Home of internet privacy

Organizations push Google for tighter control over bloatware

Is your Android device glitchy and unresponsive? Part of the problem could be bloatware: pre-bundled apps and software that can’t be deleted, no matter how hard you try.

Despite Android dominating global smartphone sales with nearly 87% market share, the problem has continued to persist. The open-source nature of the operating system means manufacturers and carriers are free to install their own apps, in an effort to differentiate themselves from the competition.

[Want more stories about Android security? Sign up for the ExpressVPN newsletter.]

However, it’s the end consumers that suffer the most with privacy and security loopholes and other egregious exploitations.

Could there be light at the end of the tunnel? Efforts to contain this practice have gained momentum; an open letter to Alphabet CEO Sundar Pichai from advocacy body Privacy International urges the company to take comprehensive action to safeguard user privacy.

The letter, released earlier this month, points to the security loopholes in bloatware, such as their custom permissions. These permissions allow preloaded apps to operate outside of the traditional Android security model and often enable access to the microphone, camera, and GPS location coordinates willy-nilly.

Privacy International, which is made up of a number of organizations committed to digital privacy and security, says users should be in complete control of their devices. Hence, they should be allowed to delete any pre-installed apps.

Furthermore, these apps should be subjected to the same security screening and mechanisms as those on the Google Play Store. And finally, Google should flag devices that have privacy concerns so consumers know what they’re getting into.

How long has bloatware been a problem in Android devices?

Android bloatware dates back to the early days of the OS, with a Wired Magazine story referencing “apps that can’t be deleted off the device.”

Drawing parallels with the PC world, where preloaded trial software had been a problem for decades, Wired’s story was a prescient example of what was to follow. Since the practice was still relatively new at the time, most didn’t know how consumers would react and whether the model would catch on.

Fast forward a few years later, and bloatware only exploded in popularity. The Samsung Galaxy S4, released in 2013 and considered to be Android’s flagship device at the time, had 45% of its internal storage blocked off for pre-installed apps and extra software features.

And Samsung wasn’t the only offending company. Other manufacturers such as HTC, LG, and Motorola routinely bundled together their proprietary apps in an effort to convince users that their devices were better than the competition.

Original equipment manufacturers (OEMs) have tried to defend the practice, saying it offers consumers more flexibility and choice, but the downsides are too big to ignore, in my opinion.

Can bloatware expose my data?

Research from security firm Kryptowire, published in November 2019, points to pre-installed software and firmware in Android devices as some of the worst offenders when it comes to user privacy.

These apps have the capability to record audio from your device and the ability to modify system settings. And they’re not just present in unknown companies churning out Android phones, even global heavyweights like Samsung possess security vulnerabilities.

“We wanted to understand how easy it is for someone to be able to penetrate the device without the user downloading an application,” explained Kryptowire CEO Angelos Stavrou. “If the problem lies within the device, that means the user has no options. Because the code is deeply buried in the system, in most cases, the user cannot do anything to remove the offending functionality.”

Another academic paper, titled “An Analysis of Pre-Installed Android Software” which counts five co-authors, exposes Android’s open-source limitations.

The researchers state that the “supply chain around Android’s open-source model lacks transparency and has facilitated potentially harmful behaviors and backdoored access to sensitive data and services without user consent or awareness.”

Another troubling statistic revealed in the paper: 91% of Android bloatware doesn’t appear in the Google Play Store. This means it’s not subjected to the same security checks as regular apps, with potentially invasive consequences.

Google says it values user privacy, but the fact is that bloatware and security loopholes in Android have been evident for at least a decade now, with little done to quell these concerns.