Guest Commentary: In the past few weeks, T-Mobile has been trying to shake up the mobile phone industry by offering no-contract plans in conjunction with the iPhone 5. Notably, their USA CEO John Legere put the issue of subsidized phones front-and-center, saying, “This is the biggest crock of shit I’ve ever heard in my life! Do you have any idea how much you’re paying?” He’s talking about how subsidized phones are bad for customers around pricing, but there are other negative factors, as well.
The root of the problem is this: With subsidized Android phones, your carrier takes away your control of your phone in exchange for that subsidy, which has direct, negative consequences for your security, privacy, and battery life. Because of my experience with this I won’t be buying another subsidized Android phone, and I think you should consider avoiding them, as well.
As a Verizon customer, I have direct experience with this. I purchased a subsidized Motorola Droid X2 in June 2011 (after my HTC Incredible broke). In my case, two things prompted me to avoid subsidized Android as a platform in the future:
1. Lack of operating system updates: When I purchased this phone, it was running Android 2.3.4. Within a month, Android 2.3.5 came out and was applied to my phone. That’s the last operating system update I’ve received. When 2.3.6 came out in September 2011, it wasn’t offered to my phone. No subsequent updates have ever been offered. Any security person will tell you that running an operating system with no updates for over a year and a half is fundamentally a security risk. This version has at least six publicly known security vulnerabilities that are unpatched. This is not acceptable for any operating system, but most especially for one that has seen over half a million pieces of malware and other threats emerge (nearly all of that over the time I’ve had this phone).
I’m not the only one who feels this way: the ACLU has just filed a complaint with the FTC calling the lack of updates “unfair and deceptive business practices” and urging that customers on vulnerable versions be allowed out of their contracts. And it’s no wonder they’ve filed this: Google’s own statistics show that this unpatched-in-over-a-year-and-a-half OS is the most widely used version of Android out there.
2. Bloatware has become unwanted software. For decades we’ve dealt with “bloatware,” a term for software that’s pre-loaded on your system. Think back to Windows 95 with a “Try AOL” application on the desktop, courtesy of the OEM you bought it from. To a degree, we’ve accepted that OEMs will install bloatware in exchange for lowering the price of the system. But with Android we’re seeing the carriers go further by making it impossible to uninstall pre-installed apps and, in some cases, turning bloatware into unwanted software by having it run without your consent or control.
In my case, my phone came with several apps that could not be uninstalled. One of these apps, Slacker Radio, not only cannot be uninstalled but runs on every reboot and cannot be prevented from running. This is a huge security and privacy issue as it increases the attack surface of my phone and has permissions to access stored information without my consent. And because Slacker Radio runs all the time, it drains battery and CPU resources. All of these uninstallable apps take resources as they have to be regularly updated to ensure a minimal level of security.
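The two properties described above, an app that starts on every boot and an app that the system will not let you uninstall, are both visible in the output of `adb shell dumpsys package`, so you can verify them instead of guessing. The following is an added example, not code from the original column or from any vendor: it parses a dump captured to a file (or the constructed sample below, whose package names and layout are placeholders approximating the Android 4.x-era format) and reports every package that both carries the SYSTEM flag (or lives under /system/app, which is what makes it uninstallable without root) and registers a receiver for BOOT_COMPLETED, together with the permissions on a hand-picked watch list it requested.

```python
import re
import sys
from typing import Dict, List, Set

# Constructed sample approximating `adb shell dumpsys package` output on an
# Android 4.x-era device. Package names are placeholders, not real apps.
SAMPLE_DUMP = """\
Receiver Resolver Table:
  Non-Data Actions:
      android.intent.action.BOOT_COMPLETED:
        41e3a9c0 com.example.preloadedradio/.BootReceiver
        41e3b1f8 com.example.userapp/.StartupReceiver
      android.intent.action.PACKAGE_ADDED:
        41e3c2a8 com.example.launcher/.PackageWatcher

Packages:
  Package [com.example.preloadedradio] (41f00001):
    userId=10045 gids=[3003, 1015]
    codePath=/system/app/PreloadedRadio.apk
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.READ_CONTACTS
      android.permission.READ_EXTERNAL_STORAGE
  Package [com.example.userapp] (41f00002):
    userId=10087 gids=[3003]
    codePath=/data/app/com.example.userapp-1.apk
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_BOOT_COMPLETED
  Package [com.example.launcher] (41f00003):
    userId=10012 gids=[]
    codePath=/system/app/Launcher.apk
    flags=[ SYSTEM HAS_CODE ]
    requested permissions:
      android.permission.INTERNET
"""

RECEIVER_LINE = re.compile(r"^\s+[0-9a-f]+ ([\w.]+)/\S+")
PACKAGE_LINE = re.compile(r"^\s*Package \[([\w.]+)\]")
FLAGS_LINE = re.compile(r"^\s*(?:pkg)?[fF]lags=\[(.*?)\]")
CODEPATH_LINE = re.compile(r"^\s*codePath=(\S+)")

# Permissions worth knowing about on an app you cannot remove. An assumed
# watch list for this example; extend it to match your own threat model.
SENSITIVE_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}


def boot_receivers(dump: str) -> Set[str]:
    """Packages with a receiver registered for BOOT_COMPLETED in the resolver table."""
    pkgs: Set[str] = set()
    in_boot = False
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped.endswith(":"):
            # Any new action or section header ends the BOOT_COMPLETED block.
            in_boot = stripped == "android.intent.action.BOOT_COMPLETED:"
            continue
        if in_boot:
            m = RECEIVER_LINE.match(line)
            if m:
                pkgs.add(m.group(1))
    return pkgs


def parse_packages(dump: str) -> Dict[str, Dict[str, object]]:
    """Map package name -> {'system': bool, 'permissions': set} from the Packages section."""
    pkgs: Dict[str, Dict[str, object]] = {}
    current = None
    perm_indent = None  # indent of 'requested permissions:' while inside that block
    for line in dump.splitlines():
        m = PACKAGE_LINE.match(line)
        if m:
            current = m.group(1)
            pkgs[current] = {"system": False, "permissions": set()}
            perm_indent = None
            continue
        if current is None:
            continue
        indent = len(line) - len(line.lstrip())
        if perm_indent is not None:
            if line.strip() and indent > perm_indent:
                # Newer releases append ': granted=true'; keep only the name.
                pkgs[current]["permissions"].add(line.strip().split(":")[0])
                continue
            perm_indent = None  # permission block ended
        f = FLAGS_LINE.match(line)
        c = CODEPATH_LINE.match(line)
        if f:
            pkgs[current]["system"] = pkgs[current]["system"] or "SYSTEM" in f.group(1).split()
        elif c:
            # Fallback for dumps that print numeric flags: /system/app is read-only.
            pkgs[current]["system"] = pkgs[current]["system"] or c.group(1).startswith("/system/")
        elif line.strip() == "requested permissions:":
            perm_indent = indent
    return pkgs


def audit(dump: str) -> List[Dict[str, object]]:
    """Uninstallable (system) packages that start at boot, with the watched permissions they hold."""
    starters = boot_receivers(dump)
    findings: List[Dict[str, object]] = []
    for name, info in sorted(parse_packages(dump).items()):
        if name in starters and info["system"]:
            findings.append({
                "package": name,
                "sensitive_perms": sorted(SENSITIVE_PERMS & info["permissions"]),
            })
    return findings


if __name__ == "__main__":
    # Usage: adb shell dumpsys package > dump.txt && python audit_preloads.py dump.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for f in audit(text):
        print(f"{f['package']}: starts at boot, not uninstallable; "
              f"watched permissions: {', '.join(f['sensitive_perms']) or 'none'}")
```

Two caveats. BOOT_COMPLETED is only the most common way a preloaded app arranges to run without being opened; it can also be woken by other broadcasts or by the carrier's own services, so an empty report does not prove an app is dormant. And on the Android 2.3 device described above there is no supported way to stop a SYSTEM package without root; on more recent releases `adb shell pm disable-user <package>` neutralizes such an app without removing it, which is the remedy a practitioner would reach for once this audit has named the offender.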
What I have learned from this experience is that when evaluating mobile devices, you should weigh the question of ongoing operating system support and the inclusion of bloatware/unwanted software.
My experience reinforces something that I’ve known before (and likely should have thought of when getting this phone): Within the security and privacy space, wireless carriers and handset makers have terrible reputations. This experience reinforces my belief that you don’t want to be a customer only of a carrier like Verizon and a handset maker like Motorola. You want to be a customer of another, established software company with a good reputation for security.
In practical terms this means being a customer in some way of Apple, Google, BlackBerry or Microsoft. Apple’s iPhone and Google’s Nexus (running pure Android) provide strong support for OS security updates and an aggressive stance prohibiting preinstalled third-party apps. BlackBerry and Microsoft also provide strong support for OS security updates. Their devices do come with some third-party apps preinstalled, but both BlackBerry and Microsoft enforce baseline standards around security and privacy. In other words, you can look at them as your advocate to check the carriers and handset makers. And unlike on subsidized Android phones, you can uninstall preinstalled third-party apps.
Another problem with Android centers on provenance. We think of “Android” as an OS from Google, but it really is an OS provided by Google around which carriers and handset makers make their own OS. This leads to the forking that Android advocates fret over. It also means that you’re really a customer of your carrier and handset maker and not at all of Google. This, by the way, is why Android is so popular with carriers and handset makers: it gives them total ownership of the customer and freedom from interference from Apple, BlackBerry, Google and Microsoft. It’s a zero-sum game, though: what’s good for the carriers and handset makers is bad for you and me. That’s why we want an advocate in our corner.
For now, I am patiently waiting until my contract with Verizon expires in a few more months and then I will consider whose customer I want to be next: Apple, BlackBerry, Google, or Microsoft. The odds are I will pay more in terms of money but I will pay less in terms of risks to my security, privacy, and battery life. And I’m definitely watching what happens with T-Mobile. What they’re doing by getting out of the handset subsidy game could be a true industry game-changer that benefits everyone. In the future, we may more clearly and cleanly be customers of the carriers for the network, customers of the handset makers for the hardware, and customers of the software companies for the OS and apps.
Editor’s Note: Budd joined two other experts on our GeekWire radio show this past Friday to discuss the latest in digital security, hacking and protecting yourself online.
Christopher Budd works for Trend Micro, focusing on communications in the areas of online security and privacy, incident response, and crisis communications. Prior to that, he was an independent consultant and before that a ten-year veteran of the Microsoft Security Response Center (MSRC). He combines his prior career as an engineer with his communications expertise to help bridge the gap between the technical and communications realms. Follow him on his personal blog or on Twitter @christopherbudd.