Android preinstalls – a ticking timebomb

February 17th, 2016 by

So, I got a push notification on my phone today from “Peel Smart Remote”. Never heard of it. This turns out to be one of those applications for people who really need to use their phone as a TV remote; a bit pointless, but hey, I’m sure someone thinks it’s a great idea.

I don’t own a TV, so unsurprisingly, I’m not one of those people. The app turned out to be pre-installed on my phone (originally under a different name), and is undeleteable – but I can “disable” it and delete any data it had recorded. (Data they should, of course, not have, but trying to tell American startups about privacy is like trying to explain delayed gratification to a piranha, so let’s not even go there.)

I then went through my phone’s app list looking for the other junk like this. Four, all with pre-approved push applications, all of which now disabled. (I’m leaving aside the pre-installed ones which I might actually want to use…)

But when I removed them, I happened to scroll down and look at permissions. The Peel app, which has been running quietly in the background for about two years, has had an astonishing range of permissions.

* read contact data (giving the ability to know personal details of anyone stored as a contact – along with metadata about when and how I contact them)
* create calendar events and email guests without my awareness
* read and write anything stored on the SD card
* full internet access

Let’s not even ask why a TV remote would need the ability to find out who all my contacts are.

The others were not much better. Blurb (a small print-on-demand publishing firm) could read my data and find out who was calling me. Flipboard (a social-media aggregator) could read my data. And “ChatON“, which seems to be some kind of now-defunct messaging service run by Samsung; its app could call people, record audio, take pictures, find my location, read all my data (and my contact data), create accounts, shut down other applications, force the phone to remain active – basically every permission in the book. Again, that’s been burbling away for two years. Always on, starting on launch, and… what?.

Now, I’ll be fair here – it’s unlikely that a startup like Peel has a business plan that involves “gather a load of personal data and sell it”. But how could I know for sure? It’s hardly an unknown approach out there. And on reflection, maybe it’s not their business plan we need to worry about.

Let’s imagine a startup made something like ChatON. They get widespread ‘adoption’ (by paying for preinstalls), but ultimately it doesn’t take off. They fail – as ChatON did – but without the ability of a large corporation to write it off as a failure and file it away, the residue of the company and its assets are sold for some trivial sum to whoever turns up.

Their assets that include a hundred million always-on apps on phones worldwide, with security permissions to record everything and transmit, and preapproved automatic updates.

If you’re not grimacing at that, you haven’t thought about it enough.

This is one thing that Apple have got right – very little preinstalled that isn’t from the manufacturer directly. Maybe I could switch to an iPhone, or maybe it’s time to finally think about Cyanogen.

But that’d fix it for me. The underlying systemic risk is still there… and one day we’re all going to get burned. Preinstalled third party apps with broad permissions are a time-bomb and the phone manufactures should probably think hard about their (legal and reputational) liability.

Tags: ,

Leave a Reply