Android smartphone makers are not only slow to release security patches to end users, they are also stuffing their phones with buggy software in the name of differentiation.
Vendor efforts to customise Android phones are unnecessarily introducing a host of potential security issues that don't seem to be improving over time, according to new research by the Department of Computer Science at North Carolina State University.
The researchers looked at pre-installed apps across two generations of flagship phones from Google, HTC, Samsung, LG, and Sony, querying the number of pre-installed apps, which permissions they have, and whether they contain any vulnerabilities.
The 10 devices studied were Google's Nexus S and Nexus 4, HTC's Wildfire S and One X, Samsung's Galaxy S2 and S3, Sony's Xperia Arc S and Xperia SL, and LG's Optimus P350 and P880.
In total, the devices had 1,548 pre-loaded apps and, while some were included in Android via the Android Open Source Project — the version of Android Google delivers to OEMs before they go about customising it — 82 percent of preloaded apps were added by vendors to customise the device.
The biggest problem from a security perspective was that they behaved badly: the researchers noted that 86 percent of all pre-loaded apps requested more Android permissions than they actually use, which they term "over-privileged". All vendors performed poorly on this metric, including Google's Nexus S handset, which was the second most "over-privileged" in its field.
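To make the over-privilege metric concrete, here is an added Python example (not code from the article or the NCSU study) that compares the permissions an app declares in its AndroidManifest.xml against the permissions its observed API calls actually need. The API-to-permission map, the manifest and the list of API calls are constructed for illustration; a real audit would use a complete map derived from the Android framework rather than the four entries assumed here.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed, illustrative map from framework API calls to the permission each
# requires. It is an assumption for this example, not a complete Android map.
API_PERMISSION_MAP = {
    "android.telephony.TelephonyManager.getDeviceId": "android.permission.READ_PHONE_STATE",
    "android.location.LocationManager.getLastKnownLocation": "android.permission.ACCESS_FINE_LOCATION",
    "android.telephony.SmsManager.sendTextMessage": "android.permission.SEND_SMS",
    "java.net.HttpURLConnection.connect": "android.permission.INTERNET",
}


def declared_permissions(manifest_xml):
    """Permissions requested via <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def required_permissions(api_calls):
    """Permissions implied by the API calls actually found in the app's code."""
    return {API_PERMISSION_MAP[c] for c in api_calls if c in API_PERMISSION_MAP}


def over_privileged(manifest_xml, api_calls):
    """Declared permissions that no observed API call needs (empty set = not over-privileged)."""
    return declared_permissions(manifest_xml) - required_permissions(api_calls)


def over_privilege_rate(apps):
    """Fraction of (manifest, api_calls) pairs flagged as over-privileged."""
    flagged = sum(1 for manifest, calls in apps if over_privileged(manifest, calls))
    return flagged / len(apps)


# Constructed sample: a vendor widget that declares SEND_SMS but never sends an SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendor.widget">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""
SAMPLE_CALLS = [
    "java.net.HttpURLConnection.connect",
    "android.telephony.TelephonyManager.getDeviceId",
]

if __name__ == "__main__":
    print("over-privileged:", sorted(over_privileged(SAMPLE_MANIFEST, SAMPLE_CALLS)))
```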
The researchers' analysis of vulnerable apps gave mixed results for the best and worst performers. They looked at both the total number of vulnerable apps in each device and the proportion of vulnerable apps among each device's total app count.
Looking at the proportion of vulnerable apps, they found HTC's Wildfire S to be the worst performer of the pre-2012 devices, and LG's Optimus P880 the worst among the post-2012 devices. Sony's Xperia Arc S and the HTC One X had the fewest, while Google's Nexus 4 in particular performed well here.
Looking at the absolute number of the vulnerable apps produced a different story. The researchers note: "The HTC Wildfire S is still the least secure pre-2012 device, but only by a hair — the Samsung Galaxy S2 has only one fewer vulnerability. The Sony Xperia Arc S is tied with the Google Nexus S for the most secure pre-2012 device. Meanwhile, there is a complete shake-up among the post-2012 devices: the Samsung Galaxy S3 has 40 vulnerabilities to the LG Optimus P880's 26, while the HTC One X (at 15 vulnerabilities) falls to mid-pack, behind the Nexus 4 (at three) and the Sony Xperia SL (at eight)."
Google has been lauded for being responsive when new Android security flaws are reported to the company, as in the case of a flaw found earlier this year that could let hackers tamper with Android apps without breaking the signature Android uses to check their integrity. The problem for end users was that carriers and hardware vendors only rolled the fixes out to some devices.
It took vendors on average about half a year to deliver official updates for each of the devices in the study, the researchers found.
They also note a geographical disparity in Samsung's updates for the Galaxy S3, which delivered the July 2012 Android 4.1.1 update to the UK in September 2012 but to the US only in January 2013.