Study Of Pre-Installed Android Software Finds Privacy ‘Wild West’

Software pre-installed on Android devices captures a wide range of data on users with little oversight on how that data is used, a new study has found.

The study by the Carlos III University in Madrid, along with IMDEA Networks and the International Computer Science Institute at the University of California, Berkeley, is one of the first to focus on applications that come pre-installed on users’ devices, meaning they are outside the controls built into Google’s Play Store.

Users also have little or no control over them, being generally unable to remove them or alter their settings.

While the study did not identify any single point of data insecurity, researchers said the findings bring to light the extent of pre-installed apps’ reach, their lack of transparency and the way they stand outside the systems that regulate other Android software.

‘Wild West’

“The world of Android is like the jungle or like the Wild West, particularly in countries with little regulation for the protection of personal data,” co-author Juan Tapiador, a professor at Carlos III University in Madrid, told El Pais.

Narseo Vallina-Rodríguez of IMDEA Networks added that there is “no supervision” of the Android software imported and sold in the European Union, and little scrutiny of hardware.

Tapiador said that 91 percent of the pre-installed apps studied were not found on Google Play, meaning they were not subject to the same scrutiny by Google.

Using a custom firmware scanner, researchers found that some of the apps would contact servers belonging to the manufacturer or its affiliates, in some cases passing data along to those servers.

“At times, this information is massive and includes the technical characteristics of the phone, unique identifiers, location, contacts, messages and emails,” Tapiador said.

“All this is picked up by a server, which decides what to do with this. According to the country the device is in, the server could decide to install one app or another, or send the user certain ads over others.”

Data exchange

Another concern was the use of permissions that allow pre-installed apps to exchange data with apps the user adds to the device.

That communication could mean, for instance, that an app the user installs, and which is granted minimal permissions, may gather more far-reaching information from preinstalled apps, including location data, without the user’s knowledge, researchers said.

They also found that in many cases it’s difficult to determine who developed a particular pre-installed app, with some appearing to supply false identification information.

“Working out who the authors are has been an almost manual task, looking at who has signed each one and if it has any kind of chain that can be linked to a library or known manufacturer,” Vallina said.

He said it would be difficult to exercise regulatory control over all the possible versions of Android, due to the fact that it is widely customised.

“It would require a very expensive and extensive analysis,” Vallina said.

Google said it provides manufacturers with “clear policies” on privacy and security standards for pre-installed apps, along with tools to ensure that software meets those policies.

“We also… regularly give them information about potentially dangerous pre-loads we’ve identified,” Google said in a statement.

The study, which analysed 1,742 handsets from 214 manufacturers in 130 countries, is to be presented in May at the 2019 IEEE Symposium on Security and Privacy in San Francisco.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
