OEMs: Dump Security-risk Bloatware, and Replace it with Revenue-generating ‘Goodware’

Opinion: The following is a guest-contributed post by Hachim Badji, CEO of Connectik.

If you ask Google, far more people hate bloatware than like it. Bloatware is the pejorative many people use for the apps and programs pre-installed on laptops and smartphones. It’s not even close, which is odd, considering that these programs and apps are supposed to bring “added value” by providing customers with services and applications that help them communicate, shop, protect their devices, and more.

But, in earnest, that is not why manufacturers and distributors install apps and programs on our devices. Manufacturers do it because, for most of them, margins are razor-thin. Highly competitive markets have driven prices down, and to stay afloat, manufacturers make unpopular decisions.

It’s an old story, and despite the strong sentiment against pre-installed apps, manufacturers and distributors insist on continuing to load our devices with programs we do not want, in order to keep themselves in business. For manufacturers, it’s a matter of survival, apparently. It’s annoying, it’s bothersome, and it entails work on our part to remove the unwanted applications. The demand for their removal is so high that a number of websites offer detailed advice on how to get rid of these apps. But a company’s desire, or need, to keep prices down by loading third-party applications it is paid to install on our devices (which subsidizes the cost of the device and keeps the manufacturer in business) is at least understandable.

What is not understandable, though, is that manufacturers would put their loyal customers at risk with this bloatware. This unnecessary risk was highlighted in a new report by Duo Security, which examined the security of the pre-installed applications on devices from Lenovo, HP, Asus, Dell, and others. According to the study, annoyance should not be the first emotion users feel when they buy a device that includes bloatware. Instead, users should feel fear, because pre-installed apps can be high security risks, practically rolling out a red carpet for hackers.

“It doesn’t take much for one piece of software to negate the effectiveness of many, if not all defenses,” the report says. “One non-ASLR DLL, a predictably mapped RWX memory segment, a trivially exploitable command injection bug—these all make an attacker’s life easier—and OEM software is full of them.” And the vulnerabilities Duo found were just in the updaters of the bloatware, according to the report. “Basic reverse engineering uncovered flaws that affected every single vendor reviewed, often with a very low barrier to both discovery and exploitation.”
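Two of the three flaw classes the report names, a non-ASLR DLL and an RWX memory segment, are visible in a binary’s PE headers before it is ever run, so a defender (or an OEM accepting software from a supplier) can screen pre-installed binaries for them. The script below is an added example, not code from the Duo report or from this article. It reads the DllCharacteristics and section flags of a PE image at the offsets given in the PE/COFF specification and reports missing ASLR or DEP opt-ins and writable-and-executable sections; the headers-only test image produced by build_test_pe is constructed here for the demonstration and is not a real binary. A command-injection bug, the third class quoted, is a logic flaw and is not something a header check can find.

```python
import struct
import sys

# Flag values from the Microsoft PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # opted in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # opted in to DEP/NX
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def audit_pe(data: bytes) -> dict:
    """Parse the headers of a PE image and return the mitigation-relevant facts."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4                                          # 20-byte COFF header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size, coff_chars = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20                                            # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                            # PE32 / PE32+
        raise ValueError(f"unsupported optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]

    rwx_sections = []
    sec_table = opt + opt_size                                 # 40-byte section headers
    for i in range(num_sections):
        hdr = sec_table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        sec_chars = struct.unpack_from("<I", data, hdr + 36)[0]
        if sec_chars & IMAGE_SCN_MEM_WRITE and sec_chars & IMAGE_SCN_MEM_EXECUTE:
            rwx_sections.append(name)

    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED),
        "rwx_sections": rwx_sections,
    }


def findings(data: bytes) -> list:
    """Turn the audit facts into the list of weaknesses a reviewer would flag."""
    r = audit_pe(data)
    issues = []
    if not r["aslr"]:
        issues.append("DYNAMIC_BASE not set: image loads at a fixed address (no ASLR)")
    elif r["relocs_stripped"]:
        # The flag alone is not enough: without a relocation table the loader
        # cannot move the image, so the ASLR opt-in is ineffective.
        issues.append("DYNAMIC_BASE set but relocations stripped: image cannot be rebased")
    if not r["nx"]:
        issues.append("NX_COMPAT not set: data pages may be executable (no DEP)")
    for name in r["rwx_sections"]:
        issues.append(f"section {name!r} is mapped writable and executable (RWX)")
    return issues


def build_test_pe(dll_chars, sections, relocs_stripped=False, pe32plus=True) -> bytes:
    """Constructed, headers-only PE image for exercising the audit (assumption for
    this example). It is not loadable; it only carries the fields audit_pe() reads."""
    opt_size = 240 if pe32plus else 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff_chars = 0x2000 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)  # IMAGE_FILE_DLL
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(sections), 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                    0, 0, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Audit real binaries given on the command line, e.g. an OEM updater's DLLs.
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, findings(f.read()) or ["no header-level issues found"])
    else:
        # No paths given: show the audit on a hardened and a weak constructed image.
        hardened = build_test_pe(
            IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
            [(".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)])
        weak = build_test_pe(
            0, [(".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)])
        print("hardened:", findings(hardened))
        print("weak:", findings(weak))
```

Run it with no arguments to see the two constructed samples, or pass the paths of the DLLs and executables a pre-installed package drops on disk. A clean result only means the compile-time opt-ins are present; it says nothing about the update channel, privilege boundary, or input handling of the software, which is where the report’s command-injection findings live.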

Mobile devices were not covered in the report, but the pre-installed apps on those devices have their own bloatware issues. Manufacturers of these devices face the same cost squeezes as the laptop makers.

Purchasers of these companies’ products are up in arms, and rightly so, now that they know about the problem. It stands to reason that the manufacturers already knew about it, yet continued to supply the same problematic bloatware to their users, despite putting them at risk of being hacked.

What does that say about Lenovo, HP, and company? That might be a question for an attorney experienced in class-action lawsuits to answer. But, beyond the damages the manufacturers may be responsible for, the hit to their reputation could be significant, too. Although Duo focused only on the updaters, “it’s well-known within the security research community that OEM software is a vulnerability minefield,” the report said. “That’s also why OEM software has remained a major security problem — so we decided to dig deep to find out just how bad the issue is, and provide recommendations for consumers to protect themselves against the security gaps and annoyance that bloatware presents.”

But what choice do they have? If manufacturers are reduced to forcing such a security risk upon their customers, in exchange for the ad money they make from the bloatware, how narrow must their margins be? Are profits really that bad? If so, are we stuck with the risky bloatware phenomenon forever?

One thing manufacturers could do, of course, is institute security standards and force the companies that supply them with programs and apps to observe those rules. That would, at least, help fix the security issues, but the annoyance would still be there.

Here’s perhaps a better idea: instead of teaming up with suppliers of commercial software, manufacturers can work with socially minded organizations to preinstall apps that improve the manufacturer’s revenue while reducing the irritation to customers. By working with, say, non-profit organizations, manufacturers can help those in need and give bloatware a beneficial side. Revenue-sharing apps and programs that raise money for important causes will likely prove much more popular with users (most people want to help a cause if they can) and will also go a long way toward enhancing the manufacturer’s reputation.

An app like Tinbox, for example, would fit the bill. Tinbox works with corporations, enabling users to direct corporate donations to their preferred causes. With just one click, the sponsoring company donates a Euro to the charity it is working with. A pre-installed version of Tinbox on a device could generate a “commission” for the manufacturer, with the donating corporation paying the device maker for each donation as part of the deal. Manufacturers get some much-needed money but escape the reputation-damaging and security-damaging aspects of current bloatware, exchanging it for “goodware” that helps not only others, but themselves.

This article was written by Hachim Badji, the CEO of Connectik, who has more than 20 years of experience at both the International Red Cross and the United Nations.