A user buys a new Android mobile. The brand doesn’t matter. He opens the box, presses the power button, the mobile connects to the Internet and, without doing anything else, he has just started the most sophisticated machine for monitoring his routines.
It no longer matters whether you download Facebook, activate your Google account or grant every permission to an obscure flashlight or antivirus app. Before you take any action, your new mobile has begun to share details of your life. The software that comes pre-installed as standard is the most effective means of learning what that mobile goes on to do: where it is, what it downloads, what messages it sends, what music files it has.
“The pre-installed apps are the manifestation of another phenomenon: agreements between actors (manufacturers, data merchants, operators, advertisers) to give, in principle, added value but also for commercial purposes. The gravity element is provided by scale: we are talking about hundreds or billions of Android phones,” says Juan Tapiador, professor at Carlos III University and one of the authors, together with Narseo Vallina-Rodriguez, of IMDEA Networks and ICSI (University of Berkeley), of the research that reveals this underworld. Android mobiles represent more than 80% of the global market.
The new international study conducted by the two Spanish academics reveals the depth of the abyss. None of the findings by itself is radically new: it is well known that mobile phones skirt the limits of permissions when it comes to collecting and sharing data. What is new about pre-installed apps is their reach, their lack of transparency and their privileged position within the mobile: the researchers have analysed 1,742 mobiles from 214 manufacturers in 130 countries.
“Until now, research on mobile privacy risks has focused on apps that are listed in Google Play or malware samples,” says Vallina. Now they have analyzed what comes standard on mobiles, and it appears to be out of control. Because of the complexity of the ecosystem, the privacy guarantees of the Android platform may be in question.
The article, which will be officially published on April 1 and to which EL PAÍS has had access, has already been accepted by one of the world’s leading cybersecurity and privacy conferences, the IEEE Symposium on Security & Privacy in California.
Our personal information is sent to a wide network of destinations, which changes according to the mobile, and some are controversial: to servers of the mobile manufacturer, to companies usually accused of spying on our lives (Facebook, Google) and to an opaque world that ranges from corporations to start-ups that gather each person’s information, package it with an identifier linked to our name and sell it to whoever pays well.
No one had ever looked into this abyss before to do an investigation of this magnitude. The researchers created the Firmware Scanner app, which collected the pre-installed software from the mobiles of the volunteer users who downloaded it. For the study they have analyzed more than 1,700 devices, but they have more than eight thousand. The open source Android operating system allows any manufacturer to have its own version, along with its own pre-installed apps. A mobile can have more than 100 pre-installed apps and hundreds of other libraries, which are third-party services included in their code, many of them specialized in user monitoring and advertising.
In total, an international panorama of hundreds of thousands of applications with common, dubious, unknown, dangerous or potentially criminal functions. This near-perfect definition of chaos led researchers to more than a year of exploration. The result is just a first look at the precipice of massive surveillance of our Android mobiles without user knowledge.
More than one manufacturer
An Android mobile phone is not just a product of its manufacturer. The statement is surprising, but several companies are involved in the production chain: the chip comes from one brand, operating system upgrades can be outsourced, and telephone operators or large businesses that sell mobiles add their own software. The actors involved in making a mobile go far beyond the name on the box. Who has ultimate control over all the software that is placed there, with privileged access to user data, is undetermined.
The result is an uncontrolled ecosystem, where no one today is able to take responsibility for what happens to our most intimate information. Google created the platform from open source, but now it belongs to everyone. And what belongs to everyone is nobody’s: “The Android world is very jungle-like, it’s like the Far West, especially in countries with little regulation of personal data protection,” says Tapiador.
“There is no supervision of what is imported and marketed at a software (and largely hardware) level within the European Union,” says Vallina. The result? A chaos where every version of our Android mobiles talks to its base from day one, without interruption, to tell it what we do. The problem is not only that they tell on us, but that the owner of the mobile does not control what permissions he gives.
The closed garden of Google Play
Companies that collect user data to, for example, create profiles for advertisers already have access to user data through normal Google Play apps. What then is the interest of a data merchant in entering into agreements with manufacturers to be part of the pre-installed software?
Imagine that our data is inside a multi-storey house. Google Play apps are windows that we open and close: sometimes we let the data out and sometimes not. It depends on the vigilance of each user and the permissions he gives. But what that user doesn’t know is that Android mobiles come with the door to the street wide open. It doesn’t matter what he does with the windows.
The pre-installed software is always there, it accompanies us everywhere and in every corner of the phone, and moreover it cannot be erased without rooting the device (breaking the protection provided by the system in order to do whatever you want with it), something that is not within the reach of ordinary users.
The apps the user downloads from Google Play give him the option to see the permissions they ask for: do you allow your new free game to access your microphone? Do you allow your new app to access your location for better productivity? If we find too many permissions, we can delete the app. The applications that Google monitors have their terms of service and must ask for explicit permission to execute actions.
The user, even if he or she doesn’t notice or has no choice, is ultimately responsible for his or her decisions. You are giving permission for someone to access your contacts. But the pre-installed apps are already there. They live below the apps indexed in the store, without clear permissions or, in many cases, with the same permissions as the operating system. In other words, all of them. “Google Play is a closed garden with its policemen, but 91% of the pre-installed applications we’ve seen aren’t in Google Play,” says Tapiador. Outside Google Play nobody watches in detail what ends up inside a mobile.
Two additional problems
The pre-installed software has two additional problems: one, it sits alongside the operating system, which has access to all the functions of a mobile, and two, those apps can be updated and can mutate.
The operating system is the brain of the mobile. It has access to everything at all times. It doesn’t depend on whether an app is running or whether the user can delete it. It will always be there, and it is updated. Why are updates important? Here’s an example: a manufacturer has given permission to a company to put code on the mobile to check something innocuous. But that code can be updated and, two months later or when the company knows that the user lives in a certain country and works in a certain place, the company can send an update to do other things. Such as what? Recording conversations, taking photos, looking at messages …
The pre-installed apps are easy for their creator to update: if you change country, or if the intentions of whoever placed a tracking system there change, new software is sent to you with new orders. The owner of the mobile phone cannot prevent it and is not even asked for specific permissions: the operating system is simply updated.
“Some of those apps call home for instructions and send information about where they are installed. That information is sometimes huge: extensive reports with technical features of the phone, unique identifiers, location, contacts in the phone book, messages or e-mails. All that is collected by a server and a decision is made as to what to do with that phone. For example, depending on the country you are in, you may decide to install one app or another, or promote one ad or another. We have found out by analyzing the code and behavior of the apps,” says Tapiador.
The server that receives the information may belong to the manufacturer, a social network that sells advertising, an unknown data merchant, or an obscure IP address whose owner is unknown.
One danger is that those opaque pre-installed apps use custom permissions to expose information to apps from the Play Store. Custom permissions are a tool that Android offers software developers so that apps can share data with each other. For example, if an operator or a banking service has several apps, it is legitimate for them to talk to each other and share data. But sometimes it is not easy to find out what data some pieces of that software share.
Inside a new mobile there is, for example, a pre-installed app that has access to the camera, contacts, or microphone. This application has been programmed by a guy named Wang Sánchez and carries a certificate with his public key and signature. Apparently it’s legitimate, but nobody checks that Wang Sánchez’s certificate is real. That application is always on, takes the location, activates the microphone and keeps the recordings. But it doesn’t send them to any server, because Wang Sánchez’s application doesn’t have permission to send anything over the Internet. What it does do is declare a custom permission that regulates access to those data: whoever has that permission will be able to obtain them.
One day the owner of that mobile goes to the Google Play Store and finds a great sports app. What official permissions does it ask for? Just Internet access, which is perfectly common among apps. It also asks for the custom permission of Wang Sánchez’s application. But the owner doesn’t realize it, because these permissions aren’t shown to the user. So, the first thing the newly arrived sports app will say to the pre-installed app is: “Oh, you live here? Give me access to the microphone and the camera.” It was apparently a risk-free app, but the complexities of the permission system mean that situations like this can occur.
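The custom-permission scenario above can be looked for when auditing a firmware image. The following is an added example, not code from the study or its Firmware Scanner app: it parses decoded AndroidManifest.xml files and reports custom permissions declared by one package and requested by another. The manifests, package names and permission name are constructed, and it assumes `android:protectionLevel` appears as text (an omitted level defaults to `normal`, which is granted without a prompt).

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifests; package and permission names are hypothetical.
PREINSTALLED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.preinstalled">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <permission android:name="com.example.preinstalled.READ_DATA"
      android:protectionLevel="normal"/>
</manifest>"""
SPORTS_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sports">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.example.preinstalled.READ_DATA"/>
</manifest>"""

def parse(manifest_xml):
    """Return (package, {declared permission: level}, {requested permissions})."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
                for p in root.findall("permission")}
    requested = {u.get(A + "name") for u in root.findall("uses-permission")}
    return root.get("package"), declared, requested

def audit(manifests):
    """Flag custom permissions, open to any signer, that another package requests."""
    apps = [parse(m) for m in manifests]
    findings = []
    for owner, declared, owner_perms in apps:
        for perm, level in declared.items():
            if "signature" in level:  # not granted to arbitrary Play Store apps
                continue
            for pkg, _, requested in apps:
                if pkg != owner and perm in requested:
                    findings.append({
                        "permission": perm, "level": level,
                        "declared_by": owner, "requested_by": pkg,
                        # platform permissions the declaring app holds and could expose
                        "owner_holds": sorted(p for p in owner_perms
                                              if p.startswith("android.permission.")),
                        "requester_has_internet": "android.permission.INTERNET" in requested,
                    })
    return findings

if __name__ == "__main__":
    for finding in audit([PREINSTALLED, SPORTS_APP]):
        print(finding)
```

A finding where the declaring app holds microphone or location access and the requester holds `INTERNET` is the pairing the article describes and deserves manual review of what the permission actually guards.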