Mobile Threat Catalogue

Pre-Installed Apps Invading Privacy

Threat Category: Malicious or privacy-invasive application

ID: APP-36

Threat Description: Mobile devices with cellular capability must generally be registered with a cellular carrier, and many devices are sold pre-configured to operate with a given carrier so users can have a fully functional device by the end of the initial purchase and activation at a retailer. As part of the configuration, the device may come with carrier-specific apps pre-installed, which may not be removable by the user. Because these apps come pre-installed, they may also be granted implicit permission to access device resources without the explicit knowledge or consent of the device owner. Privacy violations by such pre-installed apps may be more difficult to mitigate than those by user-installed apps, which can be uninstalled at any time.

Threat Origin

Not Applicable, See Exploit or CVE Examples

Exploit Examples

Device Squad: The story behind the FTC’s first case against a mobile device maker [1]

Certifi-gate: Hundreds of Millions of Android Devices Could Be Pwned [2]

Samsung Keyboard Security Risk Disclosed [3]

CVE Examples

Possible Countermeasures

Mobile Device User

To mitigate the potential for abuse or exploits by pre-installed apps, ensure that devices have the latest security updates installed.

Uninstall pre-installed apps that are not in use.

For pre-installed apps that cannot be uninstalled, revoke access to device sensors and OS-provided services.

For pre-installed apps that cannot be uninstalled, disable the app so that it cannot be launched.
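
To find which pre-installed apps the revoke and disable steps above should target, the following added example (not part of the original catalogue entry) audits package state on an Android device. It assumes Android and output captured with `adb shell dumpsys package`; the sample dump is a constructed, simplified excerpt and its package names are hypothetical.

```python
import re

# Subset of Android runtime permissions guarding sensors and personal data.
SENSITIVE = {"CAMERA", "RECORD_AUDIO", "ACCESS_FINE_LOCATION",
             "READ_CONTACTS", "READ_SMS"}

# Constructed, simplified `adb shell dumpsys package` excerpt; hypothetical names.
SAMPLE_DUMP = """\
  Package [com.example.carrier.assistant] (1a2b3c):
    pkgFlags=[ SYSTEM HAS_CODE ]
    User 0: installed=true enabled=0
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true
        android.permission.ACCESS_FINE_LOCATION: granted=true
        android.permission.CAMERA: granted=false
  Package [com.example.usergame] (4d5e6f):
    pkgFlags=[ HAS_CODE ]
    User 0: installed=true enabled=0
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true
  Package [com.example.oem.keyboard] (7a8b9c):
    pkgFlags=[ SYSTEM HAS_CODE ]
    User 0: installed=true enabled=3
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
FLAGS_RE = re.compile(r"^\s*pkgFlags=\[([^\]]*)\]")
USER_RE = re.compile(r"^\s*User \d+:.*\benabled=(\d+)")
PERM_RE = re.compile(r"^\s*android\.permission\.(\w+): granted=true")

def audit_preinstalled(dump):
    """Map each enabled system package to its granted sensitive permissions."""
    apps, cur = {}, None
    for line in dump.splitlines():
        if m := PKG_RE.match(line):
            cur = apps.setdefault(m.group(1), {"system": False, "enabled": True, "grants": set()})
        elif cur is None:
            continue
        elif m := FLAGS_RE.match(line):
            cur["system"] = "SYSTEM" in m.group(1).split()
        elif m := USER_RE.match(line):
            # States 2 (disabled) and 3 (disabled by user) mean the app cannot launch.
            cur["enabled"] = m.group(1) not in {"2", "3"}
        elif (m := PERM_RE.match(line)) and m.group(1) in SENSITIVE:
            cur["grants"].add(m.group(1))
    return {p: sorted(a["grants"]) for p, a in apps.items()
            if a["system"] and a["enabled"] and a["grants"]}
```

On the constructed sample, only the enabled system app holding contacts and location grants is reported; the user-installed app and the already disabled system app are skipped.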

Enterprise

To mitigate the potential for abuse or exploits by pre-installed apps, ensure that devices have the latest security updates installed.

Deploy MAM solutions to identify and block access to devices running high-risk pre-installed apps.

Deploy MAM or container solutions to provide additional separation between trusted and untrusted pre-installed apps to mitigate the potential for pre-installed apps to violate the privacy of user actions performed within trusted apps.

References

  1. L. Fair, “Device Squad: The story behind the FTC’s first case against a mobile device maker”, blog, 22 Feb. 2013; www.ftc.gov/news-events/blogs/business-blog/2013/02/device-squad-story-behind-ftcs-first-case-against-mobile [accessed 8/25/2016] 

  2. Check Point Security Team, “Certifi-gate: Hundreds of Millions of Android Devices Could Be Pwned”, blog, 6 Aug. 2015; http://blog.checkpoint.com/2015/08/06/certifigate/ [accessed 8/25/2016] 

  3. “Samsung Keyboard Security Risk Disclosed”, 16 June 2015; www.nowsecure.com/keyboard-vulnerability/ [accessed 8/25/2016]