Android Device Security Database (ADSDB)

The Android Device Security Database is an easy-to-use tool that helps to compare Android smartphones and their security evaluations. Based on the selection of attributes and their weighting the user can calculate security scores for the pre-selected list of Android devices. The selection of data and calculation of the security score is fully customizable.

To be able to represent a large amount of device data, this project relies on crowdsourced contributions from the community. For this purpose we developed the ADSDB Scanner App which collects attributes of the device and sends them to our server. Furthermore, we are able to store the raw data in our archive to rebuild the database with improved processing units.

The usage of the ADSDB is explained in it’s wiki pages.

Send bug reports to ernst.leierzopf@ins.jku.at.

Open Source Software

This project aims to produce open source software and most of the code is already available in the following links:

The ADSDB Scanner App is available in the Google Play Store for free.

ADSDB Scanner App

The scanner app collects and displays non-personal data about the device. By clicking the Start Scan button in Figure 1, the scan process starts and after finishing automatically shows the results in Figure 2. With the upload button, the results can optionally and on a voluntary basis be uploaded to our servers for analysis. There are three options to using this button:

  • Upload data anonymously and receive score: This option uploads the data and shows the security score of your exact device in the database. Note that the database view is updated at least once every ten minutes. If your device is not shown immediately, use the third option later on to review the result again.
  • Upload data anonymously: Only upload the data without showing the result.
  • Show security score: Only shows the security score in the database. If you did not upload the data, it still might be possible to view data from the devices of previous submissions from other people.

Figure 3 shows the list of previous results with their respective upload state including X (not uploaded), O (uploaded with error), and checkmark (uploaded successfully).

It is worth to be noted that only measurements which fulfill all requirements by the Google Play Integrity test are processed. These requirements include the MEETS_DEVICE_INTEGRITY check and the installed version of the application must be a Google Play Store known version.

Start screen
Figure 1
Scan result
Figure 2
Previous result list
Figure 3
Explanations to all attributes can be found at the Attributes page.

Privacy Policy

No private data is collected within the ADSDB Scanner application. However, it is possible that ip addresses are logged on the webserver for legitimate interests such as finding bugs in the webserver code or to detect ongoing attacks on the server.

The collected data blobs are processed once and archived for future re-use with improved processing units. No personal data is contained in these blobs. The processed data is split up in the database and can not be reversed into the full data blob. This effectively prevents data fingerprinting where a device could be identified when taking a new sample of data and comparing it to existing ones.

The ADSDB Scanner app uses the Google Play Integrity API for device and application attestation. By design no personal data is sent to Google, however it might be possible that network data such as IP address or MAC addresses are logged on Google servers.

All collected attributes only measure the security state of the device, but none of them contain any personal data. The app needs the QUERY_ALL_PACKAGES permission to list all installed packages on the device. Only the list of pre-installed applications in the system image are further used for analysis of the security state of the device. Therefore no personalization is stored within this attribute.

Datenschutzrichtlinie

Innerhalb der ADSDB Scanner-Anwendung werden keine privaten Daten erfasst. Es ist jedoch möglich, dass IP-Adressen aus legitimen Gründen, wie beispielsweise zum Auffinden von Fehlern im Webservercode oder zum Erkennen laufender Angriffe, auf dem Webserver protokolliert werden.

Die gesammelten Datenblobs werden einmal verarbeitet und für die zukünftige Wiederverwendung mit verbesserten Verarbeitungseinheiten archiviert. Diese Blobs enthalten keine persönlichen Daten. Die verarbeiteten Daten werden in der Datenbank aufgeteilt und können nicht in den vollständigen Datenblob zurückverwandelt werden. Dies verhindert effektiv, dass Fingerabdrücke der Daten, die ein Gerät identifizieren, erstellt werden können.

Die ADSDB Scanner App verwendet die Google Play Integrity API zur Geräte- und Anwendungsattestation. Es werden grundsätzlich keine persönlichen Daten an Google gesendet, es ist jedoch möglich, dass Netzwerkdaten wie IP-Adressen oder MAC-Adressen auf Google-Servern protokolliert werden.

Alle gesammelten Attribute messen lediglich den Sicherheitszustand des Geräts, enthalten aber keine personenbezogenen Daten. Die App benötigt die Berechtigung QUERY_ALL_PACKAGES, um alle auf dem Gerät installierten Applikationen aufzulisten. Nur die Liste der vorinstallierten Anwendungen im Systemabbild wird zur Analyse des Sicherheitszustands des Geräts verwendet. Daher werden in diesem Attribut keine personenbezogenen Daten gespeichert.

Contact Information

Johannes Kepler University Linz - Institute of Networks and Security

office@ins.jku.at

For technical questions and bug reports contact

ernst.leierzopf@ins.jku.at

LICENSE

If not stated otherwise within the different projects, the following license is applied.

Licensed under the EUPL, Version 1.2 or – as soon they will be approved by the European Commission - subsequent versions of the EUPL (the “Licence”). You may not use this work except in compliance with the Licence.

License: European Union Public License v1.2