Pre-installed apps collect a wide range of information and send it to remote servers with little oversight or control, finds independent research
Software pre-installed on Android devices captures a wide range of data on users with little oversight on how that data is used, a new study has found.
The study by the Carlos III University in Madrid, along with IMDEA Networks and the International Computer Science Institute at the University of California, Berkeley, is one of the first to focus on applications that come pre-installed on users’ devices, meaning they are outside the controls built into Google’s Play Store.
Users also have little or no control over them, being generally unable to remove them or alter their settings.
While the study did not discover any single point of data insecurity, researchers said its findings bring to light the extent of preinstalled apps’ reach, their lack of transparency and the way they stand outside the systems that regulate other Android software.
“The world of Android is like the jungle or like the Wild West, particularly in countries with little regulation for the protection of personal data,” co-author Juan Tapiador, a professor at Carlos III University in Madrid, told El Pais.
Narseo Vallina-Rodríguez of IMDEA Networks added that there is “no supervision” of the Android software imported and sold in the European Union, and little scrutiny of hardware.
Tapiador said that 91 percent of the pre-installed apps studied were not found on Google Play, meaning they were not subject to the same scrutiny by Google.
Using a custom firmware scanner, researchers found that some of the apps would contact servers belonging to the manufacturer or its affiliates, in some cases passing data along to those servers.
“At times, this information is massive and includes the technical characteristics of the phone, unique identifiers, location, contacts, messages and emails,” Tapiador said.
“All this is picked up by a server, which decides what to do with this. According to the country the device is in, the server could decide to install one app or another, or send the user certain ads over others.”
Another concern was the use of permissions that allow pre-installed apps to exchange data with apps the user adds to the device.
That communication could mean, for instance, that an app the user installs, and which is granted minimal permissions, may gather more far-reaching information from preinstalled apps, including location data, without the user’s knowledge, researchers said.
They also found that in many cases it’s difficult to determine who developed a particular pre-installed app, with some appearing to supply false identification information.
“Working out who the authors are has been an almost manual task, looking at who has signed each one and if it has any kind of chain that can be linked to a library or known manufacturer,” Vallina said.
He said it would be difficult to exercise regulatory control over all the possible versions of Android, due to the fact that it is widely customised.
“It would require a very expensive and extensive analysis,” Vallina said.
Google said it provides manufacturers with “clear policies” on privacy and security standards for pre-installed apps, along with tools to ensure that software meets those policies.
“We also… regularly give them information about potentially dangerous pre-loads we’ve identified,” Google said in a statement.
The study, which analysed 1,742 handsets from 214 manufacturers in 130 countries, is to be presented in May at the 2019 IEEE Symposium on Security and Privacy in San Francisco.