Page 69:
Thanks to the openness of the Android ecosystem, mobile device vendors can build and sell smart phones and other mobile devices using their own custom versions of Android. Most of these custom versions deviate significantly from Google’s official Android Open Source Project (AOSP): in addition to various visual and functional changes to the base OS, vendors add proprietary applications (apps hereafter) to their firmware, and sometimes even add custom (often unknown) certificates to the system’s root certificate store. In fact, recent anecdotal evidence has revealed that pre-installed apps can put, intentionally or not, user’s privacy and security at risk. This is especially concerning for lesser-known brands producing lower-end devices for whom preserving user privacy might not be high on the priority list. In this extended abstract, we present our methodology to explore the complex and diverse ecosystem of Android pre-installed apps as well as our preliminary results.