Android smartphone manufacturers that customize their devices to make them stand out in the market are compromising security by building vulnerabilities into the products, a university study shows.
On average, 60 percent of the vulnerabilities in the 10 smartphone models evaluated by researchers at North Carolina State University came from the manufacturers. The study covered an old and a new model from each of five companies: Samsung, HTC, LG, Sony and Google.
Device manufacturers preload on average 80 percent of the apps that come with a device. Models running Android version 2.x had an average of 22 vulnerabilities per device, while models powered by version 4.x had an average of 18 vulnerabilities, according to the study.
However, that did not mean newer models were more secure. Those with more serious vulnerabilities presented a higher risk to buyers, according to the study. Of the smartphones evaluated, Google's Nexus 4 had the fewest flaws.
Among the problems found were apps that could record audio and make phone calls without the user's permission. Some apps could wipe out the user's data. In general, a vulnerability was defined as being a flaw that an attacker could use to steal data or grab permissions to use phone services.
Depending on the model, from 65 percent to 85 percent of vulnerabilities were due to vendor customizations. The only exception was the Sony models, which had substantially fewer flaws.
Fully 85 percent of the apps were over-privileged, meaning that they required users to grant them permissions they did not use. While this may benefit developers, who keep the option of using those permissions in future updates, it compromises user control.
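To make the over-privilege finding concrete, the following is an added example, not code from the article or from the NCSU study. It parses a constructed AndroidManifest.xml, takes a constructed list of framework API calls observed in the app (the kind of data static analysis would produce), and reports every declared permission that no observed call actually needs. The API-to-permission map is a small hypothetical table; real analyses derive that mapping from the platform source.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical preloaded vendor app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendorapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Constructed list of API calls found in the app's code (hypothetical analysis output).
OBSERVED_API_CALLS = [
    "java.net.HttpURLConnection.connect",
    "android.util.Log.d",
]

# Hypothetical, deliberately tiny map from API call to the permission it requires.
API_PERMISSION_MAP = {
    "android.media.MediaRecorder.start": "android.permission.RECORD_AUDIO",
    "java.net.HttpURLConnection.connect": "android.permission.INTERNET",
    "android.telecom.TelecomManager.placeCall": "android.permission.CALL_PHONE",
    "android.provider.ContactsContract.query": "android.permission.READ_CONTACTS",
}


def declared_permissions(manifest_xml):
    """Return the set of permissions the manifest asks the user to grant."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def exercised_permissions(api_calls):
    """Return the permissions actually needed by the observed API calls."""
    return {API_PERMISSION_MAP[call] for call in api_calls if call in API_PERMISSION_MAP}


def unused_permissions(manifest_xml, api_calls):
    """Declared permissions that no observed call requires: the over-privilege set."""
    return sorted(declared_permissions(manifest_xml) - exercised_permissions(api_calls))


def is_overprivileged(manifest_xml, api_calls):
    """True when the app requests at least one permission it never exercises."""
    return bool(unused_permissions(manifest_xml, api_calls))


if __name__ == "__main__":
    for perm in unused_permissions(SAMPLE_MANIFEST, OBSERVED_API_CALLS):
        print("declared but never exercised:", perm)
```

The check is deliberately conservative in one direction: a call missing from the map is treated as needing no permission, so an incomplete map over-reports unused permissions. A reviewer auditing a preloaded app would extend the map before trusting the result.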
Google produces a baseline version of Android, which the company makes freely available through the Android Open Source Project (AOSP). Device manufacturers and wireless carriers are free to customize the mobile operating system however they want.
The customizations have become increasingly sophisticated since the release of Android in 2007. The first phone based on the OS was the HTC Dream, released a year later.
"Flagship devices today often offer a substantially different look and feel (than the baseline version), along with a plethora of pre-loaded third-party apps," the study said.
Because so many players have their hands in the Android pie (Google, device manufacturers, carriers and third-party app developers), it is important to identify who is responsible for any security issue so that it can be fixed.
"It is worrisome to notice that vendor customizations were, on the whole, responsible for the bulk of the security problems suffered by each device," the study said.
The researchers found that the number of vulnerabilities varied little between old and new models, with the exception being HTC. Security was markedly better in the new HTC smartphone.
In February, the Federal Trade Commission dropped the hammer on HTC for failing to protect consumers' personal data and privacy in software it designed and customized for millions of mobile devices. In settling the FTC complaint, HTC agreed to put in place a process for patching vulnerabilities, to make security part of the device development process and to take responsibility for securing customers' personal data.
At the time, industry observers saw the settlement as a warning to other manufacturers that failed to protect the privacy and data of customers. The FTC did not respond to a request for comment on the latest study.
Whether the commission will address the current problem is not known. However, manufacturers are unlikely to change as long as there is no financial incentive to do the development work needed to fit Android updates into their customized software, Christopher Soghoian, principal technologist for the American Civil Liberties Union's Project on Speech, Privacy and Technology, said.
Once a smartphone is sold, manufacturers no longer get any revenue from the device. On the other hand, carriers receive monthly income from smartphones, but have been unwilling to share any of it with manufacturers in return for security updates.
"For the market to deliver a solution, either consumers have to pay the handset manufacturers for the updates or the carriers are going to have to pay them for the updates," Soghoian said.
The NCSU study will be presented Wednesday at the ACM Conference on Computer and Communications Security in Berlin.