SECURE SYSTEMS Editors: Patrick McDaniel, [email protected]; Sean W. Smith, [email protected]

Bloatware Comes to the Smartphone

Patrick McDaniel | Pennsylvania State University

Chances are, if you purchased a new cell phone in the last year, you also received a large number of applications you didn't ask for, don't want, and can't get rid of. This practice—known as bloatware—is now pervasive in the smartphone industry. Many cellular carriers load each new phone with dozens of applications that often can't be removed. Whereas some industry leaders suggest that the inclusion of such applications is a way to demonstrate phone and network features, others provide a more frank (and, in my opinion, credible) explanation: it's about cost. Simply put, the subsidies the bloatware application developers provide offset the high cost of the handset and provide better profits for the cellular carriers.

My research group recently purchased a new Android-based Droid RAZR phone from a major carrier. (Herein, I focus on one carrier, but bloatware is pervasive throughout the industry.) It's a great phone with nice features and a terrific interface. Unfortunately, when we first booted up the phone, we saw pages and pages of applications that we had no need for. There were more than 60 applications for services, games, and tools that we didn't want. We tried deleting them but couldn't. After consulting technical support and newsgroups, we concluded that the applications were there forever unless we took it upon ourselves to jailbreak the phone.

Here, I explore the security and privacy implications of the now-common industry practice of installing bloatware on phones sold by cellular carriers. Is it merely annoying, or do smartphone users face more serious concerns? Do the economic advantages outweigh the security and privacy concerns?

A History of Subsidized Applications

Before delving into these discussions, it's instructive to reflect on the history of bloatware in the PC market. Bloatware isn't a recent phenomenon. Commodity desktop and laptop computers are often sold with dozens of "subsidized" productivity, game, and utility applications preinstalled. (Historically, this has been most prevalent in Windows-based systems.) The economic model driving bloatware in the PC market is a consequence of market pressures and changing consumer demands. As more companies enter the PC market, margins become tighter, and pennies per unit make a difference in bottom-line profitability. Manufacturers and resellers found that customers would accept bloatware if they could purchase a PC at a lower cost. Lower unit costs are subsidized by application developers. Developers pay the manufacturers to preinstall software and recoup costs when users adopt the software and purchase licenses. As consumers found the cost advantage acceptable, the market embraced bloatware as common practice.

1540-7993/12/$31.00 © 2012 IEEE. Copublished by the IEEE Computer and Reliability Societies. IEEE Security & Privacy, July/August 2012.

The amount of bloatware placed on new systems became unwieldy as the practice grew. Resources were drained; computers ran slower and became buggier. Customers began to get angry. Vendors who were more aggressive in providing bloatware were criticized by the technical community and press, and their brands were damaged. The public reaction led to a reduction of bloatware by some manufacturers and in some markets, but the practice is still widely used today.

At the heart of the debate over bloatware is the complexity of removing it. Often, removing it is difficult and hazardous—a PC can become unstable after removing a seemingly innocuous application. Consequently, a secondary market for bloatware uninstaller utilities emerged and continues to thrive.

Moving toward the Smartphone

The smartphone market has recently rediscovered the economic advantages of bloatware. Increased competition, constant consumer demand for the "latest and greatest" phone hardware, moves to new network technologies such as LTE (3GPP Long Term Evolution), and other factors have greatly affected the costs of handsets and the networks that serve them. Many industry leaders argue that new revenue sources are necessary. Where once the wholesale cost of cheap cell phones was less than US$100, new smartphones now commonly cost more than $500. At the same time, the explosion of smartphone-supported information services has created more opportunities for extracting profits from value-added services. For this reason, partnerships between cellular carriers and software developers are naturally symbiotic and profitable. Thus, many cellular carriers in the smartphone market have begun to include bloatware, sometimes in large quantities, on the phones they sell.

Notably, Apple has largely prevented bloatware from being placed on iPhones resold by carriers. Apple carefully protects the user experience on resold devices, both in the US [1] and internationally [2]. Given Apple's history and the strength of the position it has taken regarding its platforms, it seems unlikely that this will change.

There are indirect consumer costs for smartphone bloatware. First, counter to what many claim, these preinstalled applications do affect the system, even if the consumer never uses them. Applications in systems such as Android comprise background and foreground programs. User interfaces are provided through foreground processes. Background processes are used by applications that poll data or constantly update state even when not in use, for example, by polling for new instant messages. Many applications will start background processes when the phone boots up, regardless of whether they're used. My group's new phone starts about a dozen background processes when booted. As far as I know, we've never opened the interfaces associated with many of these background processes or used the services they support, yet they continue to consume computing resources. From an interface perspective, users have to sift through pages of applications on the phone to find the ones they need. The interface is an ugly, unwieldy mass of useless applications.

Another cost is the potential loss of privacy. Researchers have found that many applications leak private data, such as GPS location, hardware IDs, and phone numbers [3, 4]. Could these installed but largely unknown applications carry such privacy-violating functions? Given the pervasiveness of the practice in current markets, it seems reasonable to assume that some do. Moreover, users don't know how and when their privacy and security are being violated. The interfaces used to communicate applications' rights and behaviors are coarse, and the developers' intent is opaque. For example, the Android platform defines a single permission, INTERNET, to enable communication over network interfaces. Once granted, the application isn't restricted in the way in which it can use the network. Users have no idea what the application intends to do with the network, and more often than not, the end-user license agreement (EULA) is no help. Moreover, applications often fail to disclose in their EULAs behaviors that users might not like. Because users can't opt out of these applications, user privacy is at risk by default.

Although it's debatable whether it's bloatware, the recently exposed CarrierIQ software might have the potential to violate user privacy [5]. Purportedly placed on phones by several carriers to enhance the user experience, critics have suggested that it can be used to spy on users by listening to and recording phone conversations, collecting text messages, tracking user location, recording interface keystrokes, and much more. There's a good deal of controversy about how carriers use the software and what it does, but if critics' reports are true, it has the ability to invade users' privacy without their knowledge or consent. Oddly, until recently, some carriers deployed Apple's iPhone with CarrierIQ. Apple has removed it in response to the public outcry following its discovery.

But what about security? Do cellular carriers analyze applications to ensure they don't contain malware or expose exploitable bugs? It's unclear what precautions providers take, but it's an important question. Independent of these factors, the introduction of many applications can only increase the phone's threat surface. Many of the most serious PC security vulnerabilities were the result of noncritical and underutilized software interfaces. Thus, the inclusion of dozens of applications from myriad developers with whom the user has no relationship seems, at best, like bad practice.

Who Owns My Phone?

The real debate on this topic seems to be about control. Can and should carriers be able to lock users into applications that potentially violate user privacy and security? More generally, is the phone the user's property or the provider's? Should users be able to remove sponsored applications that they don't trust, or do they relinquish that right by saving money on the initial purchase?

Undeletable applications, particularly those coming from third-party providers, are inherently hazardous. Forcing users to possess and run unwanted applications means forcing them to accept a security stance that might not be acceptable to them. This is particularly troubling for organizations. Smartphones are now commonly used for professional communication, and the exposure to risk might not be acceptable. An informal review of popular vendors' EULAs was inconclusive; it wasn't entirely clear whether removal of bloatware violated the service contract.

On the other hand, users can often (but not always) purchase phones that aren't bound to a specific provider at a premium and avoid the bloatware that comes with them. The cost is higher, but users have more control. Is the lesson that if you want security and privacy, you have to pay for it by bypassing carrier subsidies of the phone? Maybe.

Interestingly, the Android community has started to react to bloatware. Android recently introduced software that lets users "disable" applications. Users can permanently prevent an application from running but can't remove it. There are early indications that some vendors are allowing the disabling of some bloatware (our phone had a "hide" feature, although we couldn't authoritatively determine what this feature did). But whether the industry will broadly adopt this is unclear.

The High Price of Cheap Phones?

The fundamental truth is that bloatware opens the door to a loss of security and privacy "at purchase." Although cellular carriers and cell-phone manufacturers might use due diligence in evaluating applications, ultimately, they are (or should be) responsible for any damages they cause. Just as the market increasingly holds software vendors responsible for the systems they produce, so too should the market punish bad applications foisted on customers.

The central technical question of bloatware is whether the provider—or anyone—can verify that an application is trustworthy. Sadly, such a query is definitionally flawed. There's no one set of behaviors or permissions that everyone will agree is appropriate for an application. The most we can hope for is a clear and accurate description of what preinstalled applications will and can do to users and their data. Yet we as a technical community don't have the tools or knowledge to answer this question for arbitrary applications, and the application developers haven't been forthcoming about application behaviors in EULAs.

Like many things in privacy and security, the human-scale issue underlying bloatware hinges on informed consent. Users should be able to buy cheap phones, but only with the knowledge of the indirect costs associated with the preinstalled applications. Will users be willing to pay an additional fee not to be exposed to the risks and resource costs of these additional applications? It isn't clear. The market will sort this out, but only when and if users are given the opportunity to make an informed decision based on the yet-to-be-understood risks of bloatware.

References

1. R. Ritchie, "True Cost of Apple Control: No Carrier Bloatware on iPhone," iMore, July 2010; www.imore.com/2010/07/22/true-cost-apple-control-bloatware-.
2. J. Aimonetti, "Apple Holds Strong over Bloatware in Japan," CNET, Nov. 2011; http://reviews.cnet.com/8301-19512_7-57325506-233/apple-holds-strong-over-bloatware-in-japan.
3. W. Enck et al., "A Study of Android Application Security," Proc. 20th Usenix Security Symp., Usenix Assoc., 2011; www.enck.org/pubs/enck-sec11.pdf.
4. W. Enck et al., "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones," Proc. 9th Usenix Symp. Operating Systems Design and Implementation (OSDI 10), Usenix Assoc., 2010; http://appanalysis.org/tdroid10.pdf.
5. Z. Lutz, "Carrier IQ: What It Is, What It Isn't, and What You Need to Know," Engadget, 1 Dec. 2011; www.engadget.com/2011/12/01/carrier-iq-what-it-is-what-it-isnt-and-what-you-need-to.

Patrick McDaniel is a professor at Pennsylvania State University's Computer Science and Engineering Department. Contact him at [email protected].