India Plans New Security Testing For Smartphones, Crackdown on Pre-Installed Apps

India plans to force smartphone makers to allow removal of pre-installed apps and mandate screening of major operating system updates under proposed new security rules, according to two people and a government document seen by Reuters. From a report: The new rules, details of which have not been previously reported, could extend launch timelines in the world's No.2 smartphone market and lead to losses in business from pre-installed apps for players including Samsung, Xiaomi, Vivo, and Apple. India's IT ministry is considering these new rules amid concerns about spying and abuse of user data, said a senior government official, one of the two people, declining to be named as the information is not yet public. "Pre-installed apps can be a weak security point and we want to ensure no foreign nations, including China, are exploiting it. It's a matter of national security," the official added. India has ramped up scrutiny of Chinese businesses since a 2020 border clash between the neighbours, banning more than 300 Chinese apps, including TikTok. It has also intensified scrutiny of investments by Chinese firms.

Is this the right problem to address?

[backslashdot]

I thought 99% of malware happens because users install shady apps. Of course apps like WhatsApp are a conduit for that. For example WhatsApp allows random people to create crypto scam group from which they can entice people randomly to send them money and also install malware.

Re:

[Killall -9 Bash]

I'm sure Verizon and Samsung have no ulterior motives for putting their own messages, phone app, and a dozen other basic apps already included in Android on my phone for free.

Re:Is this the right problem to address?

[geekmux]

For example WhatsApp allows random people to create crypto scam group from which they can entice people randomly to send them money and also install malware.

You example only highlights the fact that gullibility hardly takes technology to exploit.

P.T. Barnum proved that long before apps came along.

Ruse?

[q4Fry]

If this is real, I support it. Security updates are critical. Too many phones fall off the update train way inside their serviceable lifetime. Requiring that normie users be allowed to remove bloatware would also be fantastic. (Defaults are powerful, though. I don't expect too many people to take advantage.)

If this is actually a way to get Indian government spyware on there instead, it'd be a shame.

Re:Ruse?

[backslashdot]

If this is actually a way to get Indian government spyware on there instead, it'd be a shame.

Actually, I wonder if this is a way for them to ban end-to-end encrypting apps.

Re:

[currently_awake]

I was not aware phone carriers pre-loaded end to end encryption apps in India.

Re:

[backslashdot]

They have to start somewhere before moving on to heavily regulating app stores and side loading.

Re:Ruse?

[jonadab]

> Requiring that normie users be allowed to remove bloatware would also be fantastic.

Yes, with a caveat: you have to be a little bit careful with the wording on this one, because there are certain genuinely critical apps that you do NOT want normal users uninstalling, because they will end up having to factory-reset their phone, lose all their photos of their deceased relatives, and hate you forever.

The most obvious of these, is the app that is used to install apps. I can think of cases where technical users might want to uninstall that (because they've got other, more technical means of installing apps), but only on a jailbroken device, and only if they're sufficiently technical to do things like edit config files and use the command line. There does not need to be, and should not be, a button in the GUI that uninstalls the app that is used to install apps. That's way more trouble than it's worth. Technical users don't need it, and nobody else is going to have the know-how to get the device into a state where they can install things in some non-standard way.

There might be a couple of other apps that need to be similarly protected as well, for related reasons, e.g., on some devices the settings app may be needed in order to connect to a network, which you may need to do in order to install apps.

There are also underlying OS features that everything depends on, which are usually not considered "apps", but you do want to be careful enough with your wording that they aren't somehow included in the mandate, because that would be bad. On a desktop system this would be things like the init system for example; I'm less familiar with how mobile OSes are structured, but the principle in general terms is the same. And you don't want to just blanket exempt "the operating system", because OS vendors are very good at bundling apps into the OS that you *do* want to uninstall (e.g., Outlook Express was so bundled with deskto MS Windows at one point). Getting the wording right to disallow junk like that but not cause problems with users accidentally uninstalling the window manager or whatever, would require careful thought, and you definitely want some technical people on the team that's writing the wording.

Re:

[q4Fry]

+1 There are downsides to letting people delete whatever they want, but your last paragraph encapsulates the trouble with that. If the default "Store" and "Photo Album" apps are on a list that is exempt from uninstalls, then the manufacturer can just move the malware into those and call it safe, let alone into the OS core.

I expect it doesn't help that Android, generally speaking, is designed to be spyware insofar as it helps Google target ads better.

Re:

[jonadab]

Well, bundled third-party dross wouldn't necessarily make it in if it had to be part of the app store to do so.

But there are still issues. Getting the wording exactly right on this kind of legislation would be critical. Too loose, and you let all kinds of abuse happen. Too tight, and you make even worse problems, like devices getting accidentally bricked by toddlers and all the user's data lost. And it's entirely possible to word the law in such a way that *both* of those problems exist simultaneously.

Re:

[VeryFluffyBunny]

I can imagine a world where root access is legally required on all smartphones, which would allow owners to actually own their phones & decide which apps & features they want & don't want. I can imagine 3rd parties selling configurations for owners' phones, e.g. "We'll lock down your phone for privacy & security for you." or for company/business phones, "We'll add user restrictions so that they can't inadvertently install dodgy 3rd party malware/spyware infested apps." It should be as easy a

Samsung...

[Frederic54]

If you have a Samsung phone, you have Samsung Mail, Samsung Browser, Samsung agenda, Samsung clock, Samsung notes, Samsung doc, Samsung store, Samsung contact, Samsung game, Samsung drive, Samsung pay, Samsung keyboard, Samsung phone dialer, Samsung gallery, etc etc etc

And you cannot uninstall them, all those apps are in double because the original Google Android OS on your phone already have all of them, synchronized to your google account and all. So with Samsung you have 2 kinds of ecosystem not talking to each other doing the same job. I will never have a Samsung phone.

Re:

[drinkypoo]

https://www.getdroidtips.com/h... [getdroidtips.com]

With that linked, ISTR that some Samsung phones lose functionality when bootloader unlocked, like you can lose some or all of your camera functionality.

I won't buy literally anything made by Samsung (or LG, but that's another rant) — not even used. I don't want to have to dispose of it.

Re:

[ctilsie242]

What is a good Android maker to purchase from? Preferably one that has a decent unit, unlocked bootloader, and other things. I want to use LineageOS, or at the minimum magisk, so I can use a Linux firewall, as well as a root based backup system (I think Titanium Backup is long dead, so will need to find something similar.)

Re:

[drinkypoo]

Moto is decent and reasonably priced. Not every phone has an unlockable bootloader, though, depending on SoC. So you still have to do some homework.

Re: Samsung...

[pitch2cv]

I've been on Samsungs for many years for exactly that. I've never let these devices online: unlock then get LineageOS (or, these days, /e/OS) on them before they come online.
I'm very happy with their S-series hardware and they're very well supported.

But indeed. Stock OEM on them is bloated spyware. Even worse, like with any OEM that comes with dozens of apps most people would never use, they're a double waste of storage: initially on the system partition, then updates get doubled on user partition because s

Titanium was really gallium

[Malays2 bowman]

(I think *Titanium* Backup is long dead, so will need to find something similar.)

  And yet the service turned out to be fleeting. Not quite what I would expect from something "titanium". Calling services like this "cloud" this and "cloud" that is far more appropriate given the evaporative nature of these services. :-\

Re:

[business_kid]

I think this is great, and that Europe would do well to copy it. Dead right about Samsung. I buy Samsung purely because they are tough, I have only one hand, so that matters. I think Indian spyware getting through Google filters outside of India is unlikely. Pre-installed apps can not be uninstalled, but they can be disabled. Moving them to user space where they could be deleted would be good.

Who's the bad guy here?

[phfpht]

The new rules, details of which have not been previously reported, could extend launch timelines in the world's No.2 smartphone market and lead to losses in business from pre-installed apps for players including Samsung, Xiaomi, Vivo, and Apple.

They say this like it's a bad thing.

Great

[PPH]

When can I order my next phone from an Indian vendor?

Back in the old 3G/GSM days, when I went to upgrade to new hardware, the carrier offered only carrier locked phones on a plan. Why can't I buy one for cash, unlocked? Sorry. We don't offer that. So I bought the same model (unlocked) phone from a UK shop. Other than the gnarly-looking charger plug, it worked just fine.