In the early days of Android, co-founder Andy Rubin set the stage for the fledgling mobile operating system. Android’s mission was to create smarter mobile devices, ones that were more aware of their owner’s behavior and location.“If people are smart,” Rubin told Business Week in 2003, “that information starts getting aggregated into consumer products.” A decade and a half later, that goal has become a reality: Android-powered gadgets are in the hands of billions and are loaded with software shipped by Google, the world’s largest ad broker.

WIRED OPINION ABOUT Sean O’Brien and Michael Kwet are visiting fellows at Privacy Lab (@YalePrivacyLab), an initiative of the Information Society Project at Yale Law School. Contact them securely.

Our work at Yale Privacy Lab, made possible by Exodus Privacy’s app scanning software, revealed a huge problem with the Android app ecosystem. Google Play is filled with hidden trackers that siphon a smörgåsbord of data from all sensors, in all directions, unknown to the Android user.

As the profiles we've published about trackers reveal, apps in the Google Play store share a wide variety of data with advertisers, in creative and nuanced ways. These methods can be as invasive as ultrasonic tracking via TV speakers and microphones. Piles of information are being harvested via labyrinthine channels, with a heavy focus on retail marketing. This was the plan all along, wasn’t it? The smart mobile devices that comprise the Android ecosystem are designed to spy on users.

One week after our work was published and the Exodus scanner was announced, Google said it would expand its Unwanted Software Policy and implement click-through warnings in Android.

But this move does nothing to fix fundamental flaws in Google Play. A polluted ocean of apps is plaguing Android, an operating system built upon Free and Open-Source Software (FOSS) but now barely resembling those venerable roots. Today, the average Android device is not only susceptible to malware and trackers, it’s also heavily locked down and loaded with proprietary components—characteristics that are hardly the calling cards of the FOSS movement.

Though Android bears the moniker of open-source, the chain of trust between developers, distributors, and end-users is broken.

Google’s defective privacy and security controls have been made painfully real by a recent investigation into location tracking, massive outbreaks of malware, unwanted cryptomining, and our work on hidden trackers.

The Promise of Open-Source, Unfulfilled

It didn’t have to be this way. When Android was declared Google’s answer to the iPhone, there was palpable excitement across the Internet. Android was ostensibly based on GNU/Linux, the culmination of decades of hacker ingenuity meant to replace proprietary, locked-down software. Hackers worldwide hoped that Android would be a FOSS champion in the mobile arena. FOSS is the gold-standard for security, building that reputation over the decades because of its fundamental transparency.

As Android builds rolled out, however, it became clear that Rubin’s baby contained very little GNU, a vital anchor that keeps GNU/Linux operating systems transparent via a licensing strategy called copyleft, which requires modifications to be made available to end-users and prohibits proprietary derivatives. Such proprietary components can contain all kinds of nasty “features” that tread upon user privacy.

As a 2016 Ars Technica story made clear, there were directives inside Google to avoid copyleft code—except for the Linux kernel, which the company could not do without. Google preferred to bootstrap so-called permissively licensed code on top of Linux instead. Such code may be locked down and doesn’t require developers to disclose their modifications—or any of the source code for that matter.

Google’s choice to limit copyleft’s presence in Android, its disdain for reciprocal licenses, and its begrudging use of copyleft only when it “made sense to do so” are just symptoms of a deeper problem. In an environment without sufficient transparency, malware and trackers can thrive.

Android’s privacy and security woes are amplified by cellphone companies and hardware vendors, which bolt on dodgy Android apps and hardware drivers. Sure, most of Android is still open-source, but the door is wide open to all manners of software trickery you won’t find in an operating system like Debian GNU/Linux, which goes to great length to audit its software packages and protect user security.