Android phones bring a factory software pre-installed that in many cases traces the activity of the owner without his knowledge: "Users have no idea of the data exchange agreements that exist between companies that decide what is pre-installed in their phones," says the pioneering research led by two Spanish academics, Narseo Vallina-Rodríguez, of Imdea Networks and the ICSI (University of Berkeley), and Juan Tapiador, of the Carlos III University, who EL PAÍS advanced in scoop. This newspaper contacted Google -author of the Android ecosystem-, the manufacturers Samsung, Huawei, Xiaomi and BQ, and the operators Telefónica, Vodafone and Orange to find out their opinion about the findings.
The rest of the answers focus on arguments that do not challenge the main conclusion of the study
After repeated messages, Xiaomi, Huawei and Telefonica have opted not to answer. The rest of the answers focus on arguments that do not challenge The main conclusion of the study: that Android phones have a life of their own apart from the will of their owner. The only way to get rid of the role of preinstalled software is apparently not to use an Android mobile. In the messages given so far, the companies do not offer any technical input that makes the investigation doubtful.
"We are concerned about the accuracy of this research and the conclusions drawn from it," says Google, who admits to having been in contact with researchers. He adds that they work "in close collaboration with the original equipment manufacturers certified with Play Protect to help them ensure the quality and safety of the applications they pre-install on the devices."
That said, Google's first big "concern" with the research is that "the vast majority of the phones tested were not certified by Play Protect." The article analyzes 1,742 devices. In one of the tables at least 908 of four brands certified by Google are listed: Samsung, Huawei, LG and Motorola. They are more than 50%. For its argument of "the vast majority", Google seems to hide behind the fact that of the 214 brands analyzed, only 22% are certified. But that does not mean that the majority of mobiles are of those unknown brands: only between Samsung and Huawei there are already more than 750 devices.
Google also says that "none of the samples they shared with us to date turned out to be really pre-installed applications." The researchers shared with Google only some sample of software malicious, which is a minor part of the study. Next to the panorama of chaos generated from the applications brought by the factory mobile, there is a malicious subgroup that hijacks the mobile. According to Google, those apps they can sneak in between the preinstalled software without being.
Vallina and Tapiador have shared with EL PAÍS a statement on this point: "Google's statement seems to focus on this point that, in our investigation, is not central, so we understand that all the key observations made in our work on the presence of several actors and the lack of transparency and control in the preinstalled software of the Android ecosystem are still unquestioned, "they conclude.
The protagonism of the manufacturers
Among those other actors, the protagonists are the manufacturers. Chinese companies Huawei and Xiaomi have declined to answer the questions sent to them by EL PAÍS.
Samsung and BQ focus on the strict control they presumably exercise and the ability to disconnect some of the pre-installed apps. "We work hard with our partners to review pre-installed applications and ensure that consumers have control of the applications on their devices," they say from Samsung. It is somewhat difficult for the user of an Android phone to understand, but the software that it carries is not all of the company that sells it. In the process of creating that device, the software of several companies participates.
If the trust that the brand asks for does not satisfy the user, the nuclear option remains
If the trust requested by the brand fails to satisfy the user, the nuclear option remains: "Our policies allow users to have control and authority over their devices, allowing them to eliminate or disable pre-installed applications if they wish," they say from Samsung.
In the section of applications of the settings of an Android phone you can activate a function that shows all that are in the mobile, both those downloaded by the user and those that already came. If done, in the list of apps suddenly appear a lot of applications with the Android logo and unclear names or that seem key to the operation of the mobile. These are some examples: androidhwext, Certificate Installer, ConfigUpdater, Fused Location, Google One Time Init, Google Services Framework.
The system allows denying permissions, deleting data, forcing the arrest or disabling these apps. If you want to "disable", the mobile warns: "If you disable a pre-installed app, other apps may malfunction." Which user risks having a phone that malfunctions? Or worse, stop working.
It is a one-way street: either you accept or accept.
Size also matters One way to lower the cost of a phone is to give access to the data of its future users to who pays well. A brand that places more phones around the world will have more negotiation capacity.
In the end the user depends on the good faith of the brand. In BQ they presume to safeguard privacy. This is the complex technical explanation given by the Spanish brand: "Much of the Android project is open source and the source code can be found in both AOSP and CodeauroraForum (Qualcomm) .The stack is also composed of precompiled libraries of Qualcomm itself or of third parties that work with the big players (Google, Qcom) and are totally reliable, BQ is in charge, ultimately, of integrating all the source / precompiled code and generating firmwares for our devices ".
The user must rely several times on several companies: Qualcomm, Google and BQ. The brand however does not share with which companies have agreements to integrate software into the device: "It is confidential", because "they are companies that make specific algorithms (camera or audio, for example) and publish a list is to provide the competition a important strategic information, "they say from BQ.
The central confirmation that everything will go well with that Android phone focuses again on that there will be no malicious software or pre-installed vulnerabilities, which is the same concern of Google. This is explained from BQ: "As shown by the security reports published by Google each year, vulnerabilities suffered by people who only install applications from reliable sites (for example, the Play Store), are practically non-existent."
The objective of this research is, however, to go beyond the malware and the applications that are inside the closed and guarded garden of Google Play: 91% of the apps analyzed are not in Google Play.
Another obvious actor that reaches agreements with the manufacturers to add pre-installed software and commercialize the devices are the operators. Orange, for example, says that it gives these options: "Each time the client opens the application you can see the list of apps that we offer: both our apps and those of suppliers with which we have agreements. , there is also a page where the client can consult the conditions for third party apps that we include, "says the operator. On these phones there is software from the manufacturer, from the companies with which it has reached agreements, from Orange and from the companies with which it has reached agreements.
Vodafone has a different policy for each country, which is something that reflects the research because there are examples from 130 countries. In Spain, "the decision that was made a few years ago," according to Vodafone Spain, "was not to preload third-party applications, although we can have commercial agreements with them, and to limit Vodafone's applications exclusively to strategic applications" . It is not easy to understand what a commercial agreement means without preloading or how "applications" are limited to "strategic applications".
The pre-installed software that allows tracking lives outside the Play Store. Google says it scans 50 billion applications every day on more than two billion devices. Look for potentially harmful material. A pre-installed library that subtly sends information to a server may not be considered harmful. It can even go unnoticed