According to a recent study of Android pre-installed apps, an alarming number are not included in Google Play. That means they are not subject to the terms and protections of the “Google Play Protect” security suite that is now standard on all modern Android devices. This can leave smartphone and tablet users open to data exploitation courtesy of their device manufacturer.
With the vast majority of these pre-installed apps existing outside the secure Google ecosystem, the end user has to trust their device manufacturer to not overreach with app permissions or funnel their personal data to remote servers.
Some manufacturers have proven to not be worthy of this sort of trust, leading Privacy International and over 50 other data protection NGOs to draft an open letter asking Google to take action against data exploitation.
The problem with pre-installed apps
The open nature of the Android operating system has been both a strength and weakness for consumers. There are a wide range of manufacturers in the market, leading to a variety of choices and competitive hardware. However, unless the consumer purchases one of Google’s own line of phones or tablets they are locked in to the policies of their manufacturer.
One common issue is manufacturers commonly abandoning operating system updates after only a year or two, essentially forcing the user to upgrade their mobile phone or be left behind in terms of security patches and app compatibility. Another major issue, pointed out by the open letter, is that device manufacturers are granted a lot of leeway in how they collect and handle user data. In some cases, this leads to data exploitation.
The open letter is addressed to Google CEO Sundar Pichai and calls upon the company to do more to police the ecosystem of pre-installed apps. As the letter points out, these apps may have access to sensitive items such as the camera or the user’s location data without triggering the usual prompts for permission that a Google Play Store app would be required to have.
Among the organizations co-signing the letter are the ACLU, Amnesty International, and the Electronic Frontier Foundation.
Bloatware and data exploitation
The inclusion of “bloatware” by manufacturers is a practice much older than smartphones and tablets. It’s tied to the history of mass-market prebuilt PCs, with OEMs such as Dell and Hewlett-Packard developing reputations for including it on their computers in the 1990s.
The mobile bloatware issue is different due to the always-on connectivity and more opaque operating systems of these devices. PC bloatware has typically been a nuisance that just takes up space, a side revenue stream that the manufacturer gets simply for shipping it with their systems. It’s very obvious to the end user, usually fairly easy to uninstall, and usually a low data exploitation risk. Mobile bloatware may be spying on users without their knowledge or consent, and may be difficult (or even impossible) to get rid of.
The study that Privacy International cites examined over 1,700 different Android devices from over 200 vendors distributed across 130 countries. Of the firmware apps included with these devices, the researchers found that a mere 9% were present in the Google Play store (and thus subject to Google security requirements).
The study included a behavioral analysis of half of the apps examined, to determine if they posed any sort of data exploitation risk or threat to the end user. The researchers characterized user tracking and personal data collection as “quite prevalent” among these apps. Geolocation and personally identifiable information collection were common, but some pre-installed apps went farther than that in collecting user contacts and metadata from emails and phone calls.
The researchers even found a small handful of malware samples in with these pre-installed apps on certain devices – some designed to grant remote root access to the phone for parties unknown, others to waste the end user’s resources with various advertising view schemes.
One might wonder how 91% of these pre-installed apps can be outside of the Google app ecosystem when phones usually come packed with apps for Facebook, Twitter and other mainstream services. The authors of the study mention that hardware manufacturers often have their own unique version of these apps that are signed by the parent company, but are not the same as the standard Google Play Store version and may be playing by their own rules. This includes the pack-in version of web browsers such as Opera and UME Browser.
Another important factor with these “alternate version” Android apps is that they do not necessarily receive the same updates and patches that the standard versions do. The study authors found that 74% of these types of apps were never updated, and 41% had not received security patches in at least five years.
But don’t many countries now require that this sort of data handling be disclosed, and the end user given the option of accessing it and opting out?
Even in the countries that have robust data protection laws, such as European Union members, the study found that some devices were simply not in compliance. Many either did not display a privacy notice, or displayed an overly general one about personally identifiable information that was not adequate. The study also pointed out that many of these devices and pre-installed apps may not be in compliance with the United States Children’s Online Privacy Protection Act (COPPA) as they do not initiate age checks before collecting this data.
Hardware manufacturers are required to be certified by Google before they can ship devices with Android installed on them, but this certification process is mostly a matter of installing the official app store and Google’s featured mobile apps. This study reveals that there is clearly still too much slack for Android device manufacturers to engage in data exploitation, but it remains to be seen if the privacy initiative will have any effect.