Uraniborg's device preloaded app risks scoring metrics

The security of Android devices depends on a wide range of factors. In this paper we focus on quantifying the risks associated with one important factor: the security and privacy posture of preloaded apps. Such applications deserve particular attention since they are installed by the manufacturer on all devices of a particular make and model, individual apps may have elevated privileges beyond those available to apps installed via the Google Play Store, and typically cannot be removed by the user. In order to measure the risk presented by preloaded apps in a quantifiable way, we adopt a numerical approach and derive a single overall score for a given handset and therefore support the relative comparison of risks posed by different handsets. Due to the difficulty in computing the security and privacy risk, we approximate the actual risk by estimating the attack surface 1 presented by this layer of software. We therefore present an extensible mathematical software framework that allows us to define, compute, and analyze various aspects of security and privacy risks of preloaded Android apps in a systematic manner.