Should Users Trust Their Android Devices? A Scoring System for Assessing Security and Privacy Risks of Pre-Installed Applications

TL;DR

This paper introduces a risk scoring system for pre-installed Android apps, based on analysis of trackers, SDKs, and user perceptions, to help users assess security and privacy risks.

Contribution

It presents a new dataset of pre-installed apps, analyzes their security features, and develops a scoring system to evaluate privacy and security risks for users.

Findings

Pre-installed apps contain numerous trackers and SDKs.

Users have concerns about privacy and security.

The scoring system effectively summarizes app risks.

Abstract

Android devices are equipped with many pre-installed applications which have the capability of tracking and monitoring users. Although applications coming pre-installed pose a great danger to user security and privacy, they have received little attention so far among researchers in the field. In this study, we collect a dataset comprising such applications and make it publicly available. Using this dataset, we analyze tracker SDKs, manifest files and the use of cloud services and report our results. We also conduct a user survey to understand concerns and perceptions of users. Last but not least, we present a risk scoring system which assigns scores for smart phones consolidating our findings based on carefully weighted criteria. With this scoring system, users could give their own trust decisions based on the available concise information about the security and privacy impacts of applications pre-installed on their Android devices.