Security Analysis of Consumer-Grade Anti-Theft Solutions Provided by Android Mobile Anti-Virus Apps

We study the “anti-theft” mechanisms available to consumers to thwart unauthorised access to personal data on stolen Android smartphones. With millions of devices stolen in the USA in 2013 alone, such attacks are a serious and growing problem. The main mitigation against unauthorised data access on stolen devices is provided by “anti-theft” apps; that is, with “remote wipe” and “remote lock” functions. We study the top 10 Mobile Anti-Virus (MAV) apps that implement these functions. They have been downloaded hundreds of millions of times. We investigate the general security practices of MAVs, as well as the implementation of their “remote wipe” and “remote lock” functions. Our analysis uncovers flaws that undermine MAV security claims and highlight the fragility of third-party security apps. We find that MAV remote locks may be unreliable due to poor implementation practices, Android API limitations and vendor customisations. Mobile OS architectures leave third-party security apps little leeway to improve built-in Factory Resets, therefore MAV remote wipe functions are not an alternative to a flawed built-in Factory Reset. We conclude the only viable solutions are those driven by vendors themselves.