A study conducted by Carlos III University of Madrid (UC3M) and the IMDEA Networks Institute, in collaboration with the International Computer Science Institute (ICSI) in Berkeley (USA) and Stony Brook University of New York (USA), has analysed more than 82,000 pre-installed apps on more than 1,700 devices manufactured by 214 brands.
The results of the study reveal the existence of a complex ecosystem of manufacturers, mobile operators, developers and service providers, as well as organizations specializing in monitoring and tracking users and advertising on the network.
Fact: Many of the pre-installed apps provide privileged access to data and system resources, and an average user cannot uninstall them.
The general permission rules of the Android operating system and its applications allow a large number of actors to monitor and obtain personal information from users. Understandably, the end user is unaware of the presence of these spies on their Android devices and of the implications these practices have for their privacy. Because this software runs with system privileges, removing it is difficult for any average user. This is not the case for experts, but there are far fewer of them.
The conclusions of the study will be presented at one of the world's leading cybersecurity and privacy conferences, the IEEE Symposium on Security and Privacy in California (USA). Similarly, the Spanish Data Protection Agency (AEPD) has contributed to the dissemination of the study due to the massive impact of the results on citizens' privacy. The AEPD will present the results to the European Data Protection Committee for action.
That’s not the end of it
Apart from the standard permissions defined on an Android device, researchers have identified more than 4,845 proprietary or custom permissions defined by those involved in the manufacture and distribution of mobile phones. This type of permission allows apps published on Google Play to bypass the Android permissions model and access user data without requiring the user's consent when a new app is installed.
What about pre-installed applications?
Academics have identified more than 1,200 developers behind the pre-installed software, as well as the presence of more than 11,000 third-party libraries (SDKs) included in it, many related to online advertising and monitoring services for commercial purposes. Most cannot be uninstalled from the system.
Lack of transparency
Researchers also state that there is a lack of transparency in the apps and in the Android operating system itself, which show the user a list of permissions different from the real one, limiting their ability to make decisions about managing their personal information.
What will the AEPD do?
The Data Protection Agency will present the conclusions to the European Data Protection Committee (EDC), a body of the European Union of which it is a member along with other European data protection authorities and the European Supervisor. According to the AEPD, this study helps manufacturers, developers and distributors of products and services to apply the principles of Privacy by Default and by Design established in the GDPR in order to safeguard the rights and freedoms of individuals.
Reference: "An analysis of preinstalled Android software", Julien Gamba, Mohammed Rashed, Abbas Razaghpanah, Juan Tapiador, Narseo Vallina-Rodriguez. https://haystack.mobi/papers/preinstalledAndroidSW_preprint.pdf To appear at the 41st IEEE Symposium on Security and Privacy (IEEE S&P 2020).