The open-source nature of the Android OS makes it possible for manufacturers to ship custom versions of the OS along with a set of pre-installed apps, often for product differentiation. Some device vendors have recently come under scrutiny for potentially invasive private data collection practices and other potentially harmful or unwanted behavior of the preinstalled apps on their devices. Yet, the landscape of preinstalled software in Android has largely remained unexplored, particularly in terms of the security and privacy implications of such customizations.
In this paper, we present the first largescale study of pre-installed software on Android devices from more than 200 vendors. Our work relies on a large dataset of real-world Android firmware acquired worldwide using crowd-sourcing methods. This allows us to answer questions related to the stakeholders involved in the supply chain, from device manufacturers and mobile network operators to thirdparty organizations like advertising and tracking services, and social network platforms. Our study allows us to also uncover relationships between these actors, which seem to revolve primarily around advertising and data-driven services. Overall, the supply chain around Android’s open source model lacks transparency and has facilitated potentially harmful behaviors and backdoored access to sensitive data and services without user consent or awareness. We conclude the paper with recommendations to improve transparency, attribution, and accountability in the Android ecosystem.
About Julien Gamba
Julien Gamba is a PhD student in the Internet Analytics Group at IMDEA Networks Institute. He graduated from the University of Strasbourg, France, in 2015 with a Bachelor’s degree in computer science. After that, Julien went on to obtain a Master’s degree in computer networks and embedded systems with honors at the same university in 2017. His Master’s thesis focused on finding conception rules for iBGP networks to ensure BGP correctness. During the Master’s studies, Julien also did an internship at Internet Initiative Japan (Tokyo) where he researched the fragmentation of the BGP routing table.
This event will be conducted in English