The article, "An analysis of Pre-installed Android Software" by Julien Gamba, Mohammed Rashed, Abbas Razaghpanah, Juan Tapiador and Narseo Vallina-Rodriguez, has been awarded the Best Practical Paper Award at the 41st IEEE Symposium on Security and Privacy (Oakland), which takes place on May 18-20, 2020. This is one of the top conferences in cybersecurity. The study has real impact on users as it reveals the privacy and security issues associated with pre-installed software on Android devices and their supply chain.
This is the third prize that this paper has received this year, including the one from the Spanish Data Protection Agency (AEPD) and the CNIL (French Data Protection Authority) - INRIA Privacy Awards. The team is composed of researchers from IMDEA Networks Institute (an institution promoted by the Community of Madrid), the Universidad Carlos III de Madrid, the International Computer Science Institute (ICSI) at Berkeley (USA) and Stony Brook University of New York (USA).
In addition, this article has led to Julien Gamba's 2020 NortonLifeLock Research Group Graduate Fellowship. Gamba, a PhD student at IMDEA Networks and the study's principal investigator, presented a proposal based on the Android supply chain and its challenges in terms of attribution, privacy and security. At present, his goal "is to design reliable ways to attribute software to developers and to build tools to perform static and dynamic analysis on pre-installed Android applications", says Gamba.
The full study covers more than 82,000 apps pre-installed on more than 1,700 devices manufactured by 214 brands. The research shows that many of the pre-installed applications provide privileged access to data and system resources, although the average user would be unable to uninstall them. Furthermore, the researchers found that the vast majority of pre-installed applications are not public, making them difficult to collect and analyze.
The researchers have also identified a lack of transparency, in both the apps and the Android operating system itself, in the information offered to the user when starting up a new device. The user is shown a list of permissions that differs from the real one, which limits the user's ability to make decisions about managing their personal information.
"The real challenge is to identify with certainty the stakeholders in the supply chain", explains Gamba. This study has shed some light on this ecosystem and has uncovered many supply chain stakeholders, but "there are still many ways to avoid detection". For that reason, the IMDEA Networks researcher concludes they are "currently working on improving state-of-the-art tools that will enable us to design ways to uncover the presence of all these stakeholders and eventually to paint a complete picture of the Android supply chain."