Buying a smart phone on the cheap? Privacy might be the price you have to pay
Research by Privacy International shows that cheap smartphones come with a hidden cost: pre-installed apps that can't be deleted and that leak your data.
Last year, a Privacy International member of staff travelled alone to the Philippines to meet with the Foundation for Media Alternatives (FMA), one of our partner organisations. As she arrived in Manila, she realised her phone was broken - a fairly big problem for someone who's on their own, 6,666 miles from home. Her first stop, straight off the plane, was the closest shop to buy a cheap phone to tell her friends and loved ones she'd landed safely. That's how she ended up with a brand new MYA 2, a smart phone by MyPhone, a Filipino brand that cost no more than 19 USD at the time.
Over the past few years, smart phones have become incredibly inexpensive. Cheap smart phones are one of the reasons more than half the world's population is now online, very slowly closing the global digital divide. While growing connectivity is undeniably positive, some device vendors have recently come under scrutiny for siphoning user data and for invasive data collection practices.
That's why we decided to take a closer look at the MYA 2 once our colleague returned to the UK. We were particularly interested in the phone's pre-installed apps (often called 'bloatware'), what permissions these apps make use of, and how they behave. Earlier this year, the first large-scale study of pre-installed software on Android devices - from more than 200 vendors - found harmful behaviours and backdoored access to sensitive data and services without user consent or awareness.
The first thing we noticed was that the phone was running Android 6.0, an outdated version of the Android operating system that was released in 2015. This is curious, given that MyPhone is a "certified Android Partner", meaning the device has been tested for security and performance, comes with Google apps pre-installed, and is Play Protect certified. Since the phone is running outdated software, users are exposed to known security vulnerabilities that have been patched in more up-to-date versions of Android.
When bloatware gets political
Beside the "usual apps" (calculator, clock, Google services…), our MYA 2 came with the following apps pre-installed:
- MyPhoneRegistration - an app for registering the device with the Manufacturer
- Pinoy - a Portal app, providing various services, such as news, podcasts and well-being themed content
- Facebook Lite - a slimmed version of the Facebook App
- Brown Portal - a portal with a browser-like interface for MyPhone users
Additionally, the phone came with a number of pre-loaded apps that existed in the phone's filesystem but were not installed:
- Baidu_Location - Location Service for Baidu Maps
- Xender - A tool for file synchronisation and transmission
As these pre-loaded apps were not active on the device, we didn't test them. These apps are likely destined for MyPhone's alternative market, China, rather than the domestic market of the Philippines.
MyPhoneRegistration is an app that allows you to register your MyPhone device with MyPhone, in order to make it easier for you to do things like access warranties or get software updates, and for them to send you advertisements and promotional material. The app gets permissions to make and manage phone calls, to send and view SMS messages, and to access storage.
Pre-installed applications can be installed as "privileged apps", giving them far wider access to the phone than user-granted permissions would allow. Also, because they're privileged, they often cannot be removed by the user. Since the app is not available on the Google Play Store, it cannot receive updates.
MyPhone have confirmed this with the following response to this article: "For the models we have launched before, we have lost access and support to update the apps we have pre-installed, but we remain committed to provide a secure platform to our new and upcoming devices by complying to the latest Google requirements to keep the devices secure."
Based on a network analysis we conducted using our app testing environment, we discovered that the app tries to contact its remote server without any transport encryption (SSL/TLS). This means that personal information like your IMEI number (a unique number that identifies the device), name, date of birth and gender is shared unencrypted with Zed (the company hosting MyPhoneRegistration's server). It appears that this server is no longer at the path hardcoded into the app. As a result, the phone endlessly tries to transmit the details to the missing server, as the connection always fails. It does so insecurely, giving away the user's name, gender, date of birth and IMEI to any eavesdropper on any network that the user connects to, for example Wi-Fi.
We also identified vulnerabilities that could allow a malicious individual with physical access to the phone to run their own code in the MyPhoneRegistration app context, that is, with the same privileges as the MyPhoneRegistration app. When combined with other known vulnerabilities within Android 6.x, this could compromise the device remotely. As this app cannot be updated or deleted by the user, this vulnerability threatens the user permanently.
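As an added illustration (our own example, not code from Privacy International's testing environment or from the app), the following Python script shows how a practitioner could audit a set of captured outbound HTTP requests for the kind of cleartext leak described above: it flags requests sent over plain http that carry a Luhn-valid IMEI or personal fields such as name, gender and date of birth, and counts repeated attempts to the same host, which is what a retry loop against a dead server produces. The capture, the field names and the host name are constructed placeholders, not values observed on the MYA 2.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample capture (not real MYA 2 traffic): a registration POST over
# plain HTTP, the same POST repeated as a retry, and one unrelated HTTPS request.
# The host name is a placeholder, not the server named in the article.
SAMPLE_CAPTURE = [
    "POST http://reg.example.invalid/api/register HTTP/1.1\r\n"
    "Host: reg.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "imei=490154203237518&name=Juan+Dela+Cruz&gender=M&dob=1990-05-12",
    "GET https://www.example.invalid/ HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
    "POST http://reg.example.invalid/api/register HTTP/1.1\r\n"
    "Host: reg.example.invalid\r\n\r\n"
    "imei=490154203237518&name=Juan+Dela+Cruz&gender=M&dob=1990-05-12",
]

# Form field names treated as personal data (assumed names for this example).
PII_KEYS = {"name", "gender", "dob", "birthdate", "email", "phone"}

def luhn_ok(digits: str) -> bool:
    """IMEIs end in a Luhn check digit; checking it cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def find_imeis(text: str) -> list:
    """Return every standalone 15-digit run that passes the Luhn check."""
    return [m for m in re.findall(r"(?<!\d)\d{15}(?!\d)", text) if luhn_ok(m)]

def audit_request(raw: str) -> dict:
    """Flag one captured request if it carries an IMEI or PII in cleartext."""
    head, _, body = raw.partition("\r\n\r\n")
    url = head.split("\r\n")[0].split(" ")[1]      # request line: METHOD URL VERSION
    parts = urlsplit(url)
    keys = {k.lower() for k in list(parse_qs(body)) + list(parse_qs(parts.query))}
    return {"host": parts.hostname, "cleartext": parts.scheme == "http",
            "pii_fields": sorted(keys & PII_KEYS), "imeis": find_imeis(body + parts.query)}

def audit_capture(requests: list) -> dict:
    """Summarise cleartext leaks and count repeat attempts per host."""
    leaks = [r for r in map(audit_request, requests)
             if r["cleartext"] and (r["pii_fields"] or r["imeis"])]
    return {"leaks": leaks, "repeats": Counter(r["host"] for r in leaks)}
```

On a real capture the same check can be fed from a proxy or packet-capture export, and a host that shows up repeatedly in `repeats` with only failed connections is the signature of the retry loop described above.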
Brown Portal, which is also not available on the Google Play Store, has permission to access the phone's storage, which means it has access to your photos and files. The pre-installed app, which can't be deleted, also gets access to your network information and has location permission, which means your location can be tracked at all times.
Brown Portal is part of the Brown and Proud movement, a campaign launched by MyPhone's parent company, Solid Group Inc. The campaign was designed to create smart phones and internet of things devices for the Philippines that celebrate Filipino identity and empower consumers to become leaders. It's unclear what happened to the campaign, but Brown Portal is still included in recent MyPhone devices, at least as of September 2018.
The Pinoy app is another app by MyPhone that comes pre-installed with every MyPhone device. Similar to Brown Portal, Pinoy – a nickname referring to Filipino people – alludes to a sense of national identity. The app offers a number of paid services, such as music or access to news and entertainment (jokes, horoscopes, "guidance", "experience", "advice"…) - much of which is religious or political.
The guidance section, for instance, suggests that users subscribe to a platform called Reform Ph "focusing on reforming the Philippines through improvement of the political systems". Users can also sign up to a service that sends them a "quote to brighten up their day" or to a daily SMS service that "focuses on the beauty of life and the goodness/faithfulness of our God" for just 2.50 Filipino pesos (Php) a day. Other paid services include Bible comics and Christian music, for Php 5 three times a week.
The Pinoy app also contains free services, such as "My Faith", a section that contains downloadable audio recordings of Christian prayers, and "My Country", a section that celebrates Filipino culture with a wide range of content, including a Filipino history book, recordings of famous movie lines, Filipino quotes, riddles, games and "pick-up lines".
Pinoy gets permission to access the phone's contacts, location, SMS, storage and make phone calls. The app cannot be deleted, and also communicates with Zed servers over an insecure channel. It isn't on the Google Play Store and therefore cannot receive updates.
Facebook Lite, an Android app designed for low-speed connections and low-cost phones, also comes pre-installed with the phone. To function in those conditions, the app uses less RAM and CPU power than the regular Facebook app; it is most popular in India and the United States. Lite exists so that Facebook users who are using old phones not supported by the regular app can still access Facebook.
The app gets permission to access your calendar, camera, contacts, location, microphone, phone, SMS and storage. Facebook Lite is available on the Google Play Store and can be updated; however, when it is uninstalled through the Play Store, it simply reverts to the pre-installed version, which still cannot be uninstalled. In other words, the app cannot be removed.
Facebook Lite was in the news earlier this year, when Facebook left between 200 and 600 million account passwords exposed to its 20,000 employees. The leak, which was revealed in 2019, had been happening since 2012, and affected users who had logged in at least once using Facebook Lite.
Data exploitation by design and by default
Our case study of a single low-cost smartphone shows how data exploitation and poor security is often built into the devices that people rely on as their only means of communication.
We discovered multiple security issues with pre-installed apps that can't be updated or deleted. Since the phone is shipped with an outdated version of Android, it comes with known vulnerabilities that will not be patched and that can be exploited cheaply by anyone, from scammers to government agencies.
More fundamentally though, our findings raise the question of whether cheap phones are at least partially subsidised by exploitative data practices. Aside from Facebook Lite, the apps we highlighted above are all tied to the manufacturer, MyPhone. Some of them offer paid services, which means extra revenue for MyPhone; others, like Brown Portal, are there to promote MyPhone as a brand and encourage the purchase of other devices. Since these apps make use of vast permissions, they also get access to a lot of user data. The fact that some apps contain religious and patriotic content raises questions as to the potential for political parties to exploit cheap phones in countries with limited democratic accountability.
Privacy: a human right, not a luxury
Privacy is a fundamental right guaranteed under the Universal Declaration of Human Rights, at least in theory. In reality, there are stark contrasts between regions that uphold high standards of data protection and places where users are at the mercy of what we call the data wild west. In some places, like the Philippines, there might be a legal framework in place to regulate the processing of personal data, but accountability and enforcement mechanisms remain a challenge.
For those who live in the data wild west and can only afford cheap phones as their sole way to access the internet, we're now also seeing that privacy is becoming a luxury that few can afford. While buying a recent Apple phone will guarantee you a secure Operating System (OS) and good encryption, buying a brand new MyPhone, as we did, will leave you with an OS with vulnerabilities left unpatched for years, and apps like MyPhoneRegistration that share your personal data in plain text. Even downloading apps that offer secure communications proved extremely difficult.
What Google and manufacturers should do
It is time for this double punishment to end. Being economically vulnerable should not mean losing your fundamental rights, and companies have a responsibility to protect their consumers. In particular, it is time for Android to confront its duties and obligations: MyPhone is not a random company that happens to be using the open source Android OS, it's an official Android certified partner.
Android claims that certified partners are "Play Protect certified Android devices [that] are tested for security and performance and pre-loaded with Google apps". The device we looked at is not only insecure, but it's also pre-loaded with apps that cannot be found on the Google Play Store. This, and the fact that the phone comes with an outdated version of Android, raises questions about the criteria Google applies to certify partners.
Ultimately, pre-installed apps undermine the Android brand, especially when certified partners pre-load their phones with insecure apps that scoop up large amounts of user data. It's up to Google to make sure that manufacturers using their trademarks don't sully their brand, and don't take advantage of customers who can only afford cheap phones.
Phone companies themselves, however, should not escape responsibility. While technology needs to be accessible to all, our human rights should not be the price we have to pay for it.
Jam Jacobs of the Foundation for Media Alternatives said the following about Privacy International's research:
That affordable technology is facilitated by compromised individual rights is far too common a phenomenon these days. And while, as a problem, the risks it poses are not restricted to global south jurisdictions like the Philippines, these regions’ populations remain the most vulnerable both in terms of protections and available legal remedies. This report by Privacy International highlights these points and more.
As a civil society organisation advocating for human rights in the digital realm, FMA echoes the call for private companies to take their responsibility of upholding customer rights more seriously. We would add that the government should also proactively take up the cudgels on behalf of its citizens, most of whom find themselves beholden to the whims of big businesses. Regulators cannot expect the private sector to get things right all on their own. That would be a sure recipe for failure, and an abandonment of their clear mandate as public servants.
In the creation of this report we contacted both MyPhone and Zed, highlighting our concerns. Zed didn't reply before publication. MyPhone sent the following statement via email on 17 September 2019:
"With our goal to deliver a unique experience to our end-users, we have pre-installed our in-house apps like Brown Portal, Pinoy and Registration, which bring contents based on their interest, promoting Pinoy culture, send them our latest product updates and services. In this way, we can continue to improve our future products and services we offer.
We hope that you will reconsider the messaging that you want to convey on your article. We at MyPhone value the privacy of our consumers as well as you are and we are dedicated to improve our privacy controls towards acceptable standards."