NC State researchers trace Android vulnerabilities to manufacturers

Computer researchers at N.C. State University have found that smartphone manufacturers are inadvertently adding security vulnerabilities to Android devices.

Manufacturers like Samsung and HTC customize the Android platform by integrating their own software, developed in-house or by third-party partners.

A team led by N.C. State’s Xuxian Jiang investigated whether these customizations introduced potential security threats. Testing 10 Android smartphones from Samsung, HTC, LG, Sony and Google, they found that 60 percent of vulnerabilities originated from these “vendor customizations.”

“We also found that 85 percent of the preloaded apps were overprivileged,” Jiang says. An app is considered “overprivileged” if it requires users to give it permissions that the app does not actually use. “Seeing this many overprivileged apps indicates that the programmers developing the vendors’ apps are violating a well-known security principle, i.e., the ‘least privilege principle.’”