As reported yesterday by Lucian Armasu in TomsHardware.com, there’s a research paper that talks about security issues of customizing mobile devices:
Security and system architecture: comparison of Android customizations
Roberto Gallo, Patricia Hongo, Ricardo Dahab, Luiz C. Navarro, Henrique Kawakami, Kaio Galvão, Glauber Junqueira, and Luander Ribeiro
“Smartphone manufacturers frequently customize Android distributions so as to create competitive advantages by adding, removing and modifying packages and configurations. In this paper we show that such modifications have deep architectural implications for security. We analysed five different distributions: Google Nexus 4, Google Nexus 5, Sony Z1, Samsung Galaxy S4 and Samsung Galaxy S5, all running OS versions 4.4.X (except for Samsung S4 running version 4.3). Our conclusions indicate that serious security issues such as expanded attack surface and poorer permission control grow sharply with the level of customization.”
See the TomsHardware article for some additional comments, beyond the research.
(Re: ‘firmware’ use in TomHardware article, I wish there was more granularity for the term ‘firmware’, it is often used to refer to embedded OS code on mobile devices.)