An Economic Study of the Effect of Android Platform Fragmentation on Security Updates

  • Conference paper
Financial Cryptography and Data Security (FC 2018)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 10957)

Abstract

Vendors in the Android ecosystem typically customize their devices by modifying Android Open Source Project (AOSP) code, adding in-house developed proprietary software, and pre-installing third-party applications. However, research has documented how various security problems are associated with this customization process.

We develop a model of the Android ecosystem utilizing the concepts of game theory and product differentiation to capture the competition involving two vendors customizing the AOSP platform. We show how the vendors are incentivized to differentiate their products from AOSP and from each other, and how prices are shaped through this differentiation process. We also consider two types of consumers: security-conscious consumers who understand and care about security, and naïve consumers who lack the ability to correctly evaluate security properties of vendor-supplied Android products or simply ignore security. It is evident that vendors shirk on security investments in the latter case.

Regulators such as the U.S. Federal Trade Commission have sanctioned Android vendors for underinvestment in security, but the exact effects of these sanctions are difficult to disentangle with empirical data. Here, we model the impact of a regulator-imposed fine that incentivizes vendors to match a minimum security level. Interestingly, we show how product prices will decrease for the same cost of customization in the presence of a fine, or a higher level of regulator-imposed minimum security.

Notes

  1. Further compounding the problem scenario is how third-party apps targeting outdated Android versions and thereby disabling important security changes to the Android platform cause additional fragmentation [19].

  2. While we restrict our model to two vendors, we are aware that in practice, there are more than two vendors competing with each other. However, we believe that similar to classic economic studies with two companies in the context of product differentiation, our model provides a meaningful understanding of the customization in the Android ecosystem and of security quality.

  3. While we have identified a small set of research projects which aim to understand the security impact of customization, e.g., [23, 25, 26], we are unaware of any well-known market signals regarding the security of different Android versions. The recent FTC initiative to solicit security-relevant data from vendors may contribute to such signals in the future [8].

  4. In fact, research by Wu et al. shows that vendors of different reputation (which may also influence perceptions regarding Android security) all suffer from similar challenges due to Android customization [25].

  5. Note that it is not required that businesses have an accurate assessment of the security quality of their own product (or competitors’ products) for informational market power to be exploited.

References

  1. Aafer, Y., Zhang, X., Du, W.: Harvesting inconsistent security configurations in custom Android ROMs via differential analysis. In: USENIX Security Symposium (2016)

  2. Android market share: Android market share. http://www.idc.com/prodserv/smartphone-os-market-share.jsp. Accessed 11 Apr 2018

  3. Beales, H., Craswell, R., Salop, S.C.: The efficient regulation of consumer information. J. Law Econ. 24(3), 491–539 (1981)

  4. Cavusoglu, H., Raghunathan, S.: Selecting a customization strategy under competition: mass customization, targeted mass customization, and product proliferation. IEEE Trans. Eng. Manag. 54(1), 12–28 (2007)

  5. d’Aspremont, C., Gabszewicz, J., Thisse, J.-F.: On Hotelling’s “Stability in competition”. Econometrica 47(5), 1145–1150 (1979)

  6. Dewan, R., Jing, B., Seidmann, A.: Product customization and price competition on the internet. Manag. Sci. 49(8), 1055–1070 (2003)

  7. Farhang, S., Laszka, A., Grossklags, J.: An economic study of the effect of Android platform fragmentation on security updates. arXiv preprint arXiv:1712.08222 (2017)

  8. Federal Trade Commission: FTC to study mobile device industry’s security update practices. https://www.ftc.gov/news-events/press-releases/2016/05/ftc-study-mobile-device-industrys-security-update-practices. Accessed 11 Apr 2018

  9. Federal Trade Commission: HTC America settles FTC charges it failed to secure millions of mobile devices shipped to consumers. https://www.ftc.gov/news-events/press-releases/2013/02/htc-america-settles-ftc-charges-it-failed-secure-millions-mobile. Accessed 11 Apr 2018

  10. Felt, A., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Symposium on Usable Privacy and Security, pp. 3:1–3:14 (2012)

  11. Gabszewicz, J., Thisse, J.-F.: Price competition, quality and income disparities. J. Econ. Theory 20(3), 340–359 (1979)

  12. Galbraith, J.: The New Industrial State. Princeton University Press, Princeton (2015)

  13. GSMarena: HTC One X price. http://www.gsmarena.com/htc_one_x-4320.php. Accessed 11 Apr 2018

  14. GSMarena: Samsung Galaxy S3 price. http://www.gsmarena.com/samsung_i9300_galaxy_s_iii-4238.php. Accessed 11 Apr 2018

  15. Han, D., Zhang, C., Fan, X., Hindle, A., Wong, K., Stroulia, E.: Understanding Android fragmentation with topic analysis of vendor-specific bugs. In: 19th Working Conference on Reverse Engineering, pp. 83–92 (2012)

  16. Hotelling, H.: Stability in competition. Econ. J. 39(153), 41–57 (1929)

  17. Kaldor, N.: The economic aspects of advertising. Rev. Econ. Stud. 18(1), 1–27 (1950)

  18. Kardes, F.: Omission neglect. In: Baumeister, R., Vohs, K. (eds.) Encyclopedia of Social Psychology, vol. 1. Sage (2007)

  19. Mutchler, P., Safaei, Y., Doupé, A., Mitchell, J.: Target fragmentation in Android apps. In: IEEE Security and Privacy Workshops, SPW, pp. 204–213 (2016)

  20. Mylonas, A., Kastania, A., Gritzalis, D.: Delegate the smartphone user? Security awareness in smartphone platforms. Comput. Secur. 34, 47–66 (2013)

  21. Salop, S.: Monopolistic competition with outside goods. Bell J. Econ. 10(1), 141–156 (1979)

  22. Singh, S.: An analysis of Android fragmentation. http://www.tech-thoughts.net/2012/03/analysis-of-android-fragmentation.html#.WA_OxoMrKUk. Accessed 11 Apr 2018

  23. Thomas, D., Beresford, A., Rice, A.: Security metrics for the Android ecosystem. In: ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, pp. 87–98 (2015)

  24. Tirole, J.: The Theory of Industrial Organization. MIT Press, Cambridge (1988)

  25. Wu, L., Grace, M., Zhou, Y., Wu, C., Jiang, X.: The impact of vendor customizations on Android security. In: ACM Conference on Computer & Communications Security, pp. 623–634 (2013)

  26. Zhou, X., Lee, Y., Zhang, N., Naveed, M., Wang, X.: The peril of fragmentation: security hazards in Android device driver customizations. In: IEEE Symposium on Security and Privacy, pp. 409–423 (2014)

Acknowledgments

We thank the anonymous reviewers for their comments. The research activities of Jens Grossklags are supported by the German Institute for Trust and Safety on the Internet (DIVSI). Aron Laszka’s work was supported in part by the National Science Foundation (CNS-1238959) and the Air Force Research Laboratory (FA 8750-14-2-0180).

Corresponding author

Correspondence to Sadegh Farhang.

Copyright information

© 2018 International Financial Cryptography Association

About this paper

Cite this paper

Farhang, S., Laszka, A., Grossklags, J. (2018). An Economic Study of the Effect of Android Platform Fragmentation on Security Updates. In: Meiklejohn, S., Sako, K. (eds) Financial Cryptography and Data Security. FC 2018. Lecture Notes in Computer Science, vol 10957. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-58387-6_7

  • DOI: https://doi.org/10.1007/978-3-662-58387-6_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-58386-9

  • Online ISBN: 978-3-662-58387-6

  • eBook Packages: Computer Science, Computer Science (R0)
