An Economic Study of the Effect of Android Platform Fragmentation on Security Updates
Sadegh Farhang, Aron Laszka, Jens Grossklags

TL;DR
This paper models how Android vendors' customization and security investment decisions are influenced by market competition, consumer awareness, and regulatory fines, revealing impacts on security standards and pricing.
Contribution
It introduces a game-theoretic model of Android ecosystem customization, security investment, and regulation effects, providing insights into vendor behavior and security outcomes.
Findings
Vendors differentiate products to compete, affecting security investments.
Regulatory fines incentivize vendors to meet security standards.
Prices decrease with higher security standards under regulation.
Abstract
Vendors in the Android ecosystem typically customize their devices by modifying Android Open Source Project (AOSP) code, adding in-house developed proprietary software, and pre-installing third-party applications. However, research has documented how various security problems are associated with this customization process. We develop a model of the Android ecosystem utilizing the concepts of game theory and product differentiation to capture the competition involving two vendors customizing the AOSP platform. We show how the vendors are incentivized to differentiate their products from AOSP and from each other, and how prices are shaped through this differentiation process. We also consider two types of consumers: security-conscious consumers who understand and care about security, and naïve consumers who lack the ability to correctly evaluate security properties of vendor-supplied…
