One of the oft-discussed downsides of choosing an Android device is the phenomenon of pre-loaded “bloatware.”
Broadly speaking, these are apps and services pre-loaded on smartphones and tablets by phone vendors, mobile carriers, and their partners along with the basic suite of Google apps and Android itself.
Not all of this software is necessarily useless, and some vendors load less than others, but often it can’t be uninstalled, leaving users stuck with space-consuming software they might never use.
Worse still, according to a new study by researchers at the Universidad Carlos III de Madrid in Spain and Stony Brook University in the US, which analysed crowdsourced data from 1,742 devices made by 214 vendors, bloatware can also create hidden security and privacy risks.
Their first discovery was the sheer amount and mysterious origins of the software shipping on Android devices, which totalled 424,584 firmware files, only 9% of which corresponded to app APKs found on Google Play.
That amounted to around 140,000 apps, built using 11,665 different third-party software libraries (TPLs), and 1,200 developers closely associated with smartphone makers.
What does all this software do?
Mostly social networking, advertising, and analytics, which included extensive tracking of users for commercial purposes, the researchers found.
A lot of it was obscure long-tail stuff but plenty of big brands appeared regularly, such as Spotify, Facebook, TripAdvisor, and AccuWeather.
Activities ranged from gathering location data to more invasive cases that resulted in the collection of phone call metadata, contacts and, of course, valuable behavioural data.
The analysis covered 144 countries, with the team also spotting a small number of known malicious apps.
Our results reveal that a significant part of the pre-installed software exhibit potentially harmful or unwanted behavior.
Android users understand that phone makers need to make a profit from the device. What’s less well understood is that the data users generate while using the device is also lucrative when scaled across millions of people. It’s not easy for Android users to fathom for themselves:
Overall, the supply chain around Android’s open source model lacks transparency and has facilitated potentially harmful behaviors and backdoored access to sensitive data and services without user consent or awareness.
And the sheer volume of pre-installed apps and privileges afforded to them increased the chances that some suffered from software flaws that might be exploited maliciously by third parties.
The researchers suggest reforms, including that phone makers be required to list the installed software, stating its developer and purpose and any data collection it is engaged in.
They also suggest reforming user consent – although that might not be easy to put into practice on a device with a dozen or more of these pre-installed apps, each one of which might require a separate agreement.
Perhaps, then, it would just be easier to allow users to uninstall all non-integral apps. This wouldn’t solve the bloatware problem (not all users would bother) but would at least give users some say in the matter.
Right now, buying an Android smartphone is like holding a party for a large number of guests you’ve never met and perhaps shouldn’t trust.
Listen to the podcast
In episode 26 of the Naked Security podcast, we looked into the annoying problem of bloatware on Android phones [01’54”]