University of Luxembourg have discovered a flaw in the security standard used in biometric passports (e-passports) worldwide since 2004.
How cities can leverage citizen data while protecting privacy
In a new study, MIT researchers find that there is, in fact, a way for Indian cities to preserve citizen privacy while using their data to improve efficiency.
Cell-mostly internet users place privacy burden on themselves
Do data privacy concerns disproportionately affect people who access the internet primarily through cell phones?
Anonymizing personal data 'not enough to protect privacy,' shows new study
Current methods for anonymizing data leave individuals at risk of being re-identified, according to new research from University of Louvain (UCLouvain) and Imperial College London.
Study finds Wi-Fi location affects online privacy behavior
Does sitting in a coffee shop versus at home influence a person's willingness to disclose private information online?
Putting data privacy in the hands of users
MIT and Harvard University researchers have developed Riverbed, a platform that ensures web and mobile apps using distributed computing in data centers adhere to users' preferences on how their data are shared and stored in the cloud.
Social media privacy is in the hands of a few friends
New research has revealed that people's behavior is predictable from the social media data of as few as eight or nine of their friends.
More Privacy News and Privacy Current Events

Trending Science News

Current Coronavirus (COVID-19) News

Top Science Podcasts

We have hand picked the top science podcasts of 2020.
Now Playing: TED Radio Hour

Making Amends
What makes a true apology? What does it mean to make amends for past mistakes? This hour, TED speakers explore how repairing the wrongs of the past is the first step toward healing for the future. Guests include historian and preservationist Brent Leggs, law professor Martha Minow, librarian Dawn Wacek, and playwright V (formerly Eve Ensler).
Now Playing: Science for the People

#566 Is Your Gut Leaking?
This week we're busting the human gut wide open with Dr. Alessio Fasano from the Center for Celiac Research and Treatment at Massachusetts General Hospital. Join host Anika Hazra for our discussion separating fact from fiction on the controversial topic of leaky gut syndrome. We cover everything from what causes a leaky gut to interpreting the results of a gut microbiome test! Related links: Center for Celiac Research and Treatment website and their YouTube channel
Now Playing: Radiolab

The Flag and the Fury
How do you actually make change in the world? For 126 years, Mississippi has had the Confederate battle flag on their state flag, and they were the last state in the nation where that emblem remained "officially" flying.  A few days ago, that flag came down. A few days before that, it coming down would have seemed impossible. We dive into the story behind this de-flagging: a journey involving a clash of histories, designs, families, and even cheerleading. This show is a collaboration with OSM Audio. Kiese Laymon's memoir Heavy is here. And the Hospitality Flag webpage is here.