Tech consumers who purchase brand-new Android smartphones may have absolutely no idea that these devices are fully equipped to start tracking and monitoring them as soon as they are switched on for the first time. According to a new research paper (“An Analysis of Pre-Installed Android Software”) that will be presented at an upcoming May 2019 IEEE Symposium on Security and Privacy, the pre-installed apps on Android phones can be used for data harvesting, tracking and monitoring, all without the knowledge of the user. Moreover, many of the pre-installed apps on Android are laced with malware, which represents a potential security threat to the user.
Key findings of the report on pre-installed apps on Android
The research paper, prepared by a team of academics at IMDEA Networks Institute, Universidad Carlos III de Madrid, Stony Brook University, and the ICSI at Berkeley, provides a comprehensive survey of more than 82,000 apps found on 1,742 devices from 214 different brands. In other words, this problem with pre-installed apps on Android is hardly an isolated phenomenon – it is a problem that deeply affects the entire Android device ecosystem worldwide.
All Android phones come with a mix of pre-installed apps, and it is really up to the manufacturer of the device to contact the other vendors within the Android app ecosystem and decide whose apps should be ready to go as soon as the user purchases the phone. One problem, say the researchers, is that many devices include a lot of “bloatware” that cannot be uninstalled or removed by the user. And it is often the case that these apps hold permissions that would not normally be available if a user downloaded the same app manually from the Google Play store. In some cases, pre-installed Android apps run in the background without the user’s knowledge, and the apps that do appear on the home screen cannot be disabled.
A threat to user privacy
As a broad, overarching theme for the report, say the researchers, these pre-installed apps on Android phones represent a threat to user privacy. They give access to very intrusive permissions, such as the ability to access information about which other apps you are using or downloading. They also collect and send data back to advertisers and analytics firms. This data can include sensitive geo-location data, as well as personally identifiable information based on access to email or phone address books on the Android device.
One particular privacy issue pointed out by the researchers was the prevalent use of third-party libraries (also known as Software Development Kits, or SDKs) within the pre-installed apps on Android phones. In general, SDKs are very popular within the mobile developer world, because they make it possible to build apps much more quickly than if the developer had to “reinvent the wheel.” So the issue, say the researchers, is not that they found these third-party libraries within Android apps. The issue is that so many of these libraries seem to be related to advertising and user tracking. For example, of the 82,000+ apps examined by the researchers, 12,000 of them had a total of more than 164 different advertising-related SDKs.
Another big issue highlighted in the report was the use of so-called “custom permissions” to make it easier for these pre-installed apps on Android phones to collect user information. These are set up by the phone manufacturers, and are designed to give certain privileged app makers bulk access to various Android OS features that are not available to other apps. These custom permissions appear to be very common for analytics services (which obviously would like to harvest as much data as possible) and for online services like Amazon and LinkedIn (which also benefit by getting access to sensitive personal information).
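One way to spot such manufacturer-defined permissions on a device you own is to pull `adb shell dumpsys package` output and flag every system package that declares or requests a permission outside the platform's own namespaces. The script below is an added example for this article, not code from the paper or its authors; it assumes the dumpsys field names shown in the embedded sample (which is constructed, with invented package and permission names) and that anything not under `android.permission.` or `com.android.` counts as a vendor custom permission.

```python
import re
# Platform-owned permission namespaces; anything else a system package touches is a vendor custom permission.
PLATFORM_PREFIXES = ("android.permission.", "com.android.")
# Constructed sample shaped like `adb shell dumpsys package` output (trimmed); names are invented.
SAMPLE_DUMPSYS = """\
  Package [com.oem.analytics] (1a2b3c):
    codePath=/system/priv-app/OemAnalytics
    flags=[ SYSTEM HAS_CODE ]
    declared permissions:
      com.oem.permission.READ_USAGE: prot=signature|privileged, INSTALLED
    requested permissions:
      android.permission.INTERNET
      com.oem.permission.READ_USAGE
  Package [com.example.notes] (4d5e6f):
    codePath=/data/app/com.example.notes-1
    flags=[ HAS_CODE ALLOW_BACKUP ]
    requested permissions:
      com.oem.permission.READ_USAGE
"""

def parse_packages(text):
    """Map package name -> {"system": bool, "declared": [...], "requested": [...]}."""
    packages, current, section = {}, None, None
    for line in text.splitlines():
        header = re.match(r"\s*Package \[([\w.]+)\]", line)
        if header:
            current = packages.setdefault(header.group(1), {"system": False, "declared": [], "requested": []})
            section = None
            continue
        s = line.strip()
        if current is None or not s:
            continue
        if s.startswith("codePath=/system") or (s.startswith("flags=") and "SYSTEM" in s.split()):
            current["system"] = True  # pre-installed: lives under /system or carries the SYSTEM flag
        elif s in ("declared permissions:", "requested permissions:"):
            section = s.split()[0]
        elif s.endswith(":"):
            section = None  # some other dumpsys subsection; ignore its lines
        elif section:
            current[section].append(s.split(":")[0])
    return packages

def custom_permissions(packages):
    """System packages paired with the non-platform permissions they declare or request."""
    findings = {}
    for name, info in packages.items():
        perms = {p for p in info["declared"] + info["requested"] if not p.startswith(PLATFORM_PREFIXES)}
        if info["system"] and perms:
            findings[name] = sorted(perms)
    return findings
```

On a real device, feed it the concatenated output of `adb shell dumpsys package` for each package listed by `adb shell pm list packages -s`; the non-system notes app in the sample is deliberately left out of the findings even though it requests the same vendor permission.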
While some privileges are required in order for apps to run smoothly and to deliver a consistent experience for Android users, the research paper makes clear that there has been a systemic abuse of these privileges. For example, the team of security researchers found that some apps came with pre-installed malware (and even entire libraries of malware), and some had specifically designed “back doors” into the phone that theoretically made it possible for some app developers to gain access to features like storage on the phone, or to leak personally identifiable information to third-party data brokers.
Will regulators investigate the pre-installed Android app ecosystem?
The research paper, which is the first of its kind to systematically detail the full extent of the privacy and security risks of the pre-installed apps on Android devices, has already attracted the attention of European regulators. In fact, the research team is now working with the Spanish Data Protection Agency (AEPD) in order to disseminate this study of Android system apps far and wide.
Thus, this is not going to be the typical academic study that shows up online for a few weeks before disappearing into the ether. Instead, this paper detailing potential abuses with pre-installed apps on Android phones has the potential to move the needle when it comes to improving the state of security and privacy in the mobile world. In addition to being presented at a long press conference at the IEEE Symposium, the paper will also be presented to working subgroups of the European Commission for Data Protection (ECDP), as well as other European data protection authorities.
Given the momentum behind the European General Data Protection Regulation (GDPR), it is quite conceivable that the findings of the paper could eventually be used as evidence in cases against specific device manufacturers or app developers. There is, indeed, an entire ecosystem of pre-installed apps on Android, and many questions to ask about app notifications, settings for apps, and ways to force stop apps from gaining access to personal data. At the very least, removing apps from the home screen or app drawer should be a lot easier than it is now.
What makes things difficult for regulators, though, is the fact that Android is an open source OS. Each of the 214 brands studied by the researchers is presumably using a slightly different version of Android. And each device manufacturer works with a complex network of vendors and partners, so it is unclear whether regulators would choose to go after Google (and its Android OS), or whether they would choose to go after some of the more aggressive developers of pre-installed apps on Android phones. The researchers specifically mentioned that the current ecosystem represents a “peril” to user privacy and security, so clearly something needs to be done sooner rather than later to protect Android phone users.