Slashdot Mirror


Android Users' Security and Privacy At Risk From Shadowy Ecosystem of Pre-Installed Software, Study Warns (techcrunch.com)

Researchers behind a large-scale independent study of pre-installed Android apps "unearthed a complex ecosystem of players with a primary focus on advertising and 'data-driven services' -- which they argue the average Android user is likely to be unaware of (while also likely lacking the ability to uninstall/evade the baked in software's privileged access to data and resources themselves)," reports TechCrunch. From the report: The study, which was carried out by researchers at the Universidad Carlos III de Madrid (UC3M) and the IMDEA Networks Institute, in collaboration with the International Computer Science Institute (ICSI) at Berkeley (USA) and Stony Brook University of New York (US), encompassed more than 82,000 pre-installed Android apps across more than 1,700 devices manufactured by 214 brands, according to the IMDEA institute. "The study shows, on the one hand, that the permission model on the Android operating system and its apps allow a large number of actors to track and obtain personal user information," it writes. "At the same time, it reveals that the end user is not aware of these actors in the Android terminals or of the implications that this practice could have on their privacy. Furthermore, the presence of this privileged software in the system makes it difficult to eliminate it if one is not an expert user."

In all 1,200 developers were identified behind the pre-installed software they found in the data-set they examined, as well as more than 11,000 third party libraries (SDKs). Many of the preloaded apps were found to display what the researchers dub potentially dangerous or undesired behavior. The data-set underpinning their analysis was collected via crowd-sourcing methods -- using a purpose-built app (called Firmware Scanner), and pulling data from the Lumen Privacy Monitor app. The latter provided the researchers with visibility on mobile traffic flow -- via anonymized network flow metadata obtained from its users. They also crawled the Google Play Store to compare their findings on pre-installed apps with publicly available apps -- and found that just 9% of the package names in their dataset were publicly indexed on Play. Another concerning finding relates to permissions. In addition to standard permissions defined in Android (i.e. which can be controlled by the user) the researchers say they identified more than 4,845 owner or "personalized" permissions by different actors in the manufacture and distribution of devices. So that means they found systematic user permissions workarounds being enabled by scores of commercial deals cut in a non-transparency data-driven background Android software ecosystem.
The researchers address the lack of transparency and accountability in the Android ecosystem by suggesting the introduction and use of certificates signed by globally-trusted certificate authorities, or a certificate transparency repository "dedicated to providing details and attribution for certificates used to sign various Android apps, including pre-installed apps, even if self-signed." They also suggest Android devices should be required to document all pre-installed apps, plus their purpose, and name the entity responsible for each piece of software -- and do so in a manner that is "accessible and understandable to users."

27 comments

  1. iOS has the preinstalled Weather Channel crapware by Anonymous Coward · · Score: 0

    iOS has the preinstalled Weather Channel crapware

  2. "a study" by Anonymous Coward · · Score: 0

    "Android Users' Security and Privacy At Risk From Shadowy Ecosystem of Pre-Installed Software"

    Duh! No shit. We all already know this captain obvious, without the need of "a study."

    1. Re:"a study" by Chrontius · · Score: 1

      But now we know the scope of the problem, and it is daunting.

  3. What have they got to hide? by nuckfuts · · Score: 3, Interesting

    I like the recommendation put forth in the summary:

    They also suggest Android devices should be required to document all pre-installed apps, plus their purpose, and name the entity responsible for each piece of software -- and do so in a manner that is "accessible and understandable to users."

    1. Re:What have they got to hide? by rmdingler · · Score: 1

      ...and do so in a manner that is "accessible and understandable to users."

      Yes, quite unlike this concise summary, that's used up all my daily attention points reservoir. I typically skip linking to tfa to save time (and face: This Is Slashdot!)

      But. FD. I cheat and rtfs once in a while... Cheezus. I'd rather face the embarrassment of fully confirmed ignorance than wade through this.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    2. Re:What have they got to hide? by Shotgun · · Score: 1

      This more than anything else.

      When I get a new phone, the first step is to disable every unnecessary pre-installed app; but, distinguishing what is unnecessary from what will completely brick the phone is generally hard. What is "Mobile Services Manager"? "Gboard"? Why would "NFL Mobile" EVER be pre-installed? How about "Standard Home"?

      Why are they so ashamed of their pre-installed apps that they won't even tell you what they do?

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
  4. This is why Android sucks ... by Anonymous Coward · · Score: 2, Insightful

    Another concerning finding relates to permissions. In addition to standard permissions defined in Android (i.e. which can be controlled by the user) the researchers say they identified more than 4,845 owner or "personalized" permissions by different actors in the manufacture and distribution of devices. So that means they found systematic user permissions workarounds being enabled by scores of commercial deals cut in a non-transparency data-driven background Android software ecosystem.

    This is why I'm kind of over Android.

    It's so fragmented it isn't funny. Every OEM wants to put their own branded shit and get a cut of your money and track you. Every hardware manufacturer makes side deals with companies you will never know about and have no means to uninstall. You certainly don't have a chance to give your consent -- the assholes who built it took that away.

    There is no single thing called Android, it's different from every source .. and most of those sources are greedy sacks of shit who care neither for your security nor your privacy.

    The vanilla Nexus Android was a nice idea, but even Google seems to have abandoned that idea.

    For me, Android is a pile of shit precisely because it is so fragmented and everything is full of proprietary and third party shit.

    When my Nexus 7 tablet dies, either I won't replace it with anything, or I'll just buy a low-end iPad.

    At the end of the day, mobile has just become a cesspool of tracking, ads, and analytics. And I really see little value in most of it -- not the apps and not the devices.

    Until I can be sure I'm getting a clean device which isn't selling my information to a bunch of ad companies and parasites, I'll do without the fucking device entirely. But at this point, I'd never buy another Android device again.

    At the end of the day, Android has really just ushered in a new era of shitty, privacy violating devices which steal your data and upload to who the fuck knows.

    So, fuck Android. It has utterly failed in my opinion. All it's really done is welcome in more useless assholes to your mobile experience.

    Android is pretty much at the vanguard of the race to the bottom which modern computers have become -- social media, ads, analytics, and stealing your personal data -- it's fucking parasites all the way down.

    Fuck all of it. It's a marketing department's dream, and a privacy advocate's nightmare.

    1. Re:This is why Android sucks ... by Anonymous Coward · · Score: 0

      The vanilla Nexus Android was a nice idea, but even Google seems to have abandoned that idea.

      No they didn't. You can go out and buy an unlocked, unbranded, Pixel 3 right now. I own a XL, and it's the first non-Apple phone I've owned in close to ten years. It's terrific, and I don't deal with any OEM or carrier bullshit.

  5. Google has damaged its reputation. by Futurepower(R) · · Score: 1

    Google has damaged its reputation by allowing abuse associated with its Android operating system, in my opinion.

    Cell phone companies want bad operation so they can sell more new cell phones.

    1. Re:Google has damaged its reputation. by taustin · · Score: 4, Insightful

      Since when does Google have a good enough reputation to be damaged by association with malware?

    2. Re:Google has damaged its reputation. by Anonymous Coward · · Score: 0

      Are you serious? Despite their bullshit "Do No Evil" mantra Google has always had a bad reputation because they're a frickin advertiser. Of course they do and enable all the dirty, underhanded tricks to get access to user data because they're greedy data whores trying to make billions of dollars.

      Remember kiddies: If something is free, you're the product.

  6. Worst culprit for Android devices are carriers. by Anonymous Coward · · Score: 1

    Have an AT&T smartphone on contract that came with an AT&T store app that allows me to download apps without having the data count against me. It is essentially cost free data connection (it uses AT&T LTE connection when available).

    They suggest apps to you as a feature and use that and the free data aspect to monitor everything you do on your phone and where you use it. They can sideload whatever they want even if you turn off that feature in Android OS.

    You have to read all the legal stuff when you first get the phone (or after you have reset it) and opt out of one tiny check box in one of the twenty legal screens you have to read through.

    And once you get that out of the way, you have to go BACK through and disable all the preinstalled AT&T apps that allow others to track you. Family location apps made by AT&T. Map apps. And on and on.

    Android might be a decent OS but they have a long way to go to be secure.

    1. Re:Worst culprit for Android devices are carriers. by Teun · · Score: 1

      These carrier apps are a typical effect of living in a judiciary not having net neutrality.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  7. Re:Cell phone companies want bad operation so they by OldMugwump · · Score: 2

    Never attribute to malice that which is adequately explained by incompetence.

    --
    "Shoot, a fella could have a pretty good weekend in Vegas with all that stuff."
  8. The more things change... by CaroKann · · Score: 2

    The more things change, the more they stay the same.
    I remember the days when new PC's used to come laden with so much junk-ware that you had to format the hard drive just to make it usable. The same thing has happened to Android phones, except that most people can't wipe the slate clean and set up the phone cleanly.

    1. Re:The more things change... by Anonymous Coward · · Score: 0

      The more things change, the more they stay the same.

      Can't disagree.

      I remember the days when new PC's used to come laden with so much junk-ware that you had to format the hard drive just to make it usable.

      So do I, since they're still upon us.

      The same thing has happened to Android phones, except that most people can't wipe the slate clean and set up the phone cleanly.

      Google Pixel. No OEM junk, no carrier branding crap. Simple.

  9. you forget by mschaffer · · Score: 1

    You forget that there are negative infinities. Their reputation can always be damaged more.

  10. Re:Cell phone companies want bad operation so they by Anonymous Coward · · Score: 0

    Hanlon's Razor is for idiots. It is common for wilful criminals to hide behind the shield of innocent ignorance.

    You'd excuse the tobacco industry for "not knowing" their cancer sticks caused cancer, while they hired researchers to defraud scientists who cited harm in their studies. You'd excuse the lead and petro industry who tried to keep putting lead in your gasoline and hired researchers to defraud a scientist who fought to show evidence of the harm it caused. All they'd have to do is keep you in the dark about the truth then say, "Sorry, I didn't know it was hurting anyone."

    Occam's Razor is at least not absolutist nonsense like Hanlon's Razor is, i.e., words like "never" don't belong in such generalizations. Occam's Razor is also a weapon against the masses of clueless and uninformed public. If I showed you a video of a man knifing another you'd say it was murder, simplest answer. But with more context you may discover the killed man had just shot two others and was reaching for another weapon. So, to use Occam's Razor is also usually asinine unless you have the whole picture you can not determine the "simplest answer", but at least Occam says it is "likely" true, not "always" as an absolutist like Hanlon would have.

    TL;DR: "Never"? Get your ignorance checked. The wise don't need such rhetorical gimmicks.

  11. Re:Cell phone companies want bad operation so they by Anonymous Coward · · Score: 0

    Any sufficiently advanced incompetence is indistinguishable from malice. Any sufficiently advanced malice is indistinguishable from incompetence.

  12. First app to get removed was Facebook by Blinkin1200 · · Score: 1

    Samsung Galaxy S8 on Verizon, purchased August 2018.

    Got rid of that adware, spyware, crapware right away.

    1. Re:First app to get removed was Facebook by Spamalope · · Score: 1

      I switched to a Pixel 3 from a Samsung Note.

      AT&T forced Facebook and other apps onto the phone and made them unremovable as part of a 'security' update. I think they meant 'AT&T Financial security'.

      The Pixel with Googlefi does not have as good of a data service. In areas it'll refuse to work. In a few spots I was able to use a manual service switch app that showed it was using a Sprint tower that refused to pass data at all, and switching manually to T-mobile got things going again. The color and viewing angle of the screen are not as good as the Note, which was excellent. Otherwise though, I love not having to worry about mandatory malware apps or having to deal with custom firmware and being locked out of app stores. I can do those things but consider it a chore.

  13. Re: Cell phone companies want bad operation so the by reanjr · · Score: 0

    Hey Mr. Getangryoninternet, using an absolute word like "never" alongside a fuzzy word like "adequate" results in a fuzzy assertion. You have taken this very fuzzy assertion and constructed a silly straw man around it by pretending it's some absolute statement of truth. Maybe read better, or learn how and when razors apply.

  14. Re:iOS has the preinstalled Weather Channel crapwa by shilly · · Score: 1

    The article wasn't suggesting the problem was the existence of pre-installed software per se. It was about that pre-installed software behaving perniciously. The Weather app on iOS does not do that.

  15. You pays your money and you makes your choice by Anonymous Coward · · Score: 1

    At the launch of the various Apple services yesterday, it was notable that security and privacy was discussed for each and every one, and the promises were pretty unequivocal: Apple will do as much as it can to not look at your data (e.g., on-device processing for categorising credit card transactions). Although this story is about third party pre-installed apps, there's a general principle thing going on: Apple makes its bucks from selling you devices, has a vested interest in getting app developers to behave, and has a notorious reputation for playing hardball with developers about a whole range of issues so insisting on the rules being followed for privacy and security is no biggie for it. The Android ecosystem makes its money in other ways, from Google to the carriers to the devs, and users pay the price with their privacy and security.

  16. Google Android by Anonymous Coward · · Score: 0

    being the worst.

  17. One word: LineageOS by CrankyOldEngineer · · Score: 1

    Or if that's too much work, root your phone and remove everything suspicious. I have found from experience that there is very little that is truly required, despite the dire warnings. For example, I removed all three browsers that came with my Galaxy, and replaced them with Firefox. Guess what happened? Nothing. You can also replace the google search engine with duckduckgo, and gmail with K9 mail. If rooting is too much work, then go ahead and buy an iPhone. Their products are designed for the non-technically adept.

    --
    COE
  18. don't buy crap by sad_ · · Score: 1

    nothing new here, i suppose everybody already knows this.
    just another confirmation not to buy anything else but;
    - an android one phone
    - or a phone that allows custom roms

    --
    On a long enough timeline, the survival rate for everyone drops to zero.