Research article. DOI: 10.1145/3510003.3510072

Large-scale security measurements on the android firmware ecosystem

Published: 05 July 2022

Abstract

Android is the most popular smartphone platform, with over 85% market share. Its success is built on openness: phone vendors can use the Android source code to build products with unique software and hardware features. On the other hand, the fragmentation and customization of Android also bring many security risks that have attracted the attention of researchers. Much effort has gone into investigating the security of customized Android firmware. However, most previous work focuses on designing efficient analysis tools or analyzing particular aspects of the firmware. A panoramic view of Android firmware ecosystem security, and the corresponding understanding based on large-scale firmware datasets, is still lacking. In this work, we conducted a large-scale, comprehensive measurement of Android firmware ecosystem security. Our study is based on 6,261 firmware images from 153 vendors and 602 Android-related CVEs, which is the largest Android firmware dataset ever used for security measurements. In particular, our study followed a series of research questions covering vulnerabilities, patches, security updates, and pre-installed apps. To automate the analysis process, we designed a framework, AndScanner, to perform ROM crawling, ROM parsing, patch analysis, and app analysis. Through massive data analysis and case explorations, we obtained several interesting findings. For example, patch delay and missing-patch issues are widespread in Android images, affecting 24.2% and 6.1% of all images, respectively. The latest images of several phones still contain vulnerable pre-installed apps, even though the corresponding vulnerabilities have been publicly disclosed. In addition to data measurements, we also explore the causes behind these security threats through case studies, and we demonstrate that the discovered security threats can be converted into exploitable vulnerabilities through 38 new vulnerabilities found by our framework, 32 of which have been assigned CVE/CNVD numbers. This study provides much new knowledge of the Android firmware ecosystem, with a deep understanding of software engineering security practices.

    Published In

    ICSE '22: Proceedings of the 44th International Conference on Software Engineering
    May 2022
    2508 pages
    ISBN:9781450392211
    DOI:10.1145/3510003

    In-Cooperation

    • IEEE CS

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Android firmware ecosystem
    2. pre-installed apps
    3. security measurements
    4. security patches

    Qualifiers

    • Research-article

    Conference

    ICSE '22

    Acceptance Rates

    Overall Acceptance Rate 276 of 1,856 submissions, 15%
