The name “bloatware” might suggest the answer, but it’s worth taking a few moments to examine the risks — and the mitigations.
Bloatware is defined as the applications pre-loaded onto a smartphone beyond what comes with the base operating system. In some cases, these are added by the smartphone vendor, while in others, they come from the phone carrier.
It’s called bloatware because the additional software tends to “bloat” the device: slows it down, takes up storage and generally affects user productivity. The practice began with Windows, where hardware vendors loaded up their devices on the way out the door to compensate for a lack of functionality in the base OS. Users ended up with a dozen or more tools they didn’t understand or want, all from different vendors, with no real integration. Without patching or updates, these tools turned into security and PR problems, often condemned as spyware.
Android Additions: From the Vendor…
Android additions are less easily characterized and less polarizing. In many cases, hardware vendors have added vital tools for their specific hardware platform. While some might call them bloatware, these apps can be critical for taking advantage of hardware features that aren’t easily integrated into existing Android tools, such as personal health data from smartphones or wearable sensors.
Other types of vendor applications can help users find the vendor’s application store or provide small utilities missing from Android — voice recorders, for example, are common.
The difference with these tools from the Windows systems is that the vendors take full responsibility for them — including security. For example, when Samsung ships Samsung Connect on new Galaxy smartphones, they’re backing it with their name and reputation.
Although some end users bristle at these tools being added to their new smartphone or tablet, others feel that they’re getting a better experience by having important missing pieces included on their devices. Although app stores have a pretty good record at keeping malware and spyware out, having the device manufacturer pick out and approve a tool that complements the basic Android OS can save users hours of searching, installing, testing and uninstalling applications.
…and the Carrier
When a phone comes from a carrier, there’s typically an additional handful of tools pre-loaded. One is usually for account maintenance, but others might be pure marketing add-ons, such as music, sports or video streaming, designed to take advantage of plan zero-rating.
Some carriers have earned a poor reputation for including paid tools such as GPS navigation services that do little, if anything, more than what is freely available elsewhere. Similarly, ringtone stores, phone accessory stores, carrier cloud tools, and caller ID services are designed to drive more revenue to the carrier, rather than help the end user.
More infuriating, and dangerous, are applications that change the Android experience, such as by adding toolbars to browsers or always-active widgets to the home screen.
Carriers outsource development of these tools or strike marketing agreements where security is generally the last priority for both parties. The result can be problematic: not because the software is drawing resources away from the device, but because it often comes as thinly disguised spyware, reporting back on user location, browsing history, or uploading contacts. These intrusive applications treat the end user as someone to be marketed to, or sold to other marketing companies — which in turn generates more demands to install applications or browser extensions. The low priority for security has a cost, and the user pays most of it.
So, Is It a Security Problem or Not?
From a pure security point of view, IT managers should consider any additional tool loaded on enterprise devices a potential problem. “Potential” is the operative word here — but the track record for carrier-added tools is particularly dismal. Mitigation is in order.
First, IT managers can simply buy unlocked phones, untouched by carriers. The initial cost may seem higher, but the flexibility, quicker access to security patches, greater distribution control of software updates and lack of lock-in to carrier contracts even these costs out quickly. IT managers can use manufacturer tools like Samsung Knox Configure to pre-configure phones and immediately unload or replace applications at the first installation.
When carrier phones are inevitable because of contracts or existing relationships, IT managers should use both whitelisting and blocklisting capabilities in their mobile device management (MDM) or enterprise mobility management (EMM) tools to wipe out bloatware over the long term. Even small businesses without MDM/EMM can take advantage of this type of capability by leveraging device manufacturer cloud-based MDM/EMM tools, such as Knox Manage. These aren’t intended to replace high-end MDM/EMM toolkits, but they are able to clean out and keep off excessive bloatware.
Finally, IT managers should publish simple guidelines for uninstalling or disabling any unwanted tools for their own end users. Although this information can be found with a simple web search, IT managers should update and personalize the instructions with specifics matched to the Android version installed on the organization’s own devices and the bloatware their own users are likely to encounter.
It’s certainly not fair to say that all carrier and vendor-installed software is a major security risk. But users and IT managers often want to pare down or replace those tools — with security improvement a principle benefit.
Take our mobile security assessment to find out if your company is covered against attacks — and how you can stay ahead of the curve.