You might assume that the apps mobile device vendors pre-install on their hardware are secure. Pre-installed apps are assumed to be secure as they are handpicked or developed by the device vendors themselves rather than third parties. Unfortunately, we discovered over 200 public vulnerabilities (CVEs) in pre-installed software, ranging from Simo to Unisoc and more. We’ve also identified Android firmware that contain privilege-escalation vulnerabilities in pre-installed apps, allowing attackers to perform unauthorized actions such as executing arbitrary commands, recording the device audio and screen, and accessing personal data to name a few.

There are many reasons to introduce pre-installed apps in firmware. First, pre-installed apps often provide unique features and special services that distinguish a vendor or device from its competitors. Second, pre-installed apps come with pre-approved sensitive permissions and capabilities that are unavailable to user-level apps downloaded from app stores and often do not require user approval or consent to operate. In most cases, pre-installed apps typically run as the highly-privileged system user and cannot be uninstalled by the end user, even if a pre-installed app is found to be vulnerable, malicious, or simply unwanted. When users face these threats, their options are limited: wait for an update that hopefully fixes the vulnerable pre-installed app; or remove the app by rooting the device, potentially voiding its warranty and compromising its security.

Although most device vendors do their best to ensure that pre-installed apps are secure, there’s no guarantee that their devices are free from vulnerabilities or that their configurations and permissions settings minimize potential security risks to the end users.

That’s why securing pre-installed apps is just as important as securing apps that users install themselves. In some ways, protecting pre-installed apps is even more crucial because these apps also tend to have special privileges that can increase the impact of security incidents. Last year, Quokka (formerly Kryptowire) identified several models of Android mobile devices that contained pre-installed software that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without user consent or awareness. These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI).

Keep reading for tips on why securing pre-installed apps is challenging as well as which tools and methodologies can keep pre-installed apps secure.

Although the types of security risks that affect pre-installed apps are not fundamentally different from those affecting user-installed apps, pre-installed apps pose a special security challenge because in many cases, pre-installed apps are also “privileged” apps.

Privileged apps are programs that have higher levels of access to operating system resources on mobile devices. For instance, they may be able to write data to directories that normally wouldn’t be accessible to apps, or view system log data that standard apps can’t access.

Some pre-installed apps have these higher privileges because the apps are designed to be used for device management purposes. Vendors might provide pre-installed apps that can install security updates or change the network service configuration on the device, for example – tasks that require a higher level of access to system resources than those needed by a conventional app.

On top of this, some pre-installed apps like the App Store are designed to be impossible to remove. However, in some cases, it’s possible to uninstall them if you try hard enough and know how to reconfigure your device, but because the apps claim to be uninstallable through the standard software management tooling on devices, lay users keep the apps – and their permissions – around indefinitely.

Both of these reasons – the high privileges that pre-installed apps sometimes have and the likelihood they will linger forever on devices even if users don’t actually use the apps – mean that securing pre-installed apps is especially important for enterprises that want to protect against mobile security threats on their networks. Even if the enterprise and the end users are diligent and follow a stringent security guidance, they may still be at risk
of malicious or insecure apps that they did not install but were present on devices out of the box.

Pre-installed apps are privileged apps by design and are capable of performing actions and accessing resources that have a much broader scope and impact on the users device confidentiality and integrity than third-party apps, making them prime targets for privilege escalation attacks. Pre-installed apps are subject to the same types of security risks that affect any type of app; however, it’s important to note that the threat model, attack vectors and scopes are different. Let’s take a look at some of the security risks that affect pre-installed apps:

• Vulnerabilities: Attackers could exploit security weaknesses in privileged pre-installed apps, allowing them to control mobile devices or access sensitive data stored on them.
• Weak authentication & authorization: Incorrect or missing access control can result in local and remote privilege escalation scenarios.
• Insecure management of sensitive data: Personal information stored in mobile apps can be vulnerable to attackers.
• Configuration mistakes: Excessive permissions, that give apps access to resources they shouldn’t be able to view or modify – and by extension, give any attackers who compromise the apps access to the same resources.

Unlike apps that users install through app stores, you can’t vet pre-installed apps before they’re installed. However, you can enforce reasonable security protections through the following practices:

• Deploying vulnerability detection systems, which use a variety of methods – such as examining app behavior and interactions with other processes and scanning binary code – to detect malicious activity within apps.
• Evaluating permissions to determine whether pre-installed apps are also privileged apps. Device vendors almost never make it clear whether pre-installed apps have high permissions, so it’s important to check this explicitly.
• Enforce automatic Updates and turn on this feature whenever possible; if a trusted program prompts you to opt into automatic updates, say yes.

Unless you have total control over all of the devices on your network – a prospect that is unrealistic in today’s BYOD era – you can’t prevent pre-installed apps from appearing on mobile devices within your network by just using a “common weakness” scanner. But you can deploy a “vulnerability scanner” that protects against the security risks, potential threats and attack vectors specific to privileged apps and the private system APIs they use which are not available to third-party apps. When you know which pre-installed apps pose the greatest risk and comprehensively scan and validate those apps for threats, it becomes possible to mitigate the risk that pre-installed apps will become vectors for security breaches on your network. Quokka’s Q-MAST has advanced analysis capabilities that can scan privileged and pre-installed apps and detect vulnerabilities. While other products tell you “this app can execute a command”, Quokka will tell you “this app has a vulnerability that allows attackers to execute a command of their choice in the context of the app process.” This strong differentiator makes Quokka break through the noise and helps user’s safeguard their devices. With Q-MAST, developers can integrate full automated mobile app security testing into their CI/CD pipeline to ensure a solid, secure final mobile app. A report is provided that shares threat details, remediation guidance and pass/fail evidence. Q-MAST digs deeper and tests more thoroughly and is capable of the depth and breadth of app testing required by the current market.