The threat of pre-installed mobile apps

Example: You are trying to install a crucial application, but your phone memory does not allow it. You try every possible way to free up memory space by deleting cache, unwanted and accidental photos and videos, however, you still don’t have enough memory to install the app. You dig deep to find out that a considerable part of the phone memory is occupied by pre-installed apps. Acting quickly, you try to delete the ones you never use, but to your surprise, they aren’t deletable. You just can’t wish them to leave!

Pre-installed apps are a not-so-desired reality of smartphones. However, unlike the early days when a few mobile phones came with a rare app pre-installed, nowadays Android phones come with a whole bunch of them. Many of them are bloatware – a term used for pre-installed apps or software that users don’t want, but struggle with.

While providing several benefits such as simplifying the device activation process, troubleshooting issues and optimizing performance, these pre-installed apps gain extensive control over the device and this can have serious ramifications.

Online user privacy and security

A few months ago, Microsoft discovered serious vulnerabilities in a mobile framework used by well-known mobile service providers in pre-installed Android system apps. In its analysis, Microsoft found that these apps were embedded in the devices’ system image, implying that they were installed by telephony providers. The system image contains all of the settings, configurations, and applications that the original equipment manufacturer and carrier have decided to provide to end users. Also, all the apps were available on Google Play Store. Now, apps available on Google Play are subject to automatic security checks. Therefore, the presence of these apps on the Play Store despite security checks implies that these types of vulnerabilities have not been scanned.

Vulnerabilities detected in pre-installed apps make mobile devices an easy target for attackers. An attacker may be able to carry out local and remote attacks due to pre-existing vulnerabilities. The attacker can also access system configuration and sensitive information by exploiting system privileges.

One of the first large-scale studies of pre-installed software on Android devices was published at the 2020 IEEE Security and Privacy Symposium. The study, An Analysis of Pre-installed Android Software, discusses the ecosystem of pre-installed apps in detail. He found that apps pre-installed on Android phones are used to collect, track and monitor data without the user’s knowledge.

Many of these applications contain viruses that could endanger the user’s security. These apps often allow the user to access permissions that are usually not available if downloaded directly from the Google Play Store. They grant access to intrusive permissions such as information accessibility about other apps installed by users. The collected data is then provided to advertisers and analytics companies. Information collected may include sensitive geolocation data and personally identifiable information gleaned from devices’ email or phone address books. These pre-installed apps often come with specially crafted backdoors that allow app developers to access phone features like storage or leak personally identifiable information to data brokers.

There have been several suspicions about mobile phone manufacturers involved in security breaches involving personally identifiable information. For example, a few years ago, the New York Times reported that Meta (then Facebook) and device makers like Samsung made secret deals to collect users’ private data without their knowledge.

In India, there have been concerns about privacy being compromised due to data collected by preinstalled smartphones, primarily those manufactured by Chinese mobile phone companies.

In 2020, a petition was filed in the Supreme Court of
India asks cellphone makers to disclose everything
apps pre-installed in the outer packaging.

Additionally, the plea wanted manufacturers to ensure user privacy by disclosing how data collected from pre-installed apps would be stored and used.

Undoubtedly, data security and privacy is perhaps the most important concern posed by pre-installed apps. However, there are also other concerns. Take the example of the Glance application which is pre-installed on several smartphones. Although users need to enable it, it is very difficult for a layman to determine whether it is extracting sensitive information from the device. It may rely on data, but only when users activate the app does it share data with other stakeholders. After all, there are instances where many of these pre-installed apps run in the background without the user’s knowledge, making it difficult to disable apps that are on the home screen.

A source of revenue for handset makers

Notwithstanding the security issues posed by pre-installed apps, what drives handset makers to provide these apps is the revenue they generate. Most of the time, application producers pay mobile phone manufacturers to include their applications in the system image. It serves a dual purpose – one, the app gets a promotional platform and recognition which is beneficial to app developers in the long run, second, handset makers are able to lower the price – a key reason why Android phones were able to target the middle and low income groups.

Removing these apps can cost you dearly

While most bloatware cannot be removed altogether, some like the Glance app can be disabled. In order to get rid of the apps completely, one can opt for the highly technical method of rooting the device. While rooting your phone, you reach a secure part of the device where system files exist and from there you can remove unwanted apps. However, this comes at the cost of device security. Rooting also increases the chances of bricking the device in which your phone turns into an expensive and unusable “brick” due to improper use. Additionally, handset makers void the warranty if the device has been rooted.

Go forward

One possible way out of this mess would be for manufacturers to provide documentation for the specific set of apps they have pre-installed in devices, along with their purpose and the entity responsible for each of those apps. It must be accessible and understandable for users. Such a practice will ensure that there is at least one benchmark for users and regulators to find accurate information about pre-installed apps and their practices.

With the evolution of mobile technology, as new threats and vulnerabilities are discovered, collaboration between security researchers, software vendors and other stakeholders can improve overall security so that end users are protected against present and future threats.

Casey J. Nelson