An Economic Study of the Effect of Android Platform Fragmentation on Security Updates

Vendors in the Android ecosystem typically customize their devices by modifying Android Open Source Project (AOSP) code, adding in-house developed proprietary software, and pre-installing third-party applications. However, research has documented how various security problems are associated with this customization process. We develop a model of the Android ecosystem utilizing the concepts of game theory and product differentiation to capture the competition involving two vendors customizing the AOSP platform. We show how the vendors are incentivized to differentiate their products from AOSP and from each other, and how prices are shaped through this differentiation process. We also consider two types of consumers: security-conscious consumers who understand and care about security, and naïve consumers who lack the ability to correctly evaluate security properties of vendor-supplied Android products or simply ignore security. It is evident that vendors shirk on security investments in the latter case. Regulators such as the U.S. Federal Trade Commission have sanctioned Android vendors for underinvestment in security, but the exact effects of these sanctions are difficult to disentangle with empirical data. Here, we model the impact of a regulator-imposed fine that incentivizes vendors to match a minimum security standard. Interestingly, we show how product prices will decrease for the same cost of customization in the presence of a fine, or a higher level of regulator-imposed minimum security.
