Imagine buying a mobile device that comes pre-installed with apps that can set their own permissions in ways the owner can often neither see nor control.
These apps don’t appear in any app store and, regardless of whether the user finds them useful, can’t be de-installed.
Who would use a smartphone or tablet that imposed such limitations?
If you’re an Android user, you’ll have guessed the punchline – you probably already do.
It’s the age-old woe of bloatware, and according to a new letter sent to Google CEO Sundar Pichai by Privacy International on behalf of a 53-organisation collaboration, the fact that vendors are allowed to install it at their whim has allowed a privacy and security hole to open almost unnoticed.
In recent times, Android has made a big deal out of giving users a stronger permissions structure based on clear consent and notification. And yet, says the letter, bloatware apps are often able to bypass this:
These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model. This means permissions can be defined by the app – including access to the microphone, camera and location – without triggering the standard Android security prompts.
Some of these are used to carry out commercial surveillance while others might come with security vulnerabilities that could put the device at risk.
The letter references a joint US-Spanish study published last year which uncovered the surprising scale of the bloatware issue – of 140,000 pre-installed apps, only 9% were available on Google’s Play Store, for example.
That means that Google hadn’t scanned them for provenance. Many were found to track users, including by collecting different kinds of user data while a small number were downright malevolent.
The problem for Pichai, who became CEO in 2015, is that the way bloatware works on Android is largely a legacy of decisions made in the software’s early days.
That’s because Android is not simply a mobile OS but a platform which was designed to allow third parties to customise it to suit their needs.
Some of that’s necessary – devices vary from one another at a physical level – but vendors have a habit of topping this up with an assortment of additional apps that might not be strictly necessary.
Some vendors are worse than others, and at least one, Samsung, uses its own additional Android apps and capabilities as a positive selling point, creating a platform-within-a-platform.
At the other end of the scale, Motorola, Nokia and Google’s own devices stick closely to what is called ‘stock’ Android, that is the OS with no or very minimal additions. Most vendors sit somewhere between these two poles.
One issue is there’s no accepted definition of what bloatware is – although the inability to de-install or disable a non-system app (Settings > Apps & notifications > click on app > ‘Disable’) is probably where most people would start.
According to Privacy International, the solution is to change the model so that:
- Individuals should be able to permanently uninstall the apps on their phones. This should include any related background services that continue to run even if the apps are disabled.
- Pre-installed apps should adhere to the same scrutiny as Play Store apps, especially in relation to custom permissions.
- Pre-installed apps should have some update mechanism, preferably through Google Play and without a user account. Google should refuse to certify a device on privacy grounds, where manufacturers or vendors have attempted to exploit users in this way.
We won’t know what Google’s CEO thinks until he responds, assuming he does. But after a decade of Android firmware and app bloat being given little scrutiny, reforming this part of the OS must be his to-do list.