Sign up to Newsletter

Research Methodology, Pre-Installed Android App Analysis

Explainer
Post date
19th September 2019
Android-Privacy is not a luxury

Abstract

Over the past few years, smart phones have become incredibly inexpensive, connecting millions of people to the internet for the first time. While growing connectivity is undeniably positive, some device vendors have recently come under scrutiny for harvesting user data and invasive private data collection practices.

Due to the open-source nature of the Android operating system vendors can add pre-installed apps (often called “bundled apps” or "bloatware") to mobile phones. In 2019, the first large-scale study of pre-installed software on Android devices from more than 200 vendors has shown that many of these apps come with security vulnerabilities, facilitate potentially harmful behaviours and backdoored access to sensitive data and services without user consent or awareness. The study concludes that the supply chain around Android's open source model lacks transparency.

Pre-installed apps are not available on the Google Play Store and therefore often do not receive the same level of audit. They also come with pre-accepted permissions (i.e using a custom permission to access users’ location data outside of the location services subsystem), which means that users will be unaware of the data that these apps collect. Finally, many of these apps send data to third parties, both large, and well-known companies such as Google, Facebook, Tencent and Baidu, as well as lesser known companies in the advertising and tracking ecosystem.

Objective

The objective of this ongoing research is to build on existing research and illustrate what the lack of transparency around the Android supply chain looks like in practice for a select number of low-end phones. Our goal is to draw further attention to the issue globally and to showcase how privacy threats often disproportionately affect those with limited resources. The ultimate goal is put pressure on Google and telecommunications companies to better protect the privacy and security of their users – especially those in emerging markets and with limited resources.

Acquisition of data

We used the Android Developer Bridge (ADB) to copy over any file in the APK format (Android application package) in /vendor, /system/persistent, /system/priv-app/ and /system/app.

We also established if /data/app is populated. Finally, we extracted the certificate files in /system/etc/security/cacerts/ for later analysis. Once we have extracted the APK files we ran a minimisation process, which is intended to remove apps that exist within all versions of Android (e.g the phone dialer, the settings app, the clock etc). Even though we won't know if these have been modified, these apps are outside the scope of this research.

Analysis

Extracted APK files were run through the following two processes:

• A static analysis using Exodus_Standalone by Exodus Privacy, which lists the apps’ permissions, signing certificate and integrated trackers
• If needed, a dynamic analysis of selected apps using the methodology and set up we have previously used for our apps analysis

Exodus Privacy is a tool that is designed to detect the presence of known trackers in an application without running it. An online version of the tool allows anyone to analyse applications on the Google Play Store. Exodus-Privacy/exodus-standalone is licensed under the GNU Affero General Public License v3.0, which is designed for app developers to test applications before its publication on Google Play.

Using Exodus-Privacy/exodus-standalone we conducted a static analysis of an app’s install package [APK]. Android applications are developed in JVM compatible languages like Java, Kotlin, etc. As a result, class names are readable directly in the binary file of the program without requiring decompilation. Exodus analyses APK files to find trackers, which can be identified by their own name-space. As an example, Amazon Ads library root name-space/package is com.amazon.device.ads, this library shares the com.amazon package name with other Amazon libraries. So, at this point, a tracker signature is a name-space (a package name).

The analysis generates a report that describes found code signature of trackers in the application (i.e. a piece of software meant to collect data about you or your usages, as well as permissions in the application (i.e. actions that the application can do on your phone) according to severity levels as they are defined by Google's protection levels. Google classifies some permissions as dangerous, since they “cover areas where the app wants data or resources that involve the user's private information, or could potentially affect the user's stored data or the operation of other apps”.

In relation to the certificates, in a similar manner to apps, we excluded all the certificates which are by default included within the Android operating system (we documented which ones are omitted) to establish if any additional certificates have been added by the manufacturer and/or by telcos.

We will use Privacy International's data interception environment to do dynamic analysis in a similar vein to our previous Facebook AppData project, the methodology can be found in the report here.

Our fight
Challenging Corporate Data Exploitation
Learn more
Smartphones
Device
MyPhone MYA2

Related Content

Advocacy
Photo by Mathias Reding on Unsplash

PI seeks to inform report on AI and racial discrimination of the UN Special Rapporteur on racism

Privacy International submitted its input to the UN Special Rapporteur on racism for their upcoming report which will examine and analyse the relationship between artificial intelligence (AI) and non-discrimination and racial equality, as well as other international human rights standards.

Continue reading
Advocacy
An Electric Control Cabinet Production Factory

PI response to ICO consultation on web scraping by generative AI

PI responded to the ICO consultation on the legality of web scraping by AI developers when producing generative AI models such as LLMs. Developers are known to scrape enormous amounts of data from the web in order to train their models on different types of human-generated content. But data collection by AI web-scrapers can be indiscriminate and the outputs of generative AI models can be unpredictable and potentially harmful.

Continue reading
Long Read
Image of human body with dots of data being extracted

Q&A: €40 million fine for AdTech giant Criteo - What does it mean?

Our 2018 complaint against French AdTech company Criteo led to a €40 million fine for failing to ensure that data subjects had provided their consent to processing, to sufficiently inform them and to enable them to exercise their rights.

Following on from our initial reaction, we answer some questions about the decision below.

Continue reading
Advocacy
A drawing showing a tall amazon building surrounded by businesses closing and out of business. The caption read "Big tech's data-fuelled power is a huge problem"

Submissions to the UK and EU competition authorities on the Amazon/iRobot merger

On 2 May and 5 June 2023, PI made a submission to the UK Competition and Markets Authority (CMA) and the European Commission, respectively, in relation to the proposed merger between Amazon and iRobot, outlining the concerns the transaction raises for consumers and markets.

Continue reading