The 59 Chinese apps banned by the Narendra Modi government, in the backdrop of tensions on the Line of Actual Control, posed significant privacy and security concerns to the unwitting Indians using them. Their presence also raised some grave national security concerns, given the link the developers of most of these apps have with the Chinese government. However, threats to privacy and security continue to linger on from some unsuspecting quarters. One such area is the presence of bloatware on mobile phones.
Also read: Can Chinese apps appeal India’s ban? Section 69A of IT Act has the answer
The bloatware problem
Bloatware may be defined as a system of pre-installed apps on select mobile devices that cannot be removed or even disabled without compromising on the functionality of the phone or exposing it to serious security concerns. These apps are installed primarily by handset manufacturers and often add significantly to their revenue. Several mobile manufacturers are able to keep the price of their device low because they compensate for reduced profits on the sale of devices by making additional profits through these third party apps. The problem is particularly acute with some of the Chinese mobile manufacturers. Xiaomi, for example, by some estimates, earned 9.1% of its revenue in 2018 through these pre-loaded apps and services. Samsung and other manufacturers have also adopted such business models, especially at the lower end of the price spectrum. However, this low price for customers often comes at a significant cost. Apart from consuming unnecessary space on the phone and being a drain on the device’s battery, these apps pose serious security threats because they collect user data in surreptitious ways that can easily be misused.
Surprisingly, the issue has received very little attention in both academic and policy circles. However, a paper titled An analysis of Pre-installed Android Software by researchers at the IMDEA Networks Institute, brings forth significant issues with these pre-installed apps.
Also read: Everyone’s talking about TikTok but ‘100 million’ Indian smartphone users are missing this app
What data is being collected?
These apps are designed to have what can be called custom permission that allows them bulk access to various features that are not available to other apps. Highlighting the gravity of the risk, the paper notes: “These actors have privileged access to system resources through their presence in preinstalled apps but also as third-party libraries embedded in them. Potential partnerships and deals – made behind closed doors between stakeholders – may have made user data a commodity before users purchase their devices or decide to install software of their own”
The paper also found that these apps collect extremely sensitive information that can range from data related to geo-location, information regarding other apps that a consumer is using on the phone to even personally identifiable information. All this data collected is shared with the advertisers and other analytics firms. These pre-installed apps have also been found to have embedded third-party libraries like Rootnik that can expose the users to banks and other kinds of monetary fraud. Such practices raise concerns about the privacy of individual users.
Also read: TikTok distanced itself from China in letter to Modi govt before India banned it: Report
Challenges regulating pre-installed apps
There are challenges in regulating these apps, especially in the absence of a robust data protection law. The device manufacturers work with a large network of vendors, and at times, it becomes difficult to trace the legitimate developer of such an app. This makes it difficult to fix accountability, which is further complicated by long supply chains in the app development business. However, South Korea has sought to regulate use of such apps by imposing obligations on the handset manufacturers. These regulations require the phone makers to allow such pre-installed apps to be deleted, if a user wishes to, without compromising any of the functionalities of the device. Only four categories of apps: Wi-fi connectivity, near-field communication, customer service app and the Play Store have been allowed as an exception from this rule.
China has also adopted a similar approach. While the US and Europe don’t have specific regulations for these apps, they do have fairly robust laws on data protection, which does provide some level of security against these practices.
Also read: Chinese investments enjoy treaty protection. Beijing can drag New Delhi to tribunals
What India can do
Given that India does not yet have a dedicated law on data protection and the heightened privacy concerns associated with these apps, regulators in India must take proactive steps. Possible regulatory approaches can range from outright banning of such pre-installation to regulating it on the lines of South Korea. However, merely giving the option to delete these apps to the consumers may not be very effective in India as a large number of users here are not aware of the hidden risks associated with the use of such apps.
Therefore, the most effective way could be to make it obligatory on the device manufacturers to also provide the users with sufficient information on such apps, including full disclosure on the type of data being collected, the purpose for which data will be used and the entities with which such data will be shared, if any. Also, all this information should be communicated in a language that the user can understand easily. This approach will allow consumers to make an informed choice about the apps they want to use on their phones and risks associated with the same.
It is surprising to see that the issue has not received the attention that it deserves given the stakes involved. However, it is better late than never. Regulators must take note of this potential security lapse, especially in the light of current developments.
Ravi Shankar Jha @ravijhatweets is a Senior Investment Specialist at Invest India, Ministry of Commerce. Views are personal.
ThePrint is now on Telegram. For the best reports & opinion on politics, governance and more, subscribe to ThePrint on Telegram.
Subscribe to our YouTube channel.
Get your CompTIA A+, Network+ White Hat-Hacker, Certified Web Intelligence Analyst and more starting at $35 a month. Click here for more details.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .