CR Innovation Initiative

Android Observatory

Understanding the Android Open Source Project Supply Chain

Problem

The Android Open Source Project (AOSP) was first released by Google in 2008, and has since become the most used operating system with more than 2.5 billion users worldwide as of 2019. Android is open source, so any device manufacturer can modify and adapt it to their specific needs, or add proprietary features before installing it on their devices. The purpose of doing so for Android vendors is mainly to add value to their products and distinguish themselves from the competition.

This has created a vast supply chain that is completely opaque to users which includes manufacturers, resellers, chipset manufacturers, network operators, and prominent actors of the online industry partnered with vendors. Each one of these stakeholders can pre-install extra applications, or implement proprietary features at the framework level. Pre-installing an application on the system can be very valuable, as these applications are privileged by the system and can therefore access system APIs or personal data more easily than applications installed in user-space. However, such customizations can create privacy and security threats. From a user perspective, this raises a certain number of questions: if I buy a new phone, who got access to it before me? Will my data stay private, or will it be shared with whoever has a partnership with my phone vendor? How can I know who has installed apps on my device, and how can I assert my digital rights?

Our Approach

The goal of the Android Observatory is to shed light on the Android supply chain and explore the attribution, privacy and security aspects of this ecosystem. This starts by improving the existing tools to make them able to work on pre-installed apps. Currently, there is no technical solution specifically designed to analyze the code of pre-installed applications, to run them in an emulated environment and inspect their network activity, or even to attribute a given pre-installed app to the company that developed it. Pre-installed apps differ from regular apps that you know from the Google Play store, in that they can rely on different, more obscure features of the Android operating system (for instance, custom permissions or shared user ID) that might be difficult to use for user-installed applications. This makes the current tools that are available to researchers difficult to use, at best.

At a glance information

Led by Innovation Lab Fellow, Julien Gamba, the Android Observatory is an academic project to develop tools and data-based evidence to study the prevalence of user tracking services and other unwanted and harmful apps in the Android ecosystem. This work is driven by the Internet Analytics Group at IMDEA Networks and the Computer Security laboratory at UC3M. The Android Observatory analyzes:

  • Mobile Tracking. We investigate the prevalence of tracking on Android applications and design privacy preserving solutions, with the overall goal of improving users safety on the Internet.
  • Pre-Installed Applications. Android phones come with a large number of applications already installed. We aim to gather as much of such apps as possible and study them from a privacy and security standpoint.
  • Regulatory Compliance. We study Android applications to verify their compliance with the legislations in place in Europe (General Data Protection Regulation) and the United States (Child Online Privacy Protection Act).
  • User Tracking in Sensitive Applications. We study applications designed for specific sensitive situations, such as parental control applications or VPN apps. We aim to understand how these apps work and study if they take appropriate care of all the private information they gather.

Check out the Android Observatory here.

Lessons Learned

Users tracking is prevalent in pre-installed Android applications

We collected more than a million pre-installed applications from thousands of volunteers that installed our app Firmware Scanner. This gave us an unprecedented view into the ecosystem of Android system apps, and allowed us to characterize the stakeholders involved in the supply chain of modern Android devices.

For most devices, the supply chain includes not only device and chipset manufacturers but also many third-party organizations, some of which specialize in advertising and tracking services, and social network platforms. These stakeholders can pre-installed their apps on users’ devices, which can give them easier access to personal data, including data normally protected by permissions. These apps cannot be removed easily and, in some cases, cannot be removed at all without bricking the device. All of this can (and does!) happen without users’ knowledge, much less consent.

Even more worrying, a large number of these apps also define their own custom permissions. These permissions can then be requested by other apps on the device, usually by other apps from the same developer. These permissions are completely documented and what they are giving access to is anybody’s guess. Again, all of this is happening under the hood with no user interaction whatsoever.

Hidden features in pre-installed apps

Knowing that pre-installed apps have hidden features, can we actually find out what these features are for, and who is using them? We found millions of such custom permissions, in all versions of Android, and across virtually all OEMs, including the largest ones. These permissions are then requested both by pre-installed apps and publicly available ones, which could be used as a way to bypass the permission system.

Most of the state-of-the-art tools are unable to analyze such custom permissions, so we went out and created our own static analysis tools. Specifically, we look at the components of the apps that handle such custom permissions, and find that about 11% of these components also access protected data, such as unique identifiers (which can be used to keep track of users), of the phone’s GPS location. In the majority of cases this private data is not “exfiltrated” directly; however it is still possible for the app to use this data to infer other things about the user (for instance, an app might just want to know if the user is within a certain distance of, say, a shopping mall, to then display ads about products they could buy there).

Where do we go from here?

There is still much we do not know about pre-installed apps and their risks for users’ privacy and security. However, our results already paint a worrying picture in which companies can buy their way into a user’s device without their knowledge or consent. Most of these apps operate without any user interaction, and can quietly gather data without any recourse for the user. Even identifying the company behind a given app or custom permissions is difficult, which in the end prevents users from exercising their digital rights: if you don’t know who is accessing and gathering your personal data, how can you lodge a complaint?

Back to all initiatives