Trust aWare investigates the vulnerabilities of open systems like Android.
The research community is investigating many privacy and security abuses in applications published on mobile application marketplaces such as Google Play. Trust aWare experts are developing new methodologies to better understand the risks that end users can be exposed to just by owning a mobile phone. In the article “Android OS Customisations and the Accompanying Security Risks,” published on the official website of the European Trust aWare project, researcher Vinuri Bandara of the Charles III University of Madrid explains why the open source nature of the Android operating system can make our mobile phones more vulnerable.
“From a user experience perspective, we can see how device makers leverage the open source nature of the Android OS as an opportunity to add more functionality to their core applications: phone, camera, contacts, etc. However, from a security perspective, customization can introduce unnecessary permissions, trojans, and vulnerabilities such as backdoors into core applications. For example, in 2019, the Trissa Trojan malware was found embedded in one of the system libraries of several low-cost Android smartphones, such as Leagoo and Nomu,” explains the researcher.
The research community is analysing the development practices of different manufacturers. Almost all of them incorporate additional permissions into their main applications. Some deviate significantly from the Android open source project and add additional features and functionality to the operating system, which can violate user privacy.
"We've only begun to scratch the surface of the core Android application, which could pose a serious security threat to end users." To limit these risks, effective validation of compatibility with Android and careful integration of third-party libraries and Software Development Kits (SDKs) is required. “Above all, however, what is necessary is a reminder of the responsibility of manufacturers towards their customers,” concludes Vinuri Bandara.