Privacy International urges Google to crack down on Android security

Privacy International is urging Google to crack down on Android manufacturers after a former Android security researcher revealed several vulnerabilities in pre-installed apps.

The UK-based charity has launched a petition calling on Google to: scrutinise pre-installed apps’ for security and privacy issues; refuse to certify devices by vendors or manufacturers that have attempted to exploit users; and allow users to uninstall pre-installed apps. They’re also calling for an “update mechanism” for pre-installed apps, “preferably through Google Play and without a user account”.

It follows the public release of former Google Android Security Team Senior Security Engineer Maddie Stone’s 2019 Black Hat talk last December, which highlighted ways manufacturers had failed to secure pre-installed apps.

Based on the talk, Privacy International claims that “Almost every manufacturer, including Google, disabled Google Play Protect” — a feature in newer versions of Android designed to stop apps behaving maliciously and protect user privacy and security — “without warning the user in order to bypass an issue in provisioning devices.” 

While Stone believes most manufacturers tried to re-enable the setting, some left it off or were unable to turn it back on due to a “race condition”. Although the problem was reportedly resolved in last year’s January Android Open Source Project (AOSP) security update (CVE-2018-9586), Private International believes there could still be hundreds of thousands of devices in use with owners unaware that their device “doesn’t have even the most basic malware protection enabled”.

Additionally, Stone presented an issue called “multi-app collusion” — where two apps (usually pre-installed) can work together to do things they can’t do on their own, such as sending fraudulent messages. In this case, one of the “colluding apps” might have permission to send messages, but not the capability to do so while its “partner app” has no permissions but has the ability to send messages, according to Stone.

Remote code execution and URL logging — where a manufacturer modifies the Android operating system and application programming interfaces to gain access to all URLs visited on a device — were also identified as significant issues. According to Stone’s slides, the latter could be flagged by Google Play Protect as spyware, if the feature is left on.

Finally, Stone raised concerns over supply chain issues relating to pre-installed apps, suggesting “a malware developer only needs to convince a device manufacturer to include their code and it will be automatically shipped to thousands of users”, according to Privacy International. If given some of the privileges of pre-installed apps, it could be “impossible for a user to delete”, Privacy International said.

With Google’s ability to certify “Android Partners”, Privacy International believes the company could help “dramatically improve” Android phones’ privacy and security to better protect users.

Its petition can be found via the Privacy International website.

Image credit: ©stock.adobe.com/au/prima91