Cheap phones, how can they be so cheap?

Over the past few years, smart phones have become incredibly inexpensive. So inexpensive, that more than half the world’s population is now online, powered by new smartphones for as little as 15 USD. Modern smartphones are often sold as a loss-leader. In fact, a significant number of phone manufacturers aren’t making a profit on their handsets. Handsets are partially subsidised by the products and services that come with pre-installed apps – as well as the data that these harvest and share. One of the biggest costs incurred by a manufacturer is long-term support, such as patching. That’s why most low-cost devices have limited warranties and rarely receive system updates. Telecommunication companies also subsidise smartphones, particularly those sold on pay-monthly contracts. They will bundle their own apps and services.

What are preinstalled apps (aka bloatware) and why are they on my phone?

When you first unbox your new phone and turn it on, it might come as a surprise to see that there are already a number of apps preinstalled on the device beyond what's part of Android. Such apps may include the manufacturer’s own app store, utilities and even games or social media apps that you've no intention of ever using. Since iPhones are sold at a higher price point, cheap phones usually run on the Android Operating System (OS). The openness of the Android source code makes it possible for any manufacturer to ship a custom version of the OS along with proprietary pre-installed apps. Pre-installed apps get added by a range of actors. Chipset makers (such as Mediatek, Qualcomm) add apps that are generally hidden to the user as they provide API’s for other components in the phone. Manufacturers add apps that contribute to the "unique" selling point of the device, such as health apps, camera/video apps or audio Services. Some apps are also bundled with system updates delivered over the air, piggybacking on a phone manufacture’s Android system update. Finally, the telecommunications provider or the vendor may include their own apps, such as Video on Demand services, their own browsers or tools to check account information.

Why do some pre-installed apps come with privacy and security risks?

While some apps may be useful to users, some pre-installed apps on your phone are used to offset the cost of the phone itself. Harmful pre-installed apps harvest and share data from the device, commit click fraud, or come with security vulnerabilities. Earlier this year, the first large-scale study of pre-installed software on Android devices from more than 200 vendors found harmful behaviours and backdoored access to sensitive data and services without user consent or awareness. One of the fundamental problems of pre-installed apps is that they can exist outside of standardised update processes. In other words: they don’t receive updates, even when vulnerabilities are discovered, which means that the apps could be compromised. Such compromise may be worse for pre-installed apps than it is for the apps you choose to install yourself. This is because pre-installed apps often make use of "custom-permissions" that allow app developers to define activities on a device outside the scope of the standard permissions suite that Android uses now have. For example, when you install an app, you are usually asked, whether you want the app to have access to your camera, microphone etc. But for pre-installed apps, a developer could specify a custom permission to access the camera, and then use the camera without the permission of the user. Some pre-installed apps use exploits to root devices. Sometimes, it's not possible to delete them. Other malicious behaviour of pre-installed apps includes built-in malware, data exploitation or ad- and click-fraud. Bloatware can also make it impossible to install important security patches if it takes up too much memory and then can't be deleted.

Who is at fault?

It’s the developers of pre-installed apps that make design-decisions that undermine the security and privacy of your devices. That said, manufacturers of cheap phones often seem to be using access to user data as a way to subsidise the phone. In other words: you are paying with your data. Some manufacturers are also being deceived by malicious app developers. As Google's Android Security 2018 Year in Review remarks: "developers of pre-installed PHAs [Potentially Harmful Apps] only need to deceive the device manufacturer or another company in the supply chain instead of large numbers of users, so it’s easier to achieve large-scale distribution." There’s also a broader issue here. Academic research on pre-installed apps has concluded that “the supply chain around Android’s open source model lacks transparency” and that this “has facilitated potentially harmful behaviours and backdoored access to sensitive data and services without user consent or awareness”. We think that Google could do more to address the privacy and security concerns with pre-installed apps, for instance by banning pre-installed apps that can’t be deleted, by increasing transparency around the Android certification process and by better enforcing their own rules.

What’s the difference between Android (Open Source) and Google's Android?

Android is a mobile operating system developed by Google. Google designs, develops and markets its own Android smartphones, such as the Pixel. The source code for Android is open-source and since Google publishes most of the code under the non-copyleft Apache License version 2.0., anybody can modify and redistribute the code. The license does not grant rights to the "Android" trademark, so device manufacturers and wireless carriers have to license it from Google under individual contracts. Android is also associated with a suite of proprietary software developed by Google, called Google Mobile Services that very frequently comes pre-installed in devices, which usually includes the Google Chrome web browser and Google Search and always includes core apps for services such as Gmail, Google Play Store, and Google Play Services. This is where is gets complicated. Google licenses their Google Mobile Services software, along with Android trademarks, only to hardware manufacturers for devices that meet Google's compatibility standards specified in the Android Compatibility Program document. The Android team at Google certifies these devices to ensure they are secure and ready to run apps from Google and the Play Store. These devices are called Play Protect Certified Android devices and come with a Google Play Protect logo.

Why does Google allow harmful apps to be pre-installed, even on Play Protect Certified Android devices?

Google is aware of the problem and has dedicated a significant share of its “Android Security and Privacy Year in Review 2018” report on the issue of Potentially Harmful Applications. Since March 2018 Google has begun to block "uncertified" Android devices from using Google Mobile Services software, and now also displays a warning indicating that "the device manufacturer has preloaded Google apps and services without certification from Google". In their 2018 security report, Google declare: “We expanded the program in 2018 and now every new Android-certified device goes through the same app scanning process as apps on Google Play. Additionally, our security scanner looks for other common security and privacy issues and denies device certification until device manufacturers fix these problems.” While there is certainly awareness, and while there seem to be improvements, our case studies of Android certified phones suggest that certification process does not seem to be working as well as it should. In fact, it seems that people who want to buy a secure new phone that doesn’t violate their privacy, can’t rely on the Play Protect logo. Google could do more to address the privacy and security concerns with pre-installed apps, for instance by banning pre-installed apps that can’t be deleted, by increasing transparency around the Android certification process and by better enforcing their own rules.

I have an iPhone, does this mean my privacy is protected?