The State of Publicly Available Android Device Security Information
In this blog post, we would like to raise awareness for an often underestimated problem: the lack of publicly available information about the security specifications of modern Android smartphones on the market.
This issue does not only concern security minded end-users who place special emphasis on buying a secure smartphone, but also service providers and app developers, which must make sure that their app is deployed only on smartphones that provide strong or even certified security guarantees by default.
The Current Lack of (Android) Smartphone Security Information
What are your buying criteria for a new smartphone? The price tag, the screen size, the camera quality or the battery runtime?
Let's assume you decided to buy an Android device (the situation is different in the homogenous iOS ecosystem, but out of scope in this article.): How do you compare devices, and where do you get information about its specifications? For the generic attributes, like the ones mentioned above, it’s easy: They are listed on the online shop’s product website; the product data sheets in your local electronics shop or on an independent portal like GSMArena.
But what about more specific, security-related details? In today’s world where we use our smartphones for private communication, online banking or even to store digital identity documents, devices providing strong security guarantees are of utmost importance. Let’s take for example the guaranteed patch availability or average patch frequency of a smartphone model. A device that is not up-to-date is potentially vulnerable to attacks. Besides Google for its Pixel smartphones, only a handful of other manufacturers like Samsung started listing information about their update policy for chosen devices on their websites. Not to mention that this information is self-declared and normally not monitored by an independent body.
Furthermore, details about built-in security hardware & features (Tamper-Resistant Hardware (TRH), Device Encryption type, etc.) are sparse and not publicly accessible. As Google is raising the security requirements in every new Android release by making certain security mechanisms mandatory for devices which ship with a Play Store (Android CDD), the lack of information shrinks. Still, some key insights, like the TRH manufacturer, the THR capabilities and security certifications (e.g., Common Criteria) of smartphone models on the market are mostly unknown to the public. This information is not only interesting for security aware power-users, but especially important for mobile solution providers (e.g., mobile electronic identification, eHealth apps or online banking apps) which must fulfil certain regulatory security requirements, like eIDAS or SCA / PSD2.
Android Device Security Database
In 2020, researchers from Johannes Kepler University Linz (Austria), the University of Cambridge and the University of Strathclyde (UK) teamed up to design and build the Android Device Security Database (ADSDB), a transparent, non-profit database of Android device security attributes. In a first prototype, the security attributes were acquired from off-the-shelf smartphones in a dedicated test bed and published to a publicly accessible website.
Joined by Technische Universität Darmstadt and Fraunhofer AISEC (Germany) in 2021, the research project evolved further. Current plans involve enriching the ADSDB with further security attributes, new devices and also device attributes acquired by crowdsourcing. These activities will help to provide up-to-date information about an even broader set of smartphones, and at the same time will give insights about the overall state of smartphone security on the market.
At SSE, we see the urgent need for trustworthy and reliable information about Android devices’ security specifications. Many of our customers, especially in the public sector, suffer from not being able to selectively deploy their applications only onto devices that guarantee a certain level of security and privacy by default.
For this reason, we support the ADSDB project by hosting one of the dedicated test beds as well as contributing resources and know-how to the ongoing development in the context of our 4+1 policy (4 days project work + 1 day personal research per week). Besides deSEC e.V. and Connaisseur, the ADSDB is the third non-profit project supported by SSE so far.
Contact and Further Information
If you are interested in getting to know more about the ADSDB and how you can contribute, have a look at the ADSDB website or reach out to the project team directly.
If you are interested in how to secure mobile platforms and applications for your business, feel free to reach out to us at email@example.com.