What's making your Android insecure? Blame those free apps you never asked for


Summary: Android vendors are free to pre-install apps to customise their phones, but new research finds they’re not doing a very good job securing them.


Android smartphone makers are not only slow to release security patches to end users, they are also stuffing their phones with buggy software in the name of differentiation.

Vendor efforts to customise Android phones are unnecessarily introducing a host of potential security issues that don't seem to be improving over time, according to new research from the Department of Computer Science at North Carolina State University.

The researchers looked at pre-installed apps across two generations of flagship phones from Google, HTC, Samsung, LG, and Sony, querying the number of pre-installed apps, which permissions they have, and whether they contain any vulnerabilities. 

The 10 devices studied were Google's Nexus S and Nexus 4, HTC's Wildfire S and One X, Samsung's Galaxy S2 and S3, Sony's Xperia Arc S and Xperia SL, and LG's Optimus P350 and P880.

In total, the devices had 1,548 pre-loaded apps. Some of these come from the Android Open Source Project (AOSP), the version of Android Google delivers to OEMs before they go about customising it, but 82 percent of preloaded apps were added by vendors to customise the device.

The biggest problem from a security perspective was that they behaved badly: the researchers noted that 86 percent of all pre-loaded apps requested more Android permissions than they actually use, which they term "over-privileged". All vendors performed poorly on this metric, including Google's Nexus S handset, which was the second most "over-privileged" in its field.
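The study's over-privilege test can be reproduced on a single app with two inputs: the permissions the app's manifest requests and the permission-protected framework calls its code actually makes. The script below is an added example, not code from the article or from the NCSU study. It assumes the modern `adb shell dumpsys package <pkg>` output (the "requested permissions:" section exists on Android 6.0 and later; on the 4.x builds in the study the same list comes from `aapt dump permissions <apk>`), a constructed package name (com.example.vendorwidget), a hand-coded set of observed calls, and a small excerpt of an API-to-permission map; a real audit needs a complete mapping such as PScout.

```python
"""Over-privilege check for one pre-installed Android app.

Added example, not code from the article or the NCSU study. It applies the
study's definition (an app is over-privileged when it requests permissions
that no code path needs) to a constructed sample. Assumed inputs:

  * the text of `adb shell dumpsys package <pkg>` for the app, from which the
    "requested permissions:" list and the SYSTEM flag are parsed;
  * the set of permission-protected framework methods found in the app's
    code (e.g. by grepping decompiled smali), hard-coded here.

API_PERMISSION_MAP is a small hand-written excerpt; a real audit needs a
complete mapping such as PScout.
"""

# Constructed excerpt of `adb shell dumpsys package com.example.vendorwidget`
# (hypothetical package; the field layout follows the real dumpsys format).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.vendorwidget] (3f2a9c1):
    userId=10042
    codePath=/system/app/VendorWidget.apk
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_PHONE_STATE
      android.permission.ACCESS_FINE_LOCATION
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.READ_PHONE_STATE: granted=true
"""

# Constructed: framework calls observed in the app's code.
SAMPLE_OBSERVED_CALLS = {
    "android.telephony.TelephonyManager.getDeviceId",
    "android.location.LocationManager.getLastKnownLocation",
    "java.net.HttpURLConnection.connect",
}

# Excerpt of an API -> permission mapping. Each value is the set of
# permissions any one of which satisfies the framework check for that call.
API_PERMISSION_MAP = {
    "android.telephony.TelephonyManager.getDeviceId":
        {"android.permission.READ_PHONE_STATE"},
    "android.location.LocationManager.getLastKnownLocation":
        {"android.permission.ACCESS_FINE_LOCATION",
         "android.permission.ACCESS_COARSE_LOCATION"},
    "java.net.HttpURLConnection.connect":
        {"android.permission.INTERNET"},
    "android.hardware.Camera.open":
        {"android.permission.CAMERA"},
    "android.media.MediaRecorder.start":
        {"android.permission.RECORD_AUDIO"},
}


def _indent(line):
    return len(line) - len(line.lstrip())


def parse_requested_permissions(dumpsys_text):
    """Return the permissions listed under 'requested permissions:'."""
    perms = []
    section_indent = None
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if section_indent is None:
            if stripped == "requested permissions:":
                section_indent = _indent(line)
            continue
        # The section ends at the first blank line or de-indented line.
        if not stripped or _indent(line) <= section_indent:
            break
        perms.append(stripped.split(":", 1)[0])  # tolerate "perm: restricted=true"
    return perms


def is_system_app(dumpsys_text):
    """True when the package carries the SYSTEM flag, i.e. it is preloaded."""
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("flags=["):
            flags = stripped[len("flags=["):].rstrip("]").split()
            return "SYSTEM" in flags
    return False


def audit(dumpsys_text, observed_calls, api_map=API_PERMISSION_MAP):
    """Compare requested permissions with the ones the observed calls need.

    'unused'  : requested permissions no observed call can exercise
                (the study's over-privilege).
    'missing' : observed calls whose permission is not requested; these
                would raise SecurityException at runtime.
    """
    requested = set(parse_requested_permissions(dumpsys_text))
    needed = set()
    missing = set()
    for call in observed_calls:
        alternatives = api_map.get(call)
        if not alternatives:  # unmapped or unprotected call: needs nothing
            continue
        if alternatives & requested:
            needed |= alternatives & requested
        else:
            missing.add(call)
    return {
        "system": is_system_app(dumpsys_text),
        "requested": sorted(requested),
        "unused": requested - needed,
        "missing": missing,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_DUMPSYS, SAMPLE_OBSERVED_CALLS)
    print("preloaded:", report["system"])
    print("requested:", len(report["requested"]))
    print("over-privileged:", sorted(report["unused"]))
    print("missing:", sorted(report["missing"]))
```

Run against the sample, the app is flagged as a preload that requests CAMERA and RECORD_AUDIO without any code that could use them. The "missing" set is the mirror check: a call whose permission was never requested will fail at runtime, which is how a static pass catches both directions of a manifest/code mismatch.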

The researchers' analysis of vulnerable apps gave mixed results for the best and worst performers. They looked at both the total number of vulnerable apps in each device and the proportion of vulnerable apps among each device's total app count.

Looking at the proportion of vulnerable apps, they found HTC's Wildfire S to be the worst performer among pre-2012 devices, and LG's Optimus P880 the worst among post-2012 devices. Sony's Xperia Arc S and the HTC One X had the fewest, while Google's Nexus 4 in particular performed well here.

Looking at the absolute number of the vulnerable apps produced a different story. The researchers note: "The HTC Wildfire S is still the least secure pre-2012 device, but only by a hair — the Samsung Galaxy S2 has only one fewer vulnerability. The Sony Xperia Arc S is tied with the Google Nexus S for the most secure pre-2012 device. Meanwhile, there is a complete shake-up among the post-2012 devices: the Samsung Galaxy S3 has 40 vulnerabilities to the LG Optimus P880's 26, while the HTC One X (at 15 vulnerabilities) falls to mid-pack, behind the Nexus 4 (at three) and the Sony Xperia SL (at eight)."

Google has been lauded for being responsive when new Android security flaws are reported to the company, as in the case of a flaw found earlier this year that could let hackers tamper with Android apps without breaking the signature Android uses to check their integrity. The problem for end users was that carriers and hardware vendors only rolled the fixes out to some devices.

It took vendors on average about half a year to deliver official updates for each of the devices in the study, the researchers found.

They also note a geographical disparity in Samsung's updates for the Galaxy S3: the July 2012 Android 4.1.1 update reached the UK in September 2012, but the US only in January 2013.


Topics: Security, Android, Mobility

Liam Tung




  • 4 ever android is jerkware & Bloatware mobile OS

    android 4ever jerkware and bloatware mobile OS
    • It's the carriers/manufacturers

      Not Android. Pure android is clean, just like iOS. Compare it to Windows vs Mac OS X. You never get crapware on a new OS X system but Windows machines are loaded with them.

      Know what you're talking about before you speak.
      • Wow

        Wow, you're denying the fact. Every OS has its own disadvantages and advantages.
      • Well clean Windows system straight from Microsoft

        also doesn't include Crapware. I think you conveniently omitted that part.
        Ram U
        • I agree

          Ram U was right. Every time I bought a new computer, I reformatted my hard drive to take all the crapware off my computer. The only reason Mac users are not getting crapware from Apple is because they also build the hardware and OS. Imagine if Microsoft started building its hardware; the crapware days would be over.
          • The crapware days will be over, at least until

            You open IE.
      • Bull

        Windows machines purchased directly from Microsoft are pristine.
        • Really ...?

          When have you ever bought a PC directly from MS?
          MS does not manufacture their own PCs... So ..
          • Go to the Microsoft Store online

            You'll be able to buy computers free of crapware. :|
            Michael Alan Goff
      • But

        Isn't the Nexus supposed to BE pure clean Android?
      • Mac and Crapware

        My Macbook Pros have been full of crapware(*): App Store.app; Calendar.app; Comic Life.app; Contacts.app; Facetime.app; Game Centre.app; GarageBand.app; iBooks.app; iPhoto.app; iWeb.app; Launchpad.app; Messages.app; OmniOutliner.app.

        * My definition of crapware is stuff that's installed that I neither want nor use, and which can be downloaded separately if desired. My definition includes all of the above pieces of software provided by Apple.
  • It's not just the fact you never asked for the 'shonky' software ...

    It's the fact that you can't uninstall it!

    It was my primary reason for finally going Nexus, and now I have, it's difficult to see myself going back to carrier bloatware.
    • Yes you can..

      You can root the device and gain access to remove what ever you want..
  • Mobile Phone Security

    I don't understand why many people are using Android phones for their client and personal business. The iOS phones also have their serious issues.

    From personal experience with working in the IT and communications media industry, the only very secure phone I could find was the BlackBerry. It is not as elaborate with software and gadgets, but the security risk with this phone is the lowest in the communications industry. It is impossible to externally monitor the contents of email, files, and phone calls from and to the BlackBerry phones. That is why governments and industries that need a high level of communications security use BlackBerry phones. It is the only phone I would use.

    If something happened and there were no longer any BlackBerry phones available, many of the industries and people who require a highly secure phone would be at great risk using the other types.
    • Even BB came with carrier crapware

      My last BB was a bold 9700 and it had junk from AT&T that would get re-pushed every time my device got "re-registered". I have to admit that having the same experience across all iOS devices was one of the chief selling points when I hit my breaking point with my BB9700. I really liked the device in spite of the carrier crap but when even mobile web pages would crash the browser on BB6.0, I just threw up my hands and moved to iPhone instead.
      • All of my BB devices

        Came preloaded with VZW crapware that I could not get rid of. That's one of many reasons why I switched to the iPhone.
        • My new BlackBerry came with reasonable apps - could remove any easily

          Maybe you weren't running BB10? I actually find the base apps high quality and useful. The few apps I have not needed I easily deleted. Was pretty easy. I find associates with iPhones rely more on third-party apps. Would recommend the Z10 as a cheaper and more intuitive iPhone alternative.
      • BB10 does not have same issues

        I was a surprisingly late BlackBerry convert, but after bad experiences with Windows Phone, I have to say the latest iteration of BlackBerry is very solid, with no "junk" apps, reliable performance and good enough built-in functions (i.e. reliable talking GPS that uses minimal battery and data) that I don't need the third-party junk that Android relies on and Windows hopes to have someday.

        The BlackBerry Z10 is a grown up and very well built iPhone alternative, now free on most "plans"
  • The problem is knowing which ones you need.

    There are two or three different Google/Android apps that sync files with computers using the cloud, but there is always the USB cord to sync up ONLY with my OWN PC. But the phones do not come with a list of which app does what, and which apps can be safely uninstalled, and each one seems to come with its own "cloud account" and login credentials that have to be set up. Even a GPS route tracer app to measure walking distance comes with a login account that has to be set up to get their spam on other exercise gadgets and "collaborate" with friends on who's getting fit the fastest! That one doesn't come with the phone, but the redundant file syncing apps do (but there are no apps for printing included at all). I suppose I'll have to build my own list and call customer service weekly about a couple at a time till the inventory gets reasonable.
    • I agree. While agreeing that part

      I can tell you this with my experience on every major platform (from Windows Mobile to Web OS to iOS to Android to Windows Phone), you could uninstall "every" app that came with your phone on Windows Phone with your choice.
      Ram U