The Android Device Security Database helps you compare the security of Android smartphones
Android users have numerous options when it comes to devices, with varied combinations of specifications, features, and price points. We are spoiled for choice, but this confuses users when it comes to features that cannot be easily measured and compared. Take, for instance, a device's Android security status. The current state of Android security is far from perfect, and the situation becomes even more complex across different OEMs and different regions. So if you had to compare two OEMs on how well they have delivered security updates across their portfolios, the answer is not easy to find. A group of researchers has taken it upon themselves to remedy this situation by building a database of Android devices focusing on their overall security level.
At the virtual Android Security Symposium 2020 event, a group of researchers including Mr. Daniel R. Thomas, Mr. Alastair R. Beresford, and Mr. René Mayrhofer presented a talk called the “Android Device Security Database”.
We recommend watching the talk to get a better idea of the intents and purposes of the database, but we will also do our best in encapsulating the information below.
The purpose behind the Android Device Security Database is to “gather and publish relevant data about the security posture” of Android devices. This includes information on attributes like the average patch frequency, the guaranteed maximum patch delay, the latest security patch level, and other attributes. The database currently includes smartphones like the Samsung Galaxy S20 (Exynos), Nokia 5.3, Google Pixel 4, Xiaomi Redmi Note 7, Huawei P40, Sony Xperia 10, and more.
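As an added illustration (not code from the researchers or from the database itself), here is how attributes of that kind could be derived from a device's update history. The metric definitions, the helper names and the two sample histories are assumptions constructed for this example, not real measurements.

```python
from datetime import date
from statistics import mean

# Constructed sample data (not real measurements): for a hypothetical device,
# the security patch level a build carried (the value Android reports in
# ro.build.version.security_patch) and the date that build reached the device.
HISTORY_DEVICE_A = [
    ("2020-01-05", "2020-01-20"),
    ("2020-02-01", "2020-03-02"),
    ("2020-04-05", "2020-05-10"),
    ("2020-05-01", "2020-05-28"),
    ("2020-07-05", "2020-08-15"),
]
HISTORY_DEVICE_B = [
    ("2020-05-05", "2020-05-12"),
    ("2020-06-05", "2020-06-20"),
    ("2020-08-05", "2020-08-30"),
]

def _d(s):
    return date.fromisoformat(s)

def patch_metrics(history):
    """Summarise an update history into the kind of attributes the database
    tracks. Definitions are this example's assumptions: patch frequency is the
    mean number of days between updates shipped to the device; patch delay is
    the gap between a patch level's date and the day the device received it."""
    rows = sorted((_d(level), _d(shipped)) for level, shipped in history)
    ship_dates = [shipped for _, shipped in rows]
    gaps = [(b - a).days for a, b in zip(ship_dates, ship_dates[1:])]
    delays = [(shipped - level).days for level, shipped in rows]
    return {
        "latest_patch_level": rows[-1][0].isoformat(),
        "avg_days_between_updates": mean(gaps) if gaps else None,  # None: single update
        "avg_patch_delay_days": mean(delays),
        "max_patch_delay_days": max(delays),
    }

def patch_level_age_days(patch_level, today):
    """How stale the installed patch level is on a given day."""
    return (_d(today) - _d(patch_level)).days

def rank_by_max_delay(devices):
    """Order devices from best to worst by their worst-case patch delay."""
    return sorted(devices, key=lambda n: patch_metrics(devices[n])["max_patch_delay_days"])
```

Feeding real observations (patch level plus the date the OTA arrived) into the same functions gives a per-device view that can be compared across OEMs.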
The talk brings up the issue of how smartphone OEMs currently have little in terms of motivation and quantifiable incentive to provide quick and relevant security updates across their smartphone portfolio. Smartphone after-sale support is still centered around the limits of Android version updates and device repairs—and overall device security is not given much importance. Security updates aren’t a metric that a marketing department can easily “sell” to most end consumers for future smartphones, so performance in this area remains lacking. And because of the huge variety of smartphones released and the innumerable updates to them over the years, collecting and quantifying this data is also a gargantuan task. For instance, Samsung has been doing very well in terms of providing security updates to its existing portfolio of devices, like the Galaxy S10, Galaxy Z Flip, Galaxy A50, Galaxy Note 10 series, Galaxy A70, and the Galaxy S20 series—but there are still so many more devices left to assess and a larger security update progress chart is also missing to provide historical context.
The Android Device Security Database tries to fix this in a way. Back in 2015 when a similar initiative was undertaken, the team had measured the security of Android devices and given them a score out of 10. The old approach had a few limitations, as it focused heavily on assessing whether a device was susceptible to known vulnerabilities or not. The older approach did not consider other aspects of device security, so the current approach attempts to take a much more holistic look at overall device security.
One area where the team wants to explore much further is how pre-installed apps perform within the context of security and user privacy. Pre-installed apps often have elevated permissions that are pre-granted at the platform level. We’ve seen increased attention towards pre-installed apps in recent times—sometimes it manifests itself in the form of complaints about ads in pre-installed Samsung apps, and sometimes it takes the form of a nationwide ban against several pre-installed Xiaomi Mi apps. How does one exercise oversight over these pre-installed apps by OEMs?
The research team is tackling this question by recommending more transparency and accountability about which apps are pre-installed on a device and what they have permission to do. To this end, the team also wants to add an app risk rating to its database and eventually create a rating system to rank devices on this aspect. The research team also wants its methodology peer-reviewed and is seeking feedback from other security researchers on which aspects of the security of pre-installed apps it should look into.
The database aims to become a benchmark for assessing the overall security of a device and the holistic security experience for an OEM. The initiative is definitely a work-in-progress at this stage, and future plans include developing an app that collects security attributes in an anonymous manner and presents it in a comparable manner to end-users—much like how current-generation performance benchmarks work. With enough users volunteering this data to the project, one can hope the project becomes a viable security benchmark that can be used to assess the overall security practices of an OEM. While past performance is certainly no guarantee towards future action, this database/benchmark would still simplify the opaque and complex mess that is currently the state of Android security as an OS.