Overview
Explore a comprehensive analysis of pre-installed Android software in this 16-minute IEEE conference talk. Delve into the security and privacy implications of custom Android OS versions and pre-installed apps shipped by manufacturers. Examine the findings of a large-scale study covering devices from over 200 vendors, based on real-world Android firmware data collected through crowd-sourcing methods. Uncover the complex relationships between various stakeholders in the Android ecosystem, including device manufacturers, mobile network operators, and third-party organizations. Learn how the lack of transparency in the Android supply chain can facilitate harmful behaviors and unauthorized access to sensitive data. Gain insights into the Android Open Source Project, data collection methods, app developer identification, third-party libraries, and Android permissions. Conclude with recommendations for improving transparency, attribution, and accountability in the Android ecosystem.
Syllabus
Intro
Android Open Source Project (AOSP)
The supply chain can be very large
Data collection at scale
How to identify app developers?
Third-party libraries
A quick Android permissions primer
Custom permissions
Access to sensitive information
Dangerous behaviors
Our recommendations
In conclusion
Taught by
IEEE Symposium on Security and Privacy