Eggheads confirm: Rampant Android bloatware a privacy and security hellscape

The apps bundled with many Android phones are presenting threats to security and privacy greater than most users think. This according to a paper (PDF) from university researchers in the US and Spain who studied the pre-installed software that 214 different vendors included in their Android devices. They found that everyone …

  1. Korev Silver badge
    FAIL

    Barrier to updates

    Not to mention that the cost/effort of updating the Bloat makes it harder to update the OS on the phones too.

    I'm assuming that the manufacturers actually give a **** about this of course...

    1. fidodogbreath Silver badge

      Re: Barrier to updates

      Not to mention that the cost/effort of updating the Bloat makes it harder to update the OS on the phones too.

      Android updates are a cost center with no offsetting revenue, not to mention the risk of generating support requests if an update goes wrong. All risk, no reward. It's much better for their bottom line to skip the updates and sell you a new phone every couple of years.

  2. yoganmahew

    Insecure dead things

    Add to the risks deadware, particularly from Google, that cannot be uninstalled and that can only be 'disabled'.

    Think it's really disabled? Guess again! I've disabled Google Keep (which claims to be a note-taking app). Still I get the "Unfortunately Google Keep has stopped" errors pretty much at random...

    1. Wade Burchette Silver badge

      Re: Insecure dead things

      Two apps I found essential for my Android devices are Package Disabler Pro. Unfortunately, Package Disabler requires a rooted device or a Sammy or LG device.

      1. MiguelC Silver badge

        Re: Package Disabler requires a rooted device

        And if you have root you don't need Package Disabler

        And from what I gather from the comments on Google Play, it looks a lot like a money-sucking machine...

      2. NonSSL-Login
        Mushroom

        Re: Insecure dead things

        It works without root.

        Something every samsung user should look at.

  3. thosrtanner

    Since when has self regulation worked (or even happened) in this industry? Or was GDPR sponsored by the likes of Google and Apple, and I missed the announcement?

  4. ACZ
    Mushroom

    Surely there's a big GDPR angle here?

    These folks need to team up with a consumer rights advocacy group who can initiate some GDPR proceedings - sounds like it should be an easy win, and could be a very significant shot across the bows of device retailers and software companies.

    1. Charlie Clark Silver badge

      Re: Surely there's a big GDPR angle here?

      Actually, standard consumer protection regulation in most countries should allow users to remove any unwanted software. But, yeah, GDPR should also be a smackdown. Assuming anybody bothers to take it up with the regulators.

    2. Anonymous Coward
      Anonymous Coward

      Re: Surely there's a big GDPR angle here?

      I guess there would be, if there was any substance to this story. When you dig past the money-making generalisations into details, however, you find that there is really nothing going on that affects western countries and major brands, and it's the 1% of Chinese brands in Asia that you will have never heard of that are making the sensationalism in this money-making paper.

  5. Anonymous Coward
    Anonymous Coward

    Heavy fines and prison time

    Industry self regulation obviously does not work at all and it is time for something else. Companies have had many years to act and put things right, so it’s too late to cry out when penalties are being handed out. EU has made a nice start, but it is still far from good enough.

    Established industrial players know very well how to act in a responsible way, but choose not to do so year after year. No more chance to say ’Oops, we will correct our habits, please don’t fine us 2 billion euros’. Fine them right away when they break the laws. I call for imprisonment for the persons in charge too. Not for poor engineers and other underlings who are forced to do bad things.

  6. Down not across Silver badge

    Recommendation

    To that end, they recommend someone steps in to offer audits of the supply chain and catch potential security and privacy threats in bundled software.

    Too little, too late. The recommendation should be that pre-installed/bundled software must be removable by the end user. Just "disabling" is not enough, as it could be re-enabled by something else and wouldn't free up the storage.

    At least there are now choices with no, or hardly any, bundled crap.

    1. Pascal Monett Silver badge
      Flame

      I agree

      Coming from a computer background, it irks me to no end to see that I don't actually have any true say in what is on my phone. There is no question of license here, the hardware is mine, bought and paid for with my money, yet I'm not given the tools to manage my hardware out of the box.

      That is just one reason I hate the damn things.

      1. Charles 9 Silver badge

        Re: I agree

        That's because you may be in control of the hardware, but you don't have the same control over the software unless, like with the copyrighted car computer software, you're willing to throw everything out and go solo.

        Just remember, Android is more than just the hardware, and the Android software, by law, is NOT under your control.

        1. ds6 Bronze badge

          Re: I agree

          Isn't AOSP licensed under Apache 2.0, and the kernel GPLv2?

          So... It is kinda under your control, actually. OEMs just don't want you to have that control, so they can make more money. There are proprietary components that are closed source (eg. almost every bloat and Play Store app) but the core is free software.

        2. A.P. Veening Silver badge

          Re: I agree

          the Android software, by law, is NOT under your control.

          Which law and which country? I am pretty sure it is not according to the law in most EU and EEA countries.

          1. Charles 9 Silver badge

            Re: I agree

            The EU is signatory to the Berne Convention, is it not? That means copyright is enforceable in the EU. That means Google's core Android software (which is NOT open-source) is not fair game. Sure, you can use AOSP or roll your own (just as you can roll your own car computer software), but it's a strictly YOYO affair.

            1. ds6 Bronze badge

              Re: I agree

              You need to differentiate Android the trademark, Android the software (including Linux kernel, userland, and AOSP), and the proprietary Google apps and frameworks that run on Android (GSF, Play apps, etc), because saying "Android software, by law, is NOT under your control" is simply not true. While Google may own the Android trademark, the Android kernel (modified Linux kernel) is licensed under the GPLv2, while the userland and AOSP are licensed under Apache 2.0, which makes the whole package Free Software as defined by the FSF. That's how custom distributions of Android are able to exist, because it is legal to do so. For example, I am posting this from my Android (the trademark) device running LineageOS 16, and I don't use Google apps or services other than what comes with AOSP. Compare this freedom to iOS, which is closed source and proprietary.

              GSF and associated functionality is NOT a core feature of Android. When Google took over Android, they extended and replaced the Android Market with the proprietary Google Play Store, and used their leverage as the new figurehead for the Android trademark and codebase to push their apps on OEMs, resellers, and end users. Why do you think the EU (and recently India) are going after Google for anti-trust lawsuits? Because "Android" does not mean "Google bloat" and their pervasiveness in the Android ecosystem pushes out most competition on the platform. Apple can get away with having Safari, FaceTime, etc. on all the devices they sell, because the "iPhone" is expressly a single, homogeneous entity and the built-in apps are baked-in features of the iOS software.

              Yes, Google is almost expected to be a part of any Android device despite being functionally independent, but the only reason GSF is such a standard is because Google pushes it and provides lots of nice APIs and services you can't get anywhere else; I don't like or use them personally but it's not hard to see their worth to the average app developer. Want to distribute your cool app to as many people as possible on a trusted network? OK, release your app on Google Play for a small fee, sign up to Google AdWords, and get your app presented on the millions of devices showing Google ads. Want to show your own ads and make money off of your app? Embed this simple API in your codebase, and add a few function calls to pop up some revenue generators. The whole process is practically effortless and very affordable, not to mention Google gets a cut of any revenue you generate from app sales and advertising, so of course they're going to push their APIs over everyone else.

              There are other app stores (too many to count, I use F-Droid), other advertising methods and APIs, other stock apps to include with a phone. Google just happens to be the owner of some of the best you could possibly be using, for developers and frequently for end users.

              1. Charles 9 Silver badge

                Re: I agree

                "Yes, Google is almost expected to be a part of any Android device despite being functionally independent, but the only reason GSF is such a standard is because Google pushes it and provides lots of nice APIs and services you can't get anywhere else;"

                Which means, for at least 95% of the smartphone population, enough to exert overwhelming influence, that's Android, full stop. You always have to take Joe Ordinary into consideration when you consider the Android brand, given their actions take the rest of us with them. Thus, why most phones lack removable batteries, SD slots, and completely unlocked software.

                1. ds6 Bronze badge

                  Re: I agree

                  Now you're talking about Android-compatible hardware. I was expressly talking about your phrasing in relation to the Android software and branding, not hardware. In that regard, just because Android is colloquially known as a single entity comprised of Google apps, AOSP, and vendor bloat doesn't make the phrase "the Android software, by law, is NOT under your control" any less incorrect, no matter what malarkey Joe Ordinary is up to lately.

                  If when you said that, you meant "Android hardware" instead of "Android software" then, yes, you would have been correct, since most Android-compatible hardware vendors are not very keen on sharing their design documents and other such secrets. Other correct answers would have been the Google Services Framework, Play backend APIs, etc., and the Android brand/trademark. Otherwise, while Google may have significant impact on the Android ecosystem, they still can't stop you from doing pretty much whatever you want with the software.

                  To help make things a little clearer:

                  • Android the brand/trademark: Owned by Google LLC.
                  • Android the software (AOSP): Developed primarily by Google; Apache 2.0 licensed and open source. The interests of the Android project are driven by the Open Handset Alliance which Google founded and is the parent company. There are enough members however (over 80 IIRC, including most big-name mobe and tablet pushers) that Google doesn't fully direct the development process.
                  • Android-compatible hardware: The CDD directs hardware compatibility and directly impacts new devices on the market. Google does most of the work on this document with occasional input from the OHA.
                  • Google services provided on Android (GSF et al.): Wholly owned by Google. They can do whatever they want in this corner with little oversight.

                  I'm really tired so please try to excuse any inaccuracies.

      2. anonymous boring coward Silver badge

        Re: I agree

        Fair point. But using something like Windows 10 isn't a whole lot better.

        1. jelabarre59 Silver badge

          Re: I agree

          Fair point. But using something like Windows 10 isn't a whole lot better.

          I never got to actually use or even try out a MSWindows Mobile device, but my impression was that it actually gave you MORE control over your device than either iOS or Android. Ironic if you think about it.

          1. anonymous boring coward Silver badge

            Re: I agree

            "my impression was that it actually gave you MORE control over your device than either iOS or Android. Ironic if you think about it"

            That's because they didn't have the market share. Before you can start dictating how things should be (to your advantage) you must first have a near-monopoly. MS has that with the PC OS, and Google on phones.

            1. Michael Maxwell

              Re: I agree

              Even when they did have a reasonable market share, there was little or no bloatware on a Windows phone. (I have owned several, and still prefer my Win10 phone to anything else I've seen.)

      3. jelabarre59 Silver badge

        Re: I agree

        Exactly. Barring such things as the "Secure" Boot function in many modern UEFI firmwares, you are allowed to install or not install exactly whatever software you want on machines you bought and paid for. Even with all the crap MSWin10 bundles in, there are workarounds that can excise much of that out. That's because, as *YOUR* device, you (or in the case of managed corporate assets, the IT department) automatically have root access available to you, without having to have a Papal Dispensation to do it.

        It's completely unacceptable that cellphone makers can demand exaggerated prices for their crapware, and have the chutzpah to tell you you can't actually manage the systems as you see fit. I'd think a good solution would be to require cellphone manufacturers to provide unlock codes/software for ALL their devices, so we can re-flash them with alternatives like LineageOS. No having to say "mother may I" or groveling to get the codes, but rather available to any and all.

  7. Anonymous Coward
    Anonymous Coward

    The worst part of it all...

    ...is that for some stupid reason Google decided to let manufacturers/carriers make it impossible to uninstall the stuff without rooting the phone. If you're lucky you can at least 'deactivate' it, but it'll still sit there taking up internal storage space. And then they made it so you can't install apps to the SD card either so that's fun to try and deal with.

  8. bungle42

    Oh but you can remove bloatware to a certain degree ...

    It is possible to de-bloat your phone without root access by using one of the simple guides such as the following which uses the ADB Shell command prompt over a USB cable to uninstall packages identified using the Application Inspector App:

    https://www.xda-developers.com/uninstall-carrier-oem-bloatware-without-root-access/

    I have successfully used this method to remove several Android and Samsung Apps that I know I will never have any use for. Just be careful not to remove a critical application like Google Play Services; however, it is possible to re-install these if you decide that you made a mistake.
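    As an added illustration of the ADB method described above (not code from the post or from the linked guide), here is a POSIX shell script that turns `pm list packages` output into `pm uninstall -k --user 0` commands while refusing to touch a protected list that includes Google Play Services and the Play Store; the target patterns and the sample package list are constructed, and `adb` is only needed when the printed commands are actually run against a phone.

```shell
#!/bin/sh
# Added example: plan a no-root, user-0 debloat from 'pm list packages' output.
# Nothing here talks to a phone; it prints the adb commands you would then review and run.

# Packages that must never be removed (well-known ids; extend for your device).
PROTECTED="com.google.android.gms com.android.vending com.android.systemui com.android.phone"

# Prefixes of packages you want gone. Constructed sample: every Google app plus an OEM app.
# Note the broad Google prefix would catch Play Services, which is why PROTECTED exists.
TARGETS="com.google.android. com.example.oem."

is_protected() {
    for p in $PROTECTED; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

matches_target() {
    for t in $TARGETS; do
        case "$1" in
            "$t"*) return 0 ;;
        esac
    done
    return 1
}

# Reads lines of the form 'package:<name>' on stdin (what 'adb shell pm list packages'
# prints) and emits one uninstall command per matching, non-protected package.
# -k keeps the app's data; --user 0 removes it for the primary user only, so the APK
# stays in /system and no storage is reclaimed (the same limitation noted in the thread).
plan_debloat() {
    while IFS= read -r line; do
        pkg=${line#package:}
        [ -z "$pkg" ] && continue
        if matches_target "$pkg"; then
            if is_protected "$pkg"; then
                echo "# skipped protected: $pkg"
            else
                echo "adb shell pm uninstall -k --user 0 $pkg"
            fi
        fi
    done
}

# Undo for a package removed this way: the system copy is still present, so it can be
# re-enabled for user 0 without reinstalling from a store.
restore_cmd() {
    echo "adb shell cmd package install-existing $1"
}

# Constructed sample of a phone's package list (real ids for the Google packages,
# a made-up id for the OEM app).
SAMPLE='package:com.google.android.gms
package:com.google.android.keep
package:com.example.oem.weather
package:com.android.vending'

if [ "${1:-}" = "--plan" ]; then
    printf '%s\n' "$SAMPLE" | plan_debloat
    restore_cmd com.google.android.keep
fi
```

    Run with `--plan` to see the dry-run output for the sample; against a real device, replace `SAMPLE` with `adb shell pm list packages` and only execute the printed lines after reading them.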

    1. FrogsAndChips Silver badge

      Re: Oh but you can remove bloatware to a certain degree ...

      As far as I understand, it doesn't remove the app from the system, just uninstalls it for the user, so you can't reclaim the disk space.

      Still, I might give it a go, since there's no rootkit available for my phone and this could at least free some RAM and prevent some spying.

      1. bungle42

        Re: Oh but you can remove bloatware to a certain degree ...

        Yes I think you are correct in that it removes the package for the current user.

        If you consider that Bloatware is basically three parts: 1) consumption of storage space; 2) crapware/security vulnerabilities running in the background; 3) cluttering up the UI then I believe this solves the last two but not the first.

        I consider it a small price to pay for not having to root and still receive updates.

        1. Doctor Syntax Silver badge

          Re: Oh but you can remove bloatware to a certain degree ...

          4) Any bandwidth consumed talking to its owner.

    2. Anonymous Coward
      Anonymous Coward

      Re: a critical application like Google Play Services

      why critical? I mean, I cut out any (visible and semi-visible) traits of google play services in my old (rooted) phone, and I never saw any problems. But then, I don't use google play store, google maps, google music, google mail, google calendar and all other google (...) which can be substituted with non-google equivalents.

      btw, is google play services indispensable to the regular OS operation? Now I'm asking seriously.

      1. bungle42

        Re: a critical application like Google Play Services

        OK, you can argue whether Google Play Services is truly "critical" or not but my understanding is that it is intertwined with other Apps and Services so I thought it best not to uninstall it. I'm not sure what would happen if you uninstalled it.

        1. ds6 Bronze badge

          Re: a critical application like Google Play Services

          Apps can choose to implement GSF and other Play-related APIs. They are not critical to AOSP functionality. Unless you are using an Android distribution that has a hard dependency on GSF or related functionality, it is entirely safe to remove. Most apps can run without GSF and will display an error message when trying to utilize it instead of crashing.

      2. Gene Cash Silver badge

        Re: a critical application like Google Play Services

        > btw, is google play services indispensable to the regular OS operation? Now I'm asking seriously.

        My Moto G6 Play won't boot if it's disabled.

        Boy, was THAT a nasty surprise.

        1. simpfeld

          Re: a critical application like Google Play Services

          On my new phone (a PocoF1 if that matters) I decided to go cold turkey with LineageOS and not install any Google Apps or Google Play services. Most things are absolutely fine. A few things complain about lack of Google Play Service but continue to work (if you click through the warnings). These include the "National Rail" app, Hive and surprisingly Nest. For mapping I have used HereWeGo which is okay.

          Everything else seems fine. The only completely broken thing for me is RingGo which starts but just blows away. I can use their mobile website for that. I guess it would probably work if I took a microG version of LineageOS but as I'm mostly there I have resisted. (microG being an open source reimplementation of the Google Play Services; not everything is there.)

  9. Anonymous Coward
    Anonymous Coward

    Better to use an umbrella than divert a flood ....

    all we can do - as techies - is eschew the phones with carrier installed crap, and *buy* (not contract) the phone we want and put LineageOS on it as a **** you to the world.

    Works for me.

  10. Anonymous Coward
    Anonymous Coward

    governments and regulatory bodies could step in

    I would LOVE to see legislation FORCING manufacturers and carriers to provide an option to unlock the bootloader (in exchange for immediate and permanent loss of any warranties). But then, this is never going to happen, because of all the bleating about SAFETY! CHILDREN! TERRORISTS! HACKERS! Read: lost revenue! lost revenue! lost revenue!

    That said, no government would introduce such legislation.

  11. Semtex451 Silver badge
    Facepalm

    As I've said before

    The main problem is that the average folk just don't care. Present one and they'll even sign a contract that says so.

    The thought process is 'gimme selfies, gimme Facebook, gimme Instagram, gimme twatta, gimme fame, gimme gimme gimme'.

    The worst part, studies like this make it look mature and sensible to buy an Apple. $$$$

    1. GnuTzu Silver badge
      Unhappy

      Re: As I've said before -- Pain Point

      Yes. And, consumers have been conditioned to be just that.

      The addiction will only end for those that reach a certain pain point--well beyond those little annoyances that send them back to the phone store where they feed their addiction. I've heard that the term used in addiction circles is "rock bottom". Yes, that's how bad it's going to have to get before the market gets clean and sober.

    2. ds6 Bronze badge

      Re: As I've said before

      At least Apple's built-in apps are fairly free of problems, but they most certainly track you just as much as your average Android. App Store apps are no better, either.

      1. fidodogbreath Silver badge

        Re: As I've said before

        At least Apple's built-in apps are fairly free of problems, but they most certainly track you just as much as your average Android.

        Citation?

        1. Anonymous Coward
          Anonymous Coward

          Citation?

          Seriously?

  12. Cuddles Silver badge

    Define "malware"

    "also harvests personal information and in some cases even introduces malware"

    I'm not sure I understand the difference here. Software I did not install, don't want, and never use is harvesting personal information and sending it... somewhere. That's not a potential risk vector that could contain vulnerabilities allowing malware to be installed, it is malware.

  13. adam 40 Bronze badge
    WTF?

    This has been going on for years

    I installed a no-root firewall in my Sony Z1 as soon as I got it maybe 5 years ago.

    One thing that immediately grabbed my attention was that the Sony Keyboard App tries to contact t'internet on a regular basis.

    Of course this is where I type in passwords and the like. WTF!!!???!?

    1. Gene Cash Silver badge

      Re: This has been going on for years

      > Sony Keyboard App

      By the same company that had no problem with installing rootkits on people's PCs... Are you really surprised?

  14. anonymous boring coward Silver badge

    LG has tried to update its bloat/spyware and enable it in the process. I won't allow it to update - even though LG pretends it's important security stuff. (As if.)

    Phone manufacturers don't care about security a few years down the line. They do care about spying on you, however. I prefer Apple, but they are just too expensive.

  15. Dr.Flay

    2 easy (and free) no-ROOT options for removing bloatware

    Both these will need a PC with the android drivers installed, and ADB access enabled in the phone.

    You can avoid messing with CLI and downloading the ADB binaries as both come with the required files (feel free to update with newer versions).

    The easiest to use for everyone is APK Installer.

    http://apkinstaller.com/features

    And for total control or for the more nerdy, a TotalCommander / GhostCommander ADB plugin

    http://uniqtec.eu/applications/android-adb.html

    Happy de-bloat day \o/

  16. jelabarre59 Silver badge

    chuckle, chortle, and other such amusements

    "Google might be a prime candidate for it given its capacity for licensing vendors and its certification programs," the researchers note.

    Man, I'd like to know what they were smoking/snorting when they came up with *THAT* observation...

    Kind of like the proverbial fox guarding the proverbial henhouse...

  17. jelabarre59 Silver badge

    Moto

    I could see at least ONE vendor-specific app I'd want back.

    On the older Motorola phones (like the Droid Razr HD) the phone was able to handle voice recognition for dialing from a BT headset completely on its own, no special user accounts or mobile data needed. NOW in the current models (like the Moto e5) they decided to dump that perfectly functional stand-alone app in exchange for "Google ASSistant", which requires you to set it up in full-on Hack-Me/Spy-On-Me/Screw-The-User Mode.

    Granted, in a properly designed, completely open infrastructure, you'd be able to install the stand-alone app on your own anyway.

  18. jiml8

    Techies live in their own world

    I fully agree with all the comments about controlling your device. That option should be available to those who can take advantage of it.

    And that option IS available...though you have to do some work to get there. Personally, I run a rooted device with LOS 16 on it. No bloatware, full control.

    But most people can't do that. The subject is complicated, ever-changing, and requires a great deal of attention to keep up with it. Also, while the only way to fully secure an Android is to first root it, once you do that it ceases to be an appliance and becomes a device that you have to manage...and you can easily brick it. This is too much for most people.

    The solution - if there is one - is to change the marketing model in a fashion that discourages these abuses. The EU privacy laws are a decent start in that direction, though there needs to be some heavy fines for non-compliant companies.

    And as for whether Google Play Services is needed on an android to retain functionality...

    The phone will run just fine without any of the google stuff on it. But Uber will not work unless Google Maps is present. And Signal, of all things, won't work without a fully enabled google play services. I was forced to add google stuff to my phone if I wanted to use these apps. I make heavy use of Signal, and from time to time calling an Uber is very convenient. So... Shrug.


Biting the hand that feeds IT © 1998–2019