RT Dissertation/Thesis
T1 Do Androids Dream of Electric Sheep? On Privacy in the Android Supply Chain
A1 Gamba, Julien Armand Pierre
A2 IMDEA Networks Institute
AB The Android Open Source Project (AOSP) was first released by Google in 2008 and has since become the most used operating system [Andaf]. Thanks to the openness of its source code, any smartphone vendor or original equipment manufacturer (OEM) can modify and adapt Android to their specific needs, or add proprietary features before installing it on their devices, in order to differentiate themselves from competitors. This has created a complex and diverse supply chain, completely opaque to end-users, formed by manufacturers, resellers, chipset manufacturers, network operators, and prominent actors of the online industry that have partnered with OEMs. Each of these stakeholders can pre-install extra apps, or implement proprietary features at the framework level. However, such customizations can create privacy and security threats to end-users. Pre-installed apps are privileged by the operating system, and can therefore access system APIs or personal data more easily than apps installed by the user. Unfortunately, despite these potential threats, there is currently no end-to-end control over what apps come pre-installed on a device and why, and no traceability of the different software and hardware components used in a given Android device. In fact, the landscape of pre-installed software in Android and its security and privacy implications has largely remained unexplored by researchers.
In this thesis, I investigate the customization of Android devices and its impact on the privacy and security of end-users. Specifically, I perform the first large-scale and systematic analysis of pre-installed Android apps and the supply chain. To do so, I first develop an app, Firmware Scanner [Sca], to crowdsource close to 34,000 Android firmware versions from 1,000 different OEMs from all over the world. This dataset allows us to map the stakeholders involved in the supply chain and their relationships, from device manufacturers and mobile network operators to third-party organizations like advertising and tracking services, and social network platforms. I could identify multiple cases of privacy-invasive and potentially harmful behaviors. My results show a disturbing lack of transparency and control over the Android supply chain, showing that it can be damaging to the privacy and security of end-users.
Next, I study the evolution of the Android permission system, an essential security feature of the Android framework. Coupled with other protection mechanisms such as process sandboxing, the permission system empowers users to control which sensitive resources (e.g., user contacts, the camera, location sensors) are accessible to which apps. The research community has extensively studied the permission system, but most previous studies focus on its limitations or on specific attacks. In this thesis, I present an up-to-date view and longitudinal analysis of the evolution of the permission system. I study how some lesser-known features of the permission system, specifically permission flags, can impact the permission granting process, making it either more or less restrictive. I then highlight how pre-installed app developers use said flags in the wild and focus on the privacy and security implications. Specifically, I show the presence of third-party apps, installed as privileged system apps, potentially using said features to share resources with other third-party apps.
Another salient feature of the permission system is its extensibility: apps can define their own custom permissions to expose features and data to other apps. However, little is known about how widespread the usage of custom permissions is, and what impact these permissions may have on users' privacy and security. In the last part of this thesis, I investigate the exposure and request of custom permissions in the Android ecosystem and their potential for opening privacy and security risks. I gather a 2.2-million-app dataset of both pre-installed and publicly available apps using both Firmware Scanner and purpose-built app store crawlers. I find the usage of custom permissions to be pervasive, regardless of the origin of the apps, and seemingly growing over time. Despite this prevalence, I find that custom permissions are virtually invisible to end-users, and their purpose is mostly undocumented. While Google recommends that developers use their reverse domain name as the prefix of their custom permissions [Gpla], I find widespread violations of this recommendation, making sound attribution at scale virtually impossible. Through static analysis methods, I demonstrate that custom permissions can facilitate access to permission-protected system resources for apps that lack those permissions, without user awareness. Due to the lack of tools for studying such risks, I design and implement two tools, PermissionTracer [Pere] and PermissionTainter [Perd], to study custom permissions. I highlight multiple cases of concerning use of custom permissions by Android apps in the wild.
In this thesis, I systematically studied, at scale, the vast and overlooked ecosystem of pre-installed Android apps. My results show a complete lack of control over the supply chain, which is worrying given the huge potential impact of pre-installed apps on the privacy and security of end-users. I conclude with a number of open research questions and future avenues for further research on the supply chain of Android devices.
YR 2022
FD 2022-07
LK https://hdl.handle.net/10016/36468
UL https://hdl.handle.net/10016/36468
LA eng
NO This work has been supported by IMDEA Networks Institute
DS e-Archivo
RD 1 sept. 2024