Guest Commentary: In the past few weeks, T-Mobile has been trying to shake up the mobile phone industry by offering no-contract plans in conjunction with the iPhone 5. Notably, their USA CEO John Legere put the issue of subsidized phones front-and-center, saying, “This is the biggest crock of shit I’ve ever heard in my life! Do you have any idea how much you’re paying?” He’s talking about how subsidized phones are bad for customers around pricing, but there are other negative factors, as well.

The root of the problem is this: With subsidized Android phones, your carrier takes away your control of your phone in exchange for that subsidy, which has direct, negative consequences for your security, privacy, and battery life. Because of my experience with this I won’t be buying another subsidized Android phone, and I think you should consider avoiding them, as well.

As a Verizon customer, I have direct experience with this. I purchased a subsidized Motorola Droid X2 in June 2011 (after my HTC Incredible broke). In my case, two things prompted me to avoid subsidized Android as a platform in the future:

1. Lack of operating system updates: When I purchased this phone, it was running Android 2.3.4. Within a month, Android 2.3.5 came out and was applied to my phone. That’s the last operating system update I’ve received. When 2.3.6 came out in September 2011, it wasn’t offered to my phone. No subsequent updates have ever been offered. Any security person will tell you that running an operating system with no updates for over a year and a half is fundamentally a security risk. This version has at least six publicly known security vulnerabilities that are unpatched. This is not acceptable for any operating system, but most especially for one that has seen over half a million pieces of malware and other threats emerge (nearly all of that over the time I’ve had this phone).

I’m not the only one that feels this way: the ACLU has just filed a complaint with the FTC calling the lack of updates “unfair and deceptive business practices” and urging customers on vulnerable versions be allowed out of their contracts. And it’s no wonder they’ve filed this: Google’s own statistics show that this unpatched-in-over-a-year-and-a-half OS is the most widely used version of Android out there.

2. Bloatware has become unwanted software. For decades we’ve dealt with “bloatware,” a term for software that’s pre-loaded on your system. Think back to Windows 95 with a “Try AOL” application on the desktop, courtesy of the OEM you bought it from. To a degree, we’ve accepted that OEMs will install bloatware in exchange for lowering the price of the system. But with Android we’re seeing the carriers go further by making it impossible to uninstall pre-installed apps and, in some cases, turning bloatware into unwanted software by having it run without your consent or control.

In my case, my phone came with several apps that could not be uninstalled. One of these apps, Slacker Radio, not only cannot be uninstalled but runs on every reboot and cannot be prevented from running. This is a huge security and privacy issue as it increases the attack surface of my phone and has permissions to access stored information without my consent. And because Slacker Radio runs all the time, it drains battery and CPU resources. All of these uninstallable apps take resources as they have to be regularly updated to ensure a minimal level of security.

What I have learned from this experience is that when evaluating mobile devices, consider the question of ongoing operating system support and the inclusion of bloatware/unwanted software.

My experience reinforces something that I’ve known before (and likely should have thought of when getting this phone): Within the security and privacy space, wireless carriers and handset makers have terrible reputations. This experience reinforces my belief that you don’t want to be a customer only of a carrier like Verizon and a handset maker like Motorola. You want to be a customer of another, established software company with a good reputation for security.

In practical terms this means being a customer in some way of Apple, Google, BlackBerry or Microsoft. Apple’s iPhone and Google’s Nexus (running pure Android) provide strong support for OS security updates and an aggressive stance prohibiting preinstalled 3rd party apps. BlackBerry and Microsoft also provide strong support for OS security updates. Their devices do come with some 3rd party apps preinstalled but both BlackBerry and Microsoft enforce baseline standards around security and privacy. In other words, you can look at them as your advocate to check the carriers and handset makers. And unlike on subsidized Android phones, you can uninstall preinstalled 3rd party apps.

Another problem with Android centers on provenance. We think of “Android” as an OS from Google, but it really is an OS provided by Google around which carriers and handset makers make their own OS. This leads to the forking that Android advocates fret over. It also means that you’re really a customer of your carrier and handset maker and not at all of Google. This, by the way, is why Android is so popular with carriers and handset makers: it gives them total ownership of the customer and freedom from interference from Apple, BlackBerry, Google and Microsoft. It’s a zero-sum game, though: what’s good for the carriers and handset makers is bad for you and me. That’s why we want an advocate in our corner.

For now, I am patiently waiting until my contract with Verizon expires in a few more months and then I will consider whose customer I want to be next: Apple, BlackBerry, Google, or Microsoft. The odds are I will pay more in terms of money but I will pay less in terms of risks to my security, privacy, and battery life. And I’m definitely watching what happens with T-Mobile. What they’re doing by getting out of the handset subsidy game could be a true industry game-changer that benefits everyone. In the future, we may more clearly and cleanly be customers of the carriers for the network, customers of the handset makers for the hardware, and customers of the software companies for the OS and apps.

Editor’s Note: Budd joined two other experts on our GeekWire radio show this past Friday to discuss the latest in digital security, hacking and protecting yourself online. 

Christopher Budd works for Trend Micro, focusing on communications in the areas of online security and privacy, incident response, and crisis communications. Prior to that, he was an independent consultant and before that a ten-year veteran of the Microsoft Security Response Center (MSRC). He combines his prior career as an engineer with his communications expertise to help bridge the gap between the technical and communications realms. Follow him on his personal blog or on Twitter @christopherbudd.

Comments

  • sb

    And that’s why I’m happy with my Nexus 4 I bought directly from Google.

    • http://www.facebook.com/wcate Will Cate

      I did the same thing. Own your phone, get a prepaid plan.

      • http://twitter.com/snookasnoo Idon’t Know

        On a lousy network.

  • LD

    This is the essential problem with subsidized phones, and one of the reasons that subsidy-less phones are available everywhere in the EU – doing so keeps it obvious where the buck stops when it comes to mobile management.
    Apple broke the mold and made it possible for subscribers to have a closer relationship to their OEM (well, at least, less obfuscated by the carrier). D*mn good thing, too.

    • http://www.facebook.com/sdellysse Shawn Dellysse

      This is the internet. We can say “damn” here.

  • http://www.facebook.com/jasondouglasfarris Jason Farris

    I love my Nokia 920. It would take a significant bribe to get me back on an Android device.

  • B.E. Ward

    Would a Nexus purchased from a carrier not have the same problems?

    • http://www.christopherbudd.com Christopher Budd

      Thanks for reading and the question. The short answer is: I’m not sure. I spoke with Google and they told me that the Nexus they sell is bloatware free. But I am getting reports from folks that there are Nexus devices that do have stuff loaded by the carriers.

      I think the safest answer is if you want Android: get it from Google directly.

  • Guest

    Not sure what all these endorsements are supposed to mean. “I have a Nexia 420 from THC with iOS 7.8 and love it blablabla” … Who cares? Why don’t you guys compare what you love about your respective spouses, after all I’d assume those are more important to you than your mobiles, right? Oh, personal preference? Exactly!

    Whatever you ended up buying, I’m sure you made the right choice, or wrong choice. Good for you.

  • GeneralmotorsGravytrain

    Why should Google keep updating older Android smartphones? Google’s bread and butter is dependent upon saying how many activations it gets per day. Google wants consumers to constantly buy new Android smartphones so it appears that Android market share is constantly rising. If Google was smart it would stop updating the less-expensive model Android smartphones every six months to keep the churn going. That’s what’s called smart business tactics. Sort of like planned obsolescence.

    • http://www.christopherbudd.com Christopher Budd

      Hi, thanks for reading and the comment.

      What I’m saying they should do doesn’t undermine planned obsolescence per se. It’s not that they should necessarily be offering new features, but at least ensuring that security issues found in what you purchased are addressed.

      It’s industry standard practice to do that with desktop operating systems and it really needs to be fully standard for mobile operating systems as well. Otherwise, we’re looking at a real security problem.

  • Bob

    Root, ROM, done

    • Jace Nelson

      While also voiding your warranty and potentially bricking your device.

      • AndroidFanBoi

        not if you know what you are doing and READ the instructions properly

        • Jace Nelson

          Well here’s the thing about that. There are no official instructions. The aforementioned ‘instructions’ almost always state that they aren’t responsible for bricked devices. Regardless, it doesn’t matter if you brick your phone or not, your warranty is still voided.

          • imaginarynumber

            I first reflashed a custom ROM in 2004, I considered myself to be slightly more than a novice, nevertheless I managed to brick a phone back in 2008. It’s easy to make a mistake…

  • Dan

    I worry about privacy, Google does stuff and lies about it and who knows what we don’t know that they do. Get the original phone that rebooted the cell phone industry, get the iPhone.

  • http://www.facebook.com/mayela.esquivel.14 Mayela Esquivel Stoddard

    Or you can root your phone and get all the updates you want and get rid of bloatware and all sorts of fun stuff… It’s all in your tinkering ability

    • http://www.christopherbudd.com Christopher Budd

      Thanks for reading and thanks for the comment.

      To your and Bob’s point, that is an option. But my feeling is that it’s not an option that everyone can use (like mom and dad). Beyond that, though, at least on the security angle, it’s also an option people shouldn’t have to use.

      It’s really about how mobile operating systems need to conform to the same industry standards around security as desktop operating systems.

  • meowth

    Sometimes competitors buy out all the stock of a newly released or popular phone. So by locking it this prevents this from happening. This is what Wind’s excuse is.

  • thecrud

    Just go ahead and tell the yes here is my 99 dollars and 20 a month is just fine.
    No I don’t need service good luck with that. So much for no contract, still the only way is to pay outright.

    No contract phone is so misleading that it is out and out fraud.

    • sjdjjdjx

      Yes. Fraud. Kind of like being on a 2 year contract and not getting a discounted bill when the contract is up. Dumbass.

  • http://www.facebook.com/people/Derek-Dickerson/1071002621 Derek Dickerson

    FYI the OS is not even by Google, it’s BusyBox….

  • John Nevill

    Did the same. Bought a Galaxy Nexus a year ago from Google and switched to T-Mobile’s 30 dollar a month plan (100 minutes, unlimited text and data). Totally worth it.

  • Steveo

    Dude, Cyanogenmod means that this whole article is redundant.

    • don’tbeignorant

      Redundant is the wrong word and not everyone is knowledgeable enough or willing to toss third party operating systems on their phones.

    • http://twitter.com/snookasnoo Idon’t Know

      “Dude”, only a handful of geeks can be expected to replace the ROMs on their smartphones. The better answer is for Google and the Android manufacturers to man up with the carriers as Apple has always done and allow direct downloads of app updates and no bloatware. But Google doesn’t care because their only goal is to show you ads and track your online activities so they can sell it.
      The sorry state of updates and bloatware is a direct consequence of you being the product and the ad agencies being the customer.

  • Phil Enzler

    I’ve had two Androids, both HTC, both from VZW, neither lasted more than a month without being at least rooted. My Droid (cha*ching, George Lucas) Incredible runs Android 4.0.4 (Verizon stopped releasing updates somewhere around 2.3) and my new Inc 4G LTE runs Android 4.2.2. Neither have any unwanted software and both have improved battery life and performance over the stock ROM. I think the biggest mistake Verizon has made in the last year is denying its customers the right to unlock their phones despite the manufacturers (specifically Motorola and HTC) allowing it. Every owner of an HTC phone in the world can use HTC’s developer network to unlock their device and load any software they want, except if that owner is also a client of Verizon.

    I’d also like to mention that I’ve never used a manufacturer-modified version of Android (Motoblur, HTC Sense, etc.) that is in any way an improvement over the software it’s based on. Why take something that’s so well thought out and developed and change it into something unrecognizable? It’s like they’re ashamed to just use the AOSP and call it a day.

  • http://twitter.com/flemingsean Sean Fleming

    I have a Motorola Droid too. The OS has always been a crock (oh the irony). But the main reason I’m unlikely to own another Android device is that as soon as you say in public “I’m unhappy with my Android phone” you get loads of *helpful* advice, which to the average person’s ears might as well be telling you there’s a magic fairy hiding in your house who, when you find her, will grant all your wishes.

    Seriously… super secret OSes and “rooting” (try telling an Australian you can fix his wife’s phone by rooting and see how he reacts). Anyone would think the purpose of such advice is not to help but to intimidate.

    This is why Apple does so well… Fisher Price it may be, but that’s all some people want.

  • iLove2argue

    Malwaredroid device the nature called ”LAG”.

  • Whitehorse

    What’s a subsidized phone?

  • Joel

    I used to have a Nexus and I loved it but then I switched and got hooked on the Z10. Probably the wrong forum place for me to post :), but I just wanted to let anyone know if they are looking to sell their phones just as I was when I made the switch the following website is the place to go:

    sell my blackberry

    Of course if you do not mind the hassle you can always go with eBay or Craigslist and get a little more money.

  • NeedName

    And now we find out that Google’s official update policy is “18 months,” 6 months from end of sales. Mobile hardware today can last longer than that, and buying an unlocked Nexus one should get much longer support. . .

    So, Now it’s official. Buy any Android device and you are getting piss poor support from the OEM! I’m done with Android.

  • Boris

    Buying an unsubsidized phone isn’t going to fix the lack of phone updates or the inclusion of bloatware – at least on Verizon. If you stay with Verizon and pay full price for a phone this won’t be any different. While you make good points about these issues, I don’t see how they relate to the argument to not buy a subsidized phone.
