As a consumer, you buy a new Android cellphone. It could be any brand, but it is likely to be an Android as they account for more than 80% of today’s cellphone market. You open the box, press the “On” button and the phone connects to the internet. Without further ado, you have just triggered the most sophisticated surveillance machine to date for monitoring your routines.
It no longer matters whether you have downloaded Facebook or activated a Google account, or given permission to some app or anti-virus program to access your contacts, camera and microphone. Whatever you do from that moment on, your new cellphone will be sharing details of your activity with the rest of the world. The software that comes pre-installed is the most accurate resource on your phone for predicting where you might be, what you might download, what messages you might send and what music you might listen to.
“It is the scale of it that makes it so serious: we are talking about hundreds of thousands of millions of Android phones.” – Juan Tapiador, professor and co-author of the study
“The pre-installed apps are an indication of another reality: agreements between actors (manufacturers, data traders, mobile operators and advertisers) for added value, but also for commercial ends,” says Juan Tapiador, a professor at Carlos III University in Madrid and co-author of the study on this alarming situation, along with Narseo Vallina-Rodríguez from IMDEA Networks and the International Computer Science Institute at Berkeley University.
While none of the findings are in themselves earth-shattering – we already know, for example, that cellphones walk a fine line when it comes to compiling and sharing data – what they do reveal is the extent of pre-installed apps’ reach, their lack of transparency, and their privileged position within the devices. Researchers analyzed 1,742 phones made by 214 manufacturers in 130 countries.
“Until now, research on the risks to privacy from cellphones has been focused on apps that are listed on Google Play or malware,” says Vallina. Instead, he and Tapiador analyzed the pre-installed apps on standard cellphones and it turns out that, due to a complex ecosystem of manufacturers, mobile operators, app developers and service providers, the guarantees offered by Android are looking less than foolproof.
The research is to be published in detail on April 1 and will be presented at one of the biggest cyber security and privacy conferences in the world, the 41st IEEE Symposium on Security & Privacy, in California.
The authors gave EL PAÍS an early look at the study, which shows how our personal data is sent to a broad network of interested parties, which generally includes servers belonging to the cellphone’s manufacturer, companies that are regularly accused of harvesting our personal data such as Facebook and Google, but also to a murky world of big corporations and start-ups that package it, tag it and sell it on to whoever offers the right price.
In a research project on an unprecedented scale, Tapiador and Vallina created the app Firmware Scanner to pick up the pre-installed software on the cellphones of volunteers. Because Android’s operating system is open source, any manufacturer can ship its own version of it along with other pre-installed apps. A cellphone can have more than 100 pre-installed apps and a further 100 that are third-party libraries included in the code, many of which are specialized in monitoring the user and in advertising.
It is, in effect, an international landscape of hundreds of thousands of apps with common, dubious, unknown, dangerous and potentially criminal uses – a chaotic environment of mass surveillance with only the tip of the iceberg revealed by the year-long research.
A jigsaw of parts
An Android cellphone is not produced by just one manufacturer. The chip comes from one company and the updates of the operating system will possibly be outsourced to another, while separate software will be added by the mobile operators and distributors. There are a lot more players involved in the final product than the name on the box might suggest, although the final control of all the software belongs to the brand, which may or may not have privileged access to the user’s data.
The result is an ecosystem so complex that all the players can sidestep the responsibility of where our personal data ends up. Google created the open-code platform but this is now available to everyone. And what belongs to everyone belongs to no one. “The world of Android is like the jungle or the Wild West, particularly in countries with little regulation for the protection of personal data,” says Tapiador.
Vallina adds, “There is no supervision on what is imported and sold within the European Union when it comes to software, and to a large extent hardware too.”
Consequently, each version of our Android cellphones tells its base what we are up to from the moment we turn it on, without skipping a beat. The problem is not only what is said about us, but also that the user has no control over the management of personal data.
Google Play’s permissions
The companies that compile consumer data for advertisers already have access to user data via Google Play’s regular apps. So why do they seek to reach agreements with manufacturers allowing them to be part of the pre-installed software?
Imagine our data is stored in a house that has several floors. The Google Play apps would look like windows that we can open and close. Sometimes we let the data out and sometimes not. That depends on each user’s decision on how to manage their personal data. But what this user cannot know is that Android cellphones come with a door that is wide open all the time, making the windows irrelevant.
Pre-installed software is always there. We cannot eliminate it from the device without breaking the protection offered by the system; but this is something beyond the scope of the average user.
Apps downloaded from Google Play come with the option of data management. For example, it might say: “Allow your new free game to have access to your microphone?” Or: “Allow your app to access your location to improve its productivity?” If we decide there are too many permission requests, we can simply scrub the app from our phone. Google apps have their own service terms and need to ask explicit permission before acting. The user is ultimately responsible for the management of their data.
But pre-installed apps reside below the radar of the indexed apps in the store, and in many cases their permission agreement is incorporated into the operating system. “Google Play is a garden that has a gate that is shut and policed, but 91% of the pre-installed apps that we have seen are not in Google Play,” says Tapiador. And outside Google Play, no one is aware of what is going on in their phone.
Pre-installed software has two further problems; first, it is inside an operating system that has access to all the cellphone’s functions and, secondly, these apps can be automatically updated, which allows them to mutate. The operating system is the cellphone’s brain. It has constant access to everything and it automatically updates. And these updates are important because a manufacturer might have given permission to a company to be on its mobile code for something innocuous. Then two months later, this can be updated, adding permission for other things such as recording conversations and accessing messages.
The pre-installed apps are easy for their creators to update; when the needs of the tracking company change, the creators can introduce new software and new instructions. The owner of the cellphone is powerless to stop that from happening; there is no permission request; the operating system is simply updated.
“Some of these apps call home base asking for instructions, and they pass along information from the device where they are installed. At times, this information is massive and includes the technical characteristics of the phone, unique identifiers, location, contacts, messages and emails,” says Tapiador. “All this is picked up by a server, which decides what to do with this. According to the country the device is in, the server could decide to install one app or another, or send the user certain ads over others. We discovered this by analyzing the code and the behavior of the apps.”
The server that receives the information could be the manufacturer or a social network that sells publicity to unknown data traders, or even an unidentifiable IP address.
One risk is that these obscure pre-installed apps can use custom permissions to expose information to Play Store apps. Custom permissions are a tool that Android offers to software developers so that apps can share data with one another. For example, if an operator or a bank service has a number of apps, it is legal for them to talk between themselves and share data. But at times it is not easy to discover which data is being shared by which pieces of software.
In a new cellphone, there could, for example, be a pre-installed app that has access to the camera, contacts and microphone. This app was programmed, say, by Wang Sánchez and it bears a certificate with his public key and signature. It is apparently legitimate but nobody can confirm whether Wang Sánchez’s certificate is bona fide. This app is always on and it clocks the location, activates the microphone and stores the recordings. But it does not send the information to any server because Wang Sánchez’s app does not have permission to send anything through the internet. What it does do is declare a custom permission that regulates access to the data and whoever else has this permission can get ahold of the data.
The owner of this cellphone might go to Google Play Store one day and find a fabulous sports app. The only official permission that has been asked for has been access to the internet, which is absolutely normal for apps. But the sports app also asks for the custom permission of the Wang Sánchez app. The sports app is not aware these permissions are not shown to the user. So the first thing it will say to the pre-installed app is, “Do you live here? Give me access to the microphone and the camera.” It was apparently a risk-free app, but the complexities of the system of permissions mean these kinds of scenarios are common.
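The scenario above can be checked for on a device image by cross-referencing app manifests. The following is an added example, not code from the study or from Firmware Scanner: it assumes the manifests have already been decoded to text XML, and the package and permission names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"

# Constructed sample manifests (hypothetical packages), in decoded text form.
# The pre-installed app holds sensitive permissions but not INTERNET.
PREINSTALLED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.preload.recorder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <permission android:name="com.example.preload.recorder.READ_DATA"/>
</manifest>"""

STORE_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sports">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.example.preload.recorder.READ_DATA"/>
</manifest>"""

def parse(xml_text):
    """Return (package, {declared permission: level}, {requested permissions})."""
    root = ET.fromstring(xml_text)
    # A <permission> without protectionLevel defaults to "normal" (no user prompt).
    declared = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
                for p in root.iter("permission")}
    requested = {u.get(ANDROID + "name") for u in root.iter("uses-permission")}
    return root.get("package"), declared, requested

def audit(manifests):
    """Flag custom permissions that another package can obtain and relay."""
    apps = [parse(m) for m in manifests]
    findings = []
    for owner, declared, owner_req in apps:
        for perm, level in declared.items():
            if "signature" in level:
                continue  # restricted to same-signer or system apps
            for pkg, _, req in apps:
                if pkg != owner and perm in req:
                    findings.append({
                        "permission": perm, "level": level,
                        "declared_by": owner, "requested_by": pkg,
                        "owner_holds": sorted(owner_req - {INTERNET}),
                        # requester has network access that the owner lacks
                        "relay": INTERNET in req and INTERNET not in owner_req,
                    })
    return findings
```

A finding with `relay` set to true matches the pairing described above: the declaring app holds sensitive permissions without internet access, and the requesting app supplies the network path.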
Governments and the industry have been aware for years of this process. The US federal agencies ask for their cellphones to come with operating systems that are free of pre-installed software. But ordinary citizens need to wise up. Their data is not safe. “Having regulatory control over all the possible versions of Android on the market would be almost unmanageable,” says Vallina. “It would require a very expensive and extensive analysis.”
The bottom line is that we carry a massively sophisticated surveillance machine in our pockets.
The authors of these apps are a huge mystery. In fact, Tapiador and Vallina’s research has revealed something not unlike the dark web. There are, for example, apps that are signed by Google, which are unlikely to belong to Google. “Working out who the authors are has been an almost manual task, looking at who has signed each one and if it has any kind of chain that can be linked to a library or known manufacturer,” says Vallina, who explains that while many send acceptable information to manufacturers or big companies, many others hide behind fake names.
The information they send out is easily linked to a particular telephone number or to personal data. The phone’s SIM and dozens of apps linked to the email or to social media accounts easily reveal the origin of the data.
English version by Heather Galloway.