Sample this: You try to install a crucial app, but your phone’s memory doesn’t allow it. You try all possible ways to clear memory space by deleting cache, unwanted and accidental photos and videos, however, you still don’t have enough memory to install the app. You dig deep to find that a considerable portion of the phone’s memory is occupied by pre-installed apps. Acting swiftly, you try deleting the ones you never use, but to your utter surprise, they are not deletable. You just can’t wish them away!

Pre-installed apps are a not-so-desired reality of smartphones. However, unlike the initial days, when a few mobile phones would come with a rare pre-installed app, these days, Android phones come with a whole bunch of them. Many of them are bloatware – a term used for pre-installed apps or softwares that users do not want, but are saddled with.

While providing several benefits like simplifying the device activation process, troubleshooting issues and optimising performance, these pre-installed apps gain extensive control over the device and that can have serious ramifications. 

User privacy and security on the line

A few months ago, Microsoft uncovered severe vulnerabilities in a mobile framework used by renowned mobile service providers in pre-installed Android system apps. In its analysis, Microsoft found that these apps were embedded in the system image of devices, implying that they were installed by phone providers. The system image contains all the settings, configurations, and apps that the original equipment manufacturer and the carrier have decided to provide to end users. Moreover, all the apps were available on Google Play Store. Now, apps available on Google Play go through automatic safety checks. Therefore, the presence of these apps on the Play Store despite safety checks implies that such kinds of vulnerabilities were not scanned for. 

Detected vulnerabilities in pre-installed apps render mobile devices an easy target for attackers. An attacker may be able to carry out local and remote attacks due to the pre-existing vulnerabilities. The attacker may also get access to the system configuration and sensitive information by exploiting the system privileges. 

One of the first large-scale studies on pre-installed software on Android devices was published at the 2020 IEEE Symposium on Security and Privacy. The study, An Analysis of Pre-installed Android Software, discusses the ecosystem of pre-installed apps in detail. It found that pre-installed apps in Android phones are used for data collection, tracking, and monitoring without the user’s awareness. 

Many of these applications contain viruses that could endanger the user’s security. These apps frequently provide user’s access to permissions that aren’t typically available if directly downloaded from the Google Play Store. They grant access to intrusive permissions like the accessibility to information about other apps installed by users. The data thus gathered, is then provided to advertisers and analytics companies. The collected information may include sensitive geolocation data and personally identifiable information gleaned from the email or phone address books of the devices. These pre-installed apps often come with specifically designed backdoors that allow app developers to access phone functionalities like storage or leak personally identifying information to data brokers.

There have been several suspicions about mobile phone manufacturers being involved in security breaches concerning personally identifiable information. For example, a few years ago, The New York Times reported that Meta (then Facebook) and device manufacturers like Samsung had secret agreements to collect private data from users without their knowledge.

In India, there have been concerns about privacy being jeopardised due to data collected by pre-installed smartphones, essentially those manufactured by Chinese mobile phone companies.

In addition, the plea wanted the manufacturers to guarantee users’ privacy by revealing how the data collected from the pre-installed apps would be stored and used. 

Undoubtedly, security and data privacy is perhaps the most important concern posed by the pre-installed apps. However, there are other concerns too. Take the example of the Glance app that comes pre-installed on several smartphones. Although users need to enable it, it is very difficult for a layman to determine if it is drawing sensitive information from the device. There could be a possibility that it may be drawing on data, but only when users enable the app does it share data with other stakeholders. After all, there are instances when many of these pre-installed apps run in the background without the user’s knowledge making it difficult to disable apps that are found on the home screen.

A revenue stream for handset manufacturers

Notwithstanding the security issues posed by pre-installed apps, what makes handset manufacturers provide these apps is the revenue they provide. Most of the time, app producers pay mobile phone manufacturing companies to include their apps in the system image. It serves a dual purpose – one, the app gets a promotional platform and recognition which is beneficial for app developers in the long run, two, the handset manufacturers are able lower the price – a key reason why Android phones have been able to target the middle and lower-income groups. 

Doing away with these apps can cost you

While most bloatware cannot be outrightly deleted, some like the Glance app can be disabled. In order to completely get rid of the apps, one could opt for the highly technical way of rooting the device. When rooting your phone, you reach a secured part of the device where system files exist and from there, you will be able to delete unwanted apps. However, that comes at the cost of device security.  Rooting also increases the chances of bricking the device wherein your phone turns into an expensive unusable ‘brick’ due to mis-operation. Moreover, handset manufacturers revoke the warranty, if the device has been rooted. 

Way forward

A possible way out of this mess would be if manufacturers provide documentation for the specific set of apps that they have pre-installed in the devices, along with their purpose and the entity responsible for each such application. It should be accessible and understandable to users. Such a practice will ensure that at least a reference point exists for users and regulators to find accurate information about pre-installed apps and their practices. 

With the evolution of mobile technology, as newer threats and vulnerabilities are discovered, collaboration among security researchers, software vendors and other stakeholders can improve the overall security so that end users are shielded from present and future threats.