The 59 Chinese apps banned by the Narendra Modi government, in the backdrop of tensions on the Line of Actual Control, posed significant privacy and security concerns to the unwitting Indians using them. Their presence also raised some grave national security concerns, given the link the developers of most of these apps have with the Chinese government. However, threats to privacy and security continue to linger on from some unsuspecting quarters. One such area is the presence of bloatware on mobile phones.
The bloatware problem
Bloatware may be defined as a system of pre-installed apps on select mobile devices that cannot be removed or even disabled without compromising on the functionality of the phone or exposing it to serious security concerns. These apps are installed primarily by handset manufacturers and often add significantly to their revenue. Several mobile manufacturers are able to keep the price of their device low because they compensate for reduced profits on the sale of devices by making additional profits through these third party apps. The problem is particularly acute with some of the Chinese mobile manufacturers. Xiaomi, for example, by some estimates, earned 9.1% of its revenue in 2018 through these pre-loaded apps and services. Samsung and other manufacturers have also adopted such business models, especially at the lower end of the price spectrum. However, this low price for customers often comes at a significant cost. Apart from consuming unnecessary space on the phone and being a drain on the device’s battery, these apps pose serious security threats because they collect user data in surreptitious ways that can easily be misused.
Surprisingly, the issue has received very little attention in both academic and policy circles. However, a paper titled An analysis of Pre-installed Android Software by researchers at the IMDEA Networks Institute, brings forth significant issues with these pre-installed apps.
What data is being collected?
These apps are designed to have what can be called custom permission that allows them bulk access to various features that are not available to other apps. Highlighting the gravity of the risk, the paper notes: “These actors have privileged access to system resources through their presence in preinstalled apps but also as third-party libraries embedded in them. Potential partnerships and deals – made behind closed doors between stakeholders – may have made user data a commodity before users purchase their devices or decide to install software of their own”
The paper also found that these apps collect extremely sensitive information that can range from data related to geo-location, information regarding other apps that a consumer is using on the phone to even personally identifiable information. All this data collected is shared with the advertisers and other analytics firms. These pre-installed apps have also been found to have embedded third-party libraries like Rootnik that can expose the users to banks and other kinds of monetary fraud. Such practices raise concerns about the privacy of individual users.
We are deeply grateful to our readers & viewers for their time, trust and subscriptions.
Quality journalism is expensive and needs readers to pay for it. Your support will define our work and ThePrint’s future.
Challenges regulating pre-installed apps
There are challenges in regulating these apps, especially in the absence of a robust data protection law. The device manufacturers work with a large network of vendors, and at times, it becomes difficult to trace the legitimate developer of such an app. This makes it difficult to fix accountability, which is further complicated by long supply chains in the app development business. However, South Korea has sought to regulate use of such apps by imposing obligations on the handset manufacturers. These regulations require the phone makers to allow such pre-installed apps to be deleted, if a user wishes to, without compromising any of the functionalities of the device. Only four categories of apps: Wi-fi connectivity, near-field communication, customer service app and the Play Store have been allowed as an exception from this rule.
China has also adopted a similar approach. While the US and Europe don’t have specific regulations for these apps, they do have fairly robust laws on data protection, which does provide some level of security against these practices.
What India can do
Given that India does not yet have a dedicated law on data protection and the heightened privacy concerns associated with these apps, regulators in India must take proactive steps. Possible regulatory approaches can range from outright banning of such pre-installation to regulating it on the lines of South Korea. However, merely giving the option to delete these apps to the consumers may not be very effective in India as a large number of users here are not aware of the hidden risks associated with the use of such apps.
Therefore, the most effective way could be to make it obligatory on the device manufacturers to also provide the users with sufficient information on such apps, including full disclosure on the type of data being collected, the purpose for which data will be used and the entities with which such data will be shared, if any. Also, all this information should be communicated in a language that the user can understand easily. This approach will allow consumers to make an informed choice about the apps they want to use on their phones and risks associated with the same.
It is surprising to see that the issue has not received the attention that it deserves given the stakes involved. However, it is better late than never. Regulators must take note of this potential security lapse, especially in the light of current developments.
Ravi Shankar Jha @ravijhatweets is a Senior Investment Specialist at Invest India, Ministry of Commerce. Views are personal.
News media is in a crisis & only you can fix it
You are reading this because you value good, intelligent and objective journalism. We thank you for your time and your trust.
You also know that the news media is facing an unprecedented crisis. It is likely that you are also hearing of the brutal layoffs and pay-cuts hitting the industry. There are many reasons why the media’s economics is broken. But a big one is that good people are not yet paying enough for good journalism.
We have a newsroom filled with talented young reporters. We also have the country’s most robust editing and fact-checking team, finest news photographers and video professionals. We are building India’s most ambitious and energetic news platform. And we aren’t even three yet.
At ThePrint, we invest in quality journalists. We pay them fairly and on time even in this difficult period. As you may have noticed, we do not flinch from spending whatever it takes to make sure our reporters reach where the story is. Our stellar coronavirus coverage is a good example. You can check some of it here.
This comes with a sizable cost. For us to continue bringing quality journalism, we need readers like you to pay for it. Because the advertising market is broken too.
If you think we deserve your support, do join us in this endeavour to strengthen fair, free, courageous, and questioning journalism, please click on the link below. Your support will define our journalism, and ThePrint’s future. It will take just a few seconds of your time.