jerdog · Nov 14, 2013 at 11:00 am

Shock and Awe: OEMs Cause Android Security Issues

It should come as no surprise that here at XDA, we are always calling on the OEMs to do a better job of removing the bloat of their custom UIs (Samsung – we’re looking at you and your now insane TouchWiz size) and improving the overall user experience. What may come as a shock to some, though, is that a recent study by researchers at North Carolina State University says that those same OEMs, and their incessant need to have a custom UI as some sort of “branding,” are directly responsible for most of the security issues found with Android. Cue Home Alone face.

In all honesty, we really shouldn’t be all that surprised. XDA Elite Recognized Developer jcase gave a great talk at XDA:DevCon13 where he discussed “Android Security Vulnerabilites and Exploits.” There, he identified how OEMs (LG was his main example) are directly responsible for many of the vulnerabilities and exploits he finds.

The researchers at NC State found that 60% of the security issues were directly tied to changes OEMs had made to stock Android, specifically related to apps requesting more permissions than were necessary. They looked at 2 devices from each 4 different OEMs (Sony, Samsung, LG and HTC), with one running a version of Android 2.x and another running 4.x from each OEM, along with the Nexus S and Nexus 4 from Google.

Here are a few of the findings:

  • 86% of preloaded apps asked for more permissions than were necessary, with most coming from OEMs.
  • 65-85% of the security issues on Samsung, HTC, and LG devices come from their customizations, while only 38% of the issues found on Sony devices came from them.

For the user, this should be a warning to pay attention to the permissions used when you install an app and take steps to protect yourself, like with the Xposed module XPrivacy. For OEMs, shame on you. Consumers place trust, no matter how unfounded and risky that is, on you. For you to be breaking that trust by not being responsible and open in your dealings and development is just plain careless.

The full study, presented yesterday at the ACM Conference on Computer and Communications Security in Berlin, is definitely a good read, with specific case studies done on the Samsung Galaxy S3 and LG Optimus P880.

Source: MIT Technology Review

[Thanks to XDA Elite Recognized Developer toastcfh for the tip.]


_________
Want something on the XDA Portal? Send us a tip!

jerdog

jerdog is an editor on XDA-Developers, the largest community for Android users. Jeremy has been an XDA member since 2007, and has been involved in technology in one way or another, dating back to when he was 8 years old and was given his first PC in 1984 - which promptly got formatted. It was a match made in the stars, and he never looked back. He has owned, to date, over 60 mobile devices over the last 15 years and mobile technology just clicks with him. In addition to being a News Editor and OEM Relations Manager, he is a Senior Moderator and member of the Developer and Moderator Committees at XDA. View jerdog's posts and articles here.
Mathew Brack · May 29, 2015 at 05:27 pm · 4 comments

Google No Longer Sending Calendar SMS Notifications

In a not entirely surprising move, Google announced that it's putting an end to SMS notifications for Google calendar as of June 27th. They stated earlier, "SMS notifications for Google Calendar launched before smartphones were available. Now in a world with smartphones and notifications, you can get richer, more reliable experience on your mobile device, even offline". Google Drive for Work, Google Apps for Work (paid edition), Education and Government customers will not be affected by these changes and can continue using...

XDA NEWS
Chris Gilliam · May 29, 2015 at 11:29 am · 4 comments

I/O Summary: Google Cardboard Virtual Reality

One year ago, Google introduced cardboard. Amazingly enough, that was all it took to fire up the Virtual Reality scene on Android, and what began as an open design concept exploded into thousands of apps and dozens of headsets from big and small vendors alike. Now, there are more than 1 million cardboard viewers/handsets - a Google-quoted number that might not even be accurate given the ease with which headsets can be rigged through off-the-shelf equipment. This year, cardboard returned...

XDA NEWS
Jimmy McGee · May 29, 2015 at 06:00 am · 4 comments

Android M Preview Images – XDA TV

Android M preview images are available. That and much more news is covered by Jordan when he reviews all the important stories from this week. Included in this week's news is the announcement of Google's Project Tango going on sale and be sure to check out the article talking about Google's Roboto font going open source. That's not all that's covered in today's video! Jordan talks about the other videos released this week on XDA TV. XDA TV Producer TK...

XDA NEWS
Share This