Skip to content
Naked Security Naked Security

Google urged to tame privacy-killing Android bloatware

A letter sent to the Google CEO by Privacy International claims bloatware has allowed a privacy and security hole to open almost unnoticed.

Imagine buying a mobile device that comes pre-installed with apps that can set their own permissions in ways the owner can often neither see nor control.
These apps don’t appear in any app store and, regardless of whether the user finds them useful, can’t be de-installed.
Who would use a smartphone or tablet that imposed such limitations?
If you’re an Android user, you’ll have guessed the punchline – you probably already do.
It’s the age-old woe of bloatware, and according to a new letter sent to Google CEO Sundar Pichai by Privacy International on behalf of a 53-organisation collaboration, the fact that vendors are allowed to install it at their whim has allowed a privacy and security hole to open almost unnoticed.
In recent times, Android has made a big deal out of giving users a stronger permissions structure based on clear consent and notification. And yet, says the letter, bloatware apps are often able to bypass this:

These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model. This means permissions can be defined by the app – including access to the microphone, camera and location – without triggering the standard Android security prompts.

Some of these are used to carry out commercial surveillance while others might come with security vulnerabilities that could put the device at risk.
The letter references a joint US-Spanish study published last year which uncovered the surprising scale of the bloatware issue – of 140,000 pre-installed apps, only 9% were available on Google’s Play Store, for example.
That means that Google hadn’t scanned them for provenance. Many were found to track users, including by collecting different kinds of user data while a small number were downright malevolent.
The problem for Pichai, who became CEO in 2015, is that the way bloatware works on Android is largely a legacy of decisions made in the software’s early days.
That’s because Android is not simply a mobile OS but a platform which was designed to allow third parties to customise it to suit their needs.
Some of that’s necessary – devices vary from one another at a physical level – but vendors have a habit of topping this up with an assortment of additional apps that might not be strictly necessary.

Sinking bloat

Some vendors are worse than others, and at least one, Samsung, uses its own additional Android apps and capabilities as a positive selling point, creating a platform-within-a-platform.
At the other end of the scale, Motorola, Nokia and Google’s own devices stick closely to what is called ‘stock’ Android, that is the OS with no or very minimal additions. Most vendors sit somewhere between these two poles.
One issue is there’s no accepted definition of what bloatware is – although the inability to de-install or disable a non-system app (Settings > Apps & notifications > click on app > ‘Disable’) is probably where most people would start.
According to Privacy International, the solution is to change the model so that:

  • Individuals should be able to permanently uninstall the apps on their phones. This should include any related background services that continue to run even if the apps are disabled.
  • Pre-installed apps should adhere to the same scrutiny as Play Store apps, especially in relation to custom permissions.
  • Pre-installed apps should have some update mechanism, preferably through Google Play and without a user account. Google should refuse to certify a device on privacy grounds, where manufacturers or vendors have attempted to exploit users in this way.

We won’t know what Google’s CEO thinks until he responds, assuming he does. But after a decade of Android firmware and app bloat being given little scrutiny, reforming this part of the OS must be his to-do list.

4 Comments

I find this very interesting: “In recent times, Android has made a big deal out of giving users a stronger permissions structure based on clear consent and notification”. Back in September, after the Android 10 update, when my husband would try to call me my phone would ring but I couldn’t hear him at all… unless he called me back using a non-Android phone. For some reason, I could call him with no problems at all. The problem turned out to be with permissions, which I managed to figure out after 3 days! Very nice of Google to worry about my security by making my phone unusable… AND with no “clear consent and notification” to me that they were doing it. My phone is a Pixel 2.

I don’t think the goog would ever accept not being able to pry PII out of devices. That is what their entire business model is built around: Harvest data for marketing purposes (and some times political manipulation). They provide a search engine, Email, a browser and an OS, Not for free. All are designed to harvest PII and do targeted advertisement.
Android “should” work like Linux, where the user has root, and can manage their own device without being taken advantage of. But, that breaks the business model. So it will not happen on goog’s watch.

Thank you the update on your May 2019 article in the same area. Having just had a look at my new phone I am reminded of one of my great frustrations – that apps do not say what they do or any informaiton on how to use them. In adidtion when a permission is removed the unhelpful message that the device may not work properly comes up – this is about as helpful as the old windows error message (Keyboard faulty or missing, press F1 to continue)!
Surely these apps fall foul of the GDPR, at least for those us who are covered by it. Which takes me to a second bone of contention. I think it would be reasonable for any app, pre loaded or otherwise, to provide a means of contact in the event of dispute. Who does the use go to, The phone maker, the app writer, the phone provider or Google?
I suspect that many users would not be too concerned about the collection of personal data in exchange for the facilities offered – google maps as a sat nav being a good example perhaps – but it is the lack of transparancy that is the problem – The first data protection principle – processing is lawful, fair and transparant.
it is also unfortunate that the the DPA has not implemented Article 80(2) of the GDPR which provdies for suitable representative bodies to raise a data protection issue with the Commissioner in the absence of a specific user complaint. I hope that Sophos will make reprsentation if it can when a report is put to parliament to consider this provision again.
Thank you for the update!

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?