Privacy activists beg Google to ban un-removable bloatware from Android For much of Android's existence, Google has adopted a relatively hands-off approach that lets manufacturers ship units with pre-installed bloatware which, in many cases, cannot be easily removed. This has infuriated users and privacy advocates alike, leading 50 of the latter to pen a blistering open letter to Google and Alphabet …
Then on top of that, how would Google enforce it--if it actually did care? Manufacturers may well pull the same kind of sleezy data-slurping hackery that got us stuck with super cookies. If they're willing to hack a way for them to get around our tools to not get tracked, then they'll surely find similar sleeze code for bundled apps. {insert-my-usual-rant: we-consumers-need-our-own-DMCA-protection-from-corporations}
This was always an option with Windows when you bought a bloated version from Dell or HP. Unfortunately Googles model for killing MS was to develop fast (and badly) and allow the OEMs to customise and control the OS. That won them the war. Unfortunately they did not have a planned exit strategy so are no having to re-engineer Android to be a proper sustainable and updateable OS.
At some point a downloadable and flashable vanilla OS may be a possibility but i would guess were are 2-3 years away from that. In the mean time contracts would need to run out....
"2-3 years away from that"
It exists now - that's what the base AOSP code is all about.
Google add their proprietary code to form "proper" Android (as people understand it) - the handset manufacturers add their stuff on top.
Go search the XDA board for your device - I'll wager there are plenty of AOSP-based OS variants available... the fact that (more often than not) the handset manufacturer makes it difficult (or impossible) to remove the bloat isn't Google's fault - they're just the obvious target (not that I'm saying they are entirely innocent by the way)
Case in point - my Moto G5 Plus: Motorola were savvy enough to a) use a fairly unencumbered version of the 7.0 Nougat base (the odd bit of bloat aside admittedly) so there's very little to remove as per the article, and b) make it easy to unlock the handset so that newer versions of Android can be flashed (it's currently running a version of Android 10 with the January 2020 security patches, built a few days ago - and with a bunch of Google apps installed because I chose to do so...)
you can't just download a generic OS and install it like you can with Windows or "proper" Linux you have to either build your own and install the google stuff from some random website or hunt through forums for a random users who have posted one they built and then add the apps from somewhere else.
If you didn't build it yourself how well do you know the person who built it for you?
Even if you're running Android 10 with the Jan 2020 security patches, are you sure the rom creator is backporting all the kernel patches to whatever version that phone needs for all the drivers to work?
What I think Lorribot is referring to with "2-3 years away" is Google's efforts to get Android working with vanilla kernels so in theory a single rom would work on every device. If this every happens it'll be brilliant but I'm not holding my breath.
"Even if you're running Android 10 with the Jan 2020 security patches, are you sure the rom creator is backporting all the kernel patches to whatever version that phone needs for all the drivers to work?"
I can't help your trust issues - I could build the ROM I'm running myself if I chose to, but even then you'd probably want to know if I've audited every line of code thoroughly.
"What I think Lorribot is referring to with "2-3 years away" is Google's efforts to get Android working with vanilla kernels so in theory a single rom would work on every device. If this every happens it'll be brilliant but I'm not holding my breath."
Vanilla kernel? It's Linux under there, how "vanilla" do you want? Oh... I can replace the kernel separately also, by the way, as per any Linux-based OS.
The "one ROM fits all" solution also exists ... it's called Project Treble (admittedly a bit flaky on devices that weren't designed with it in mind, but since when did a generic solution work better than a bespoke one?)
You misunderstand the trust issue. If you build it yourself, we would trust it. If you got it from someone reputable, from Google to the Lineage OS people to someone who has earned our trust in building images, we'd trust it. If the image comes from a user on a webforum, that's a much less trustworthy origin because you don't know what that user built or whether anything else was done to it. The discussion was about ease in building and flashing. It's not a simple task to build Android to run on something, nor is it simple to figure out how to flash it unless the bootloader is very accommodating. Technically aware people such as the ones who read and comment here can do it, probably, but it would take much longer than downloading a Linux image and putting it on a disk. People who are less technical would not find it straightforward at all.
"If you didn't build it yourself how well do you know the person who built it for you?"
At some point, you have to trust someone - be that the team behind Arrow (my current 10-based ROM), though Cyanogenmod / Lineage in the early days, all the way to Google for the AOSP source in the first place... none of which I know personally, but trust to create something suitable for my needs. (I wasn't suggesting installing any random junk, by the way)
"It's not a simple task to build Android to run on something, nor is it simple to figure out how to flash it unless the bootloader is very accommodating."
Agreed on the build process...
...the flashing process, however, is not as arcane as once it was given that there are PC-based tools that will (bootloader permitting) automate the tasks required, reducing it to the few button clicks needed to download a suitable file, reboot the handset into the proper state, and then flash the new/updated ROM ... from memory this is exactly what the Kies Manager did for Samsung handsets back in the day (but it's been a while since I last owned one) - or iTunes for iOS devices.
The Project Treble initiative should make the process simpler still (or that's the impression I get from https://developer.android.com/topic/generic-system-image/ ) given a suitable (modern) handset. Whether it'll exist in the long term is one for the bespoke/generic debate I guess.
To what end? If a manufacturer shipped a phone with no Google apps on it, very few people would actually buy it...just people like us.
Furthermore, those "Googless" phones would like be landfill tat, not flagship devices.
I think the best course of action is for Google to withdraw all support and updates for phones with locked bootloaders and/or a "warranty fuse".
The main issue is that people cannot run whatever version of Android they like, rather than the bloatware.
It isn't just Google apps though, is it? Buy a Moto phone and get Motorola apps and ditto for other manufacturers. Though the Google apps can be a pain. My phone used to slow to ultra glacial when browsing. I realised whenever a page with any sort of even possible video was loaded the phone invoked the YouTube app and would not stop. So I was forced to disable it but am unable to remove this large app from my phone.
Google doesn't actually care: it uses licence agreements to enforce GMS. If Samsung has a deal with Facebook to install its shit on phones, then Google can do nothing about this.
But Google isn't the right person to talk to about this. This can, and should, be handled by consumer protection legislation. Unfortunately, in the US at least, this usually means post facto injury suits targetting limited liability, because consumer protection exists in name only, because everyone hates regulations, right?
'It also states that pre-installed apps should undergo the same scrutiny as standard Google Play store apps, with users able to control the permissions the software is allowed.'
The same scrutiny is not enough. I also want more fine grained controlled or every Google service that comes pre installed as well. Eg. WiFi scanning (such as WiFi analyzer etc) requires location access since v6? Why?
On a different note, where has the top bar above the Reg logo gone on mobile? Fully patched Android Firefox user. Very strange but is making me less likely to post / seem to have lost my gold Badger :(
On a different note ~ I'm not crazy, thanks for verifying subtle changes have been taking place here on El Reg. Not only mobile, there is something missing at the top of Opera on macOS, just checked FF and Safari are missing something too....
Back to the story, google didn't make money taking apps off of phones.... they aren't about to start.
I emailed the webmaster about this very subject, as I thought I was losing my marbles.
They replied (very promptly) to say that they have removed the top links to a few days ago to release a little more "above-the-fold" space. You will be prompted to log when you need it, eg to post on a forum or download a whitepaper.
As a very long-time reader of the Reg, I find this fundamental change to the layout rather disturbing; I am still processing it ,and hope to come to terms with it over the next few days and weeks.
How would google ban them? The manufacturers take the stock OS then adapt it to their phones. Should it not be the manufacturers they should be going after? Sure google could make changes with regards to permissions and such like but the manufacturers could just bypass or remove it anyway unless it was locked down in such a way that the phone wouldn't work with google play if it's modified. Also the cost and time involved to google isn't worth it to them as they gain nothing.
If they cared, the Google-enforced solution looks like this:
1. If you manufacture a device with extra software that can't be uninstalled, you can't be part of our Play Services community on any newly manufactured devices until you update your older devices. If you manufacture devices without Google Play, you must make these modifications on them if you ever intend to run Play Services on them.
2. We have modified the Android kernel not to allow an app to bypass certain permissions, and if you modify the kernel back we will flag your installed apps as malicious through Play Protect.
But none of that is going to happen. Google has no incentive to want this, no reason to spend any time on this, and no interest in taking any user-oriented actions such as this. If they did, their own apps would look very different, and they would have a better system for making sure people got security updates at the very least.
Actually, Google does have an interest in hindering phone makers preinstalling crap: The crap is generally competing with Google apps.
Phone makers would probably complain to regulators that Google is abusing of its monopoly on Google Play Services to shut down the competition; and the EU would almost certainly agree with them.
No, the problem is that if Google allow to remove *any* app, then even Google apps could be removed. And because the data gathered by Google services is what make Google rich, that's obviously what they have to ensure keeps humming along.
From the EU point of view, you can't give your apps more privileges than others.
It would be anticompetitive to deny them the ability to preinstall their apps. However, I did not suggest that. I suggested that the preinstalled apps would have to be uninstallable and would be subject to the same permission restrictions as any other apps. Google doesn't want to do that for a few reasons. First, they don't want any of that to apply to their own apps, and if they restricted manufacturers but not themselves, that would indeed be anticompetitive. Second, they get paid by the manufacturers, and they wouldn't want to anger any of them. Third, they know that not many people are using the manufacturer-provided apps when the Google apps are also preinstalled, so they get the data anyway.
How would google ban them? The manufacturers take the stock OS then adapt it to their phones.
While the "Android" O/S is open source, Android™ is exactly that, a registered trademark of Google (or maybe Alphabet) Inc. To use the Android™ with a phone, the manufacturer has to obtain and sign a license agreement with Google. Part of this license agreement is publicly known to include a requirement for the Google apps - Google Play Store, Google Maps, Google Mail, etc. - to be included on the device. If those apps aren't included, it would be a breach of trademark law for the manufacturer to advertise the phone (or in any other way claim) as an Android™ device - even if it is a derivative of Android, such as a bog standard or forked AOSP.
Therefore Google could, but as @Cronus posted would not be in Google's interest to do so, put such requested requirements into that licensing agreement to use the Android™ trademark. In which case the manufacturers would either have to comply, or stop calling their devices Android™ devices.
The manufacturers have to license the Android name and they have to license the Google Play Store and the associated apps and the Google "layer" on top of stock Android that provides most of the services.
They are in a good position to put pressure on the manufacturers. "No factory installed malware/crapware or we will revoke your license and block your devices from Google services for breach of contract."
Banning apps will not work as that could be blatantly misused by the dark side of the chocolate factory.
Simply insist that the OS supplied is a vanilla OS and only at primary user initialisation should it download all the 'required', verified apps from the Google Store. That would put all the devices default apps under the scrutiny of Google (for better or worse), they would be updatable via the store and all that is required on top of the vanilla os is a custom initialisation script to pull 'default' apps ... Post initialisation the device can be as bloaty as the maker wants but the device will still conform to some security/privacy standard (if that's what Google calls it).
there are two ways it's going
1) they respond by saying "Security & privacy of google android ecosystem users is our utmost/topmost/highestmostestmost concern therefore and we are ALWAYS grateful to receive meaningful input concerning the above (yada yada if the reply bot's well ahead of its lunch-breah, otherwise, THE END
2) nothing
but then, what other reply would you receive from, say, the taxman, if you ask them why taxes are so high, and why you have to pay them in the first place?! Pay up, little man, or go find another miserable island. Cyprus, anybody? :/
I expect Google's own software gathers as much user data as the built-in bloatware / malware apps, hence they avoid being hypocrites.
Removing them requires rooting, which invalidates device support. Really users should have root access to their own device OOTB, using a separate password / PIN, or by plugging a physical key in the USB port.
Plain vanilla OS installed by default, as a licensing requirement and just offer all those wonderful (if you say so) apps from the VodaThreeEEVermin or whatever dedicated app store. After all, that stuff is so wonderful it that which makes people choose Voda over O2 etc, ain't it?
They might needs a huge server to cope with the demand..They might do. Personally I think a broken XP with no power supply and a 1200 baud modem would be enough.
(Wasn't there another article about this?) I'll reiterate: Google does not control the code that phone makers put on their phone, they all fork base Android. And threatening to shut phone makers out of the Google Play Services is an abuse of monopoly, and Google has been fined €4 billions by the EU last year for using that trick.
Regulators did not accept Google using its leverage to promote its apps, and they would certainly not accept Google using the exact same leverage to hinder phone makers from promoting their own apps. It would be a classic case of shutting out the competition in favor of Google apps.
Google does not control the code that phone makers put on their phone, they all fork base Android
My understanding is that this is not the case. I'm open to being corrected, but my impression is that most phones have the standard Android on them, but that the OS has the faciltiy for the images that get flashed onto a phone's protected OS memory to contain "pre-installed" apps that don't behave in the same way as apps isntalled in the phone's main user memory. To me, the solution here is for Google to remove the ability for such apps to be installed this way, and make the manufacturers put these in the normal 'user-space' on the phone, where they can be removed / updated.
I don't know how this would play with the more low-level things (like HTC's 'sense' UI). Maybe Google could take the apporach that such things on the protected storage need to meet strict criteria and be approved by google before they license the right to use the Android™ name / app store.
Sorry, but expensive phones have tons of shovelware and spyware. How many phones let you disable the classic "weather app" GPS tracker? There's also Hiya, suspicious VPN and speed boosters, contextually aware personal assistants, fitness trackers, social media invitations, wallpapers customized for your location, etc. This is all on a high-end Samsung.
True that Samsungs come with their own bloatware that your average user can't remove/disable. I have had no problems rooting all my Samsung handsets and have removed the excess baggage. Pretty much the main reason I still buy Samsung as other manufacturers make it difficult/impossible to root their android phones.
P.S. I have also tried many custom roms as a result - there was always some issues/quirks that would inevitably lead me to revert back to the stock rom.
I wonder how many of the 'protected' apps can be removed / replaced by putting the phone into 'developer mode', enabling debug and using ADB from a PC, over a USB cable? There are some fairly powerful things you can do with that if you know what you're doing (and if you can find the documentation).
> if you know what you're doing (and if you can find the documentation)
That's the problem, precisely. Unless you are already a phone programmer (most people aren't), chances are it is way beyond your reach (or at least too time-consuming to be worth your while).
I wonder at all those who come to brag about having solved the problem simply by recompiling their phone OS during their daily commute. Is that somehow supposed to be helpful? Or is it just about showing their disdain for the great unwashed?
Exactly, hence my slightly snarky parenthesised "if you can find the documentation".
As someone who could reasonably be considered to be a well experienced developer, with fairly broad knowledge, I recently had to spend several hours working out how to re-flash a stock ROM onto a certain manufacturer's Android phone becuase they ah dsomehow corrupted the factory install in such a way that prevented an OTA update of Android to the latest version.
Getting to grips with this included such joys as installing Android Studio, working out where adb is installled, fighting my antivirus, which for some reason likes to quarantine adb.exe when it's run, working out that not only do you have to put the android phone into 'developer mode' (the secret tap-10-times hidden menu), but also enable USB debugging in order to successfully connect, before finding the exact right build of the installer for the phone's ROM and hoping it will install...
None of which is well documented, or documented in one place (or at least any place that's easy to find). Microsoft, by comparison, are saintly when it comes to their documentation, and their documentation is crap...
Any non-technical user (or merely moderately technical one) would have given up. It's only through sheer bloody-mindedness that I didn't...
And as we know, to root any phone running Android 5.0 or above, you click settings, scroll to the bottom, click "Root this device", and agree to the prompt. You might have to enter your passcode as well, and the process should take ten minutes or less, ending in a reboot. Oh, wait a minute. I drifted off and was dreaming. What were we talking about again?
It's not just cheap handsets - Samsung do it as well. And they don't seem to be very good at writing software. Their push service does nothing that I want yet consumes about 2% of my battery unless I remember to disable background data and the service itself. The latter option became more difficult with the last update so I get the impression that Samsung aren't happy with users trying to switch of its bloatware.
From what I've read Google are keen on Android One being taken up - a clean base install with minimal bloat - just the one utility app on my Nokia - and it makes it easier for Google to roll out updates. Only a few Motorola and the Nokai range on it I think - but of course still Google's own bloat on there.
"From what I've read Google are keen on Android One being taken up"
Yes, this will be the new Android model. OEMs managed updates (and bloatware) have already proved to be a complete failure, therefore, Google will take back control.
This doesn't necessarily mean the end of bloatware (Google will have its own) but there will be a lot less, only enough to spy on you :)
In the world of Android -- a fully customizable and open-source mobile platform -- there really isn't such a thing as apps that cannot be removed. The majority of Android devices can easily be rooted, nodded and fully customized to the user's prerogative. This includes the unfettered ability to remove any unwanted system apps which are not wanted by the user for whatever reason (e.g. bloatware, preloaded carrier apps, etc.). This is the very essence of owning an Android powered device -- the inherent ability to alter, customize and mod your device to your particular wants, needs and personal preferences.
Just because some phones can be rooted or install a custom ROM, that doesn't mean it applies to all, or a "majority". It just doesn't, plain and simple. Many of the devices on the market are locked down to prevent you from doing that. Even those that can be rooted make it clear to you that you aren't supposed to be poking around there, marking the device as insecure which can make some apps decide not to work.
Compared to every desktop operating system in common use, this is crazy. No matter whose Windows machine you buy, you have the right to be an administrator. You have the ability to boot to an external disk. The same applies to Macs, Linux machines, BSD machines, and pretty much everything except some Chromebooks. And yet, people wishing to root their Android device usually check for that before they buy it because they know most out there won't make it easy if they let it happen at all.
As a security professional I choose NOT to use Android for a few reasons,
1) Running Virus Total app on the device and checking system apps and user apps, you can normally see one or two system apps proporting to be Trojans - run it yourself and see 'orange' robots and the description of potential threat.
2) Running Grey Shirts NoRootFirewall shows how noisy Google is and allows you to shut off the access to the internet for certain noisy apps - how can Google justify the second by second 'polling' of connections, each click of the OS, each panel you go into when using the system - run it yourselves and see.
TBH IOS probably just hide all this stuff from the users view - so cannot comment on that, but IOS doesn't have a virus killer app as far as I know that has privilege to scan ISO apps and your hardware for nasties, but at least supposedly ISO has more safeguards so each app has it's own tight security - but nobody would be any of the wiser since nothing like virus total or a virus scanner (to scan internal apps) runs on ISO. *IOS talking about Phones and IPADS here
I would pay good money for a app that detects and removes this kind of crap. This crap also comes just about every phone you have to buy when you sign up for a new account with a wireless carrier, it is not just low end phones.
The best I can do now is supposedly de-activate these apps.
The gangsters get it, use a burner if you don't want constant surveillance.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
