In an open letter published yesterday, more than 50 organizations asked Google to take action against Android smartphone vendors who ship devices with unremovable pre-installed apps, also known as bloatware.
The letter, signed by 53 organizations, was addressed to Google CEO Sundar Pichai.
Signees say Android bloatware has a detrimental effect on user privacy. They say many bloatware apps cannot be deleted and leave users exposed to having their data collected by unscrupulous phone vendors and app makers without their knowledge or consent.
"These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model," the open letter reads.
"This means permissions can be defined by the app - including access to the microphone, camera and location - without triggering the standard Android security prompts. Users are therefore completely in the dark about these serious intrusions."
The signees cite research from March 2018 that found that the Android ecosystem of pre-installed apps is a privacy and security mess. According to the research, 91% of all tested pre-installed apps weren't available on the official Google Play Store.
This means that most bloatware apps don't go through Google's app screening process, aren't reviewed for exaggerated permissions, aren't checked for known security bugs or malware, and can't be updated via the Play Store mechanism with new versions to fix bugs and security flaws.
The organizations that signed the open letter believe that Android users are most at risk from "the exploitative business practices of cheap smartphone manufacturers around the world" and that "privacy cannot be a luxury offered only to those people who can afford" to buy an expensive phone.
Coincidentally, the open letter was published a day before Malwarebytes revealed the existence of unremovable malware inside two apps pre-installed on cheap low-end smartphones sold to low-income Americans via a government-subsidized program.
Signees want new rules for OEMs
The signees are now asking Pichai to protect Google's brand by imposing new rules for Android OEMs (official equipment manufacturers, aka Android smartphone makers) in terms of the type of bloatware apps they can pre-install on their respective devices.
The three rules the group proposed are as follows:
- Individuals should be able to permanently uninstall the apps on their phones. This should include any related background services that continue to run even if the apps are disabled.
- Pre-installed apps should adhere to the same scrutiny as Play Store apps, especially in relation to custom permissions.
- Pre-installed apps should have some update mechanism, preferably through Google Play and without a user account. Google should refuse to certify a device on privacy grounds, where manufacturers or vendors have attempted to exploit users in this way.
The letter's signees include organizations ranging from privacy groups to universities and from journalism organizations to consumer protection groups. The full list of 53 organizations that signed the open letter is available below.
Privacy International, the driving force behind this initiative, has also set up a petition page where normal users can add their voice to this campaign and put pressure on Google to intervene.
- American Civil Liberties Union (ACLU)
- Afghanistan Journalists Center (AFJC)
- Americans for Democracy and Human Rights in Bahrain (ADHRB)
- Amnesty International
- Asociación por los Derechos Civiles (ADC)
- Association for Progressive Communications (APC)
- Association for Technology and Internet (ApTI)
- Association of Caribbean Media Workers
- Australian Privacy Foundation
- Center for Digital Democracy
- Centre for Intellectual Property and Information Technology Law (CIPIT)
- Citizen D
- Civil Liberties Union for Europe
- Coding Rights
- Consumer Association the Quality of Life-EKPIZO
- Datos Protegidos
- Digital Rights Foundation (DRF)
- Douwe Korff, Emeritus Professor of International Law, London Metropolitan University and Associate of the Oxford Martin School, University of Oxford
- Electronic Frontier Foundation (EFF)
- Forbrukerrådet // Norwegian Consumer Council
- Foundation for Media Alternatives
- Free Media Movement (FMM)
- Freedom Forum
- Fundación Karisma
- Gulf Centre for Human Rights (GCHR)
- Homo Digitalis
- IJC Moldova
- Initiative for Freedom of Expression- Turkey (IFox)
- Irish Council for Civil Liberties
- Media Foundation for West Africa
- Media Institute of Southern Africa (MISA)
- Media Policy and Democracy Project (University of Johannesburg)
- Media Policy Institute (MPI)
- Media Watch
- Metamorphosis Foundation for Internet and Society
- Open Rights Group (ORG)
- Palestinian Center For Development & Media Freedoms (MADA)
- Paradigm Initiative
- PEN Canada
- Philippine Alliance of Human Rights Advocates (PAHRA)
- Privacy International
- Public Citizen
- Red en Defensa de los Derechos Digitales (R3D)
- Syrian Center for Media and Freedom of Expression (SCM)
- The Danish Consumer Council
- The Institute for Policy Research and Advocacy (ELSAM)
- The Tor Project
- Unwanted Witness
- Vigilance for Democracy and the Civic State