The Real Cost of Cheap Phones
November 20, 2019
By:
Lianne M. Bacorro
The prices of smartphones have gone down significantly in recent years, making them accessible to more people. This is a noteworthy development since for many users in the low-income strata, their smartphones are their only access to the Internet. As more people gain access to the internet and digital technology, a larger segment of the population is also able to enjoy benefits previously available only to a few: vast information, educational resources, connectivity, and additional forms of recreation, among others. Unfortunately, using cheap phones comes with a price that most users are unaware of, or, in the case of others, they would reluctantly assume for lack of better or at least more affordable options.
In a recent forum entitled, “Digital Dilemma: Surveillance and other Issues Involving Digital Apps” held here in Manila, Privacy International (PI), an independent charity that promotes the human right to privacy around the world, discussed their research on low-cost devices and the privacy and security issues that surround them. They noted how hardware that used to be very expensive are now becoming an affordable commodity. New phones are being released more frequently, punctuated by the emergence of ultra low-cost smartphones, particularly of the Android variety. At present, devices running on the Android operating system comprise 88% of the global market. Many of them sell for less than $100, with some sporting a price tag even lower than $50. In 2017, the Blu R1 HD, an American phone, was the top-selling phone on Amazon at $60. Here in the Philippines, a unit manufactured by MyPhone, a local brand, can be purchased at $50 or less.
According to PI’s research, mobile phones are becoming loss leaders or products that are sold at a loss or below cost to attract customers, or to sell them additional products and services. This means many companies actually lose money when making phones. They find other ways to maintain and sustain revenue. There are those, for instance, that pivot their services from hardware to software. Apple is a good example. The company is now focusing on building online services to make people pay constantly—i.e., when they avail of cloud services, pay for news access, Apple TV, and other similar services. Meanwhile, other device makers cut corners in terms of the kind of hardware they manufacture and services they offer in order to lower the costs. Unfortunately, this also results in low-end hardware and low-quality services. And then there are those who have resorted to user monetization, which often ends up affecting or compromising the privacy and security of users. This makes it important to now check the software or operating system installed on any given phone. In the case of cheap Android phones, a closer look into the systems they run on often reveals the subpar quality of services and security they offer, compounded by the corresponding privacy risks that go along with them.
One glaring problem with cheap phones is the existence of pre-installed apps or “bloatware.” They are software with unnecessary features that are preinstalled on computers and mobile devices and which usually take up a large amount of space. Software vendors pay device makers to install them in the latter’s phones to market them to users. The apps then end up slowing down the device and expose it to a large number of cybersecurity risks. What’s worse is that they cannot be easily deleted. When PI inspected a US$19 smartphone manufactured by local firm, MyPhone, they discovered several bloatware such as MyPhoneRegistration, Pinoy, Facebook Lite, and Brown Portal. Most of these apps are not available on the Google Play Store so they cannot be updated, making them susceptible to hackers and other security threats.
Cheap phones have also been found to have outdated operating systems. This is a critical issue since security patches are run when the device is updated. These patches are meant to address security vulnerabilities and fix bugs in existing software. In the case of old operating systems, security measures do not run automatically. Thus, they inevitably become susceptible to cyber threats, including phishing campaigns and malware attacks. In the case of MyPhone, PI found out that the Android operating system itself cannot be updated in the phone unit. Troubling, if you consider the fact that MyPhone is supposed to be an official Android certified partner.
Meanwhile, some pre-installed apps have also been found to be sending personal data to remote servers. With MyPhone, PI discovered that the MyPhoneRegistration app is constantly trying to contact Zed, the company supposedly hosting the app’s server, without any security protocol. This allows personal information—such as the user’s IMEI number (a unique number that identifies each phone device), name, birth date, and gender—to be shared with Zed without encryption. Oddly enough, however, the server is apparently missing (i.e., cannot be reached). Nonetheless, the entire process is still exposing personal data.
To be fair, this is not unique to MyPhone or the Philippines. In 2016, a study in the US found that preinstalled software in Android phones by American manufacturer, Blu Products, was monitoring user activity and sending massive amounts of personal data to the Chinese software developer, Shanghai Adups Technology. The software also had access to the “command and control channel”, which allows the software developer to execute commands on the phone as if it were the user. When confronted, the Chinese company claimed that it was a mistake since the software was not intended for American phones. However, in 2017, analysts at Kryptowire still found the same software activity on other phones.
It is also common for inexpensive phones to carry malware. In 2017, researchers at Sophos found that an app called “Sound Recorder”, which was pre-installed in a low cost Android phone, was not the legitimate version. They concluded that quality control was inadequate and unable identify this problem. Sophos tried reaching out to MediaTek, the CPU and firmware manufacturer of the phone, but to no avail. Similarly, a report by Avast Threat Labs explained that in 2016, low cost Android Phones were shipping with malware but the manufacturers did not do anything about it.
For PI, a lot of the vulnerabilities they unearthed are actually caused by the design of the apps found on these cheap phones, as intended by their developers. Others, on the other hand, may be attributed to sloppy development of these gadgets. Just the same, regardless of the actual cause of these issues, it is clear that cheap phones do come with a steep price. Sadly, the people who are most likely to be exploited (or at least inconvenienced) are also those who have no other choice available to them in light of their financial woes.
This is a reality that needs to be addressed. People should not be placed at a greater risk for having a lower socio-economic status. Software developers and device makers should be made accountable to the users of their products. They should enable people to have more control over the apps in their devices and the information these miniature machines collect and share with others. Indeed, to echo PI’s call in this regard: privacy should not be seen as a mere luxury, and should instead be treated for what it truly is—a fundamental human right.
In a recent forum entitled, “Digital Dilemma: Surveillance and other Issues Involving Digital Apps” held here in Manila, Privacy International (PI), an independent charity that promotes the human right to privacy around the world, discussed their research on low-cost devices and the privacy and security issues that surround them. They noted how hardware that used to be very expensive are now becoming an affordable commodity. New phones are being released more frequently, punctuated by the emergence of ultra low-cost smartphones, particularly of the Android variety. At present, devices running on the Android operating system comprise 88% of the global market. Many of them sell for less than $100, with some sporting a price tag even lower than $50. In 2017, the Blu R1 HD, an American phone, was the top-selling phone on Amazon at $60. Here in the Philippines, a unit manufactured by MyPhone, a local brand, can be purchased at $50 or less.
According to PI’s research, mobile phones are becoming loss leaders or products that are sold at a loss or below cost to attract customers, or to sell them additional products and services. This means many companies actually lose money when making phones. They find other ways to maintain and sustain revenue. There are those, for instance, that pivot their services from hardware to software. Apple is a good example. The company is now focusing on building online services to make people pay constantly—i.e., when they avail of cloud services, pay for news access, Apple TV, and other similar services. Meanwhile, other device makers cut corners in terms of the kind of hardware they manufacture and services they offer in order to lower the costs. Unfortunately, this also results in low-end hardware and low-quality services. And then there are those who have resorted to user monetization, which often ends up affecting or compromising the privacy and security of users. This makes it important to now check the software or operating system installed on any given phone. In the case of cheap Android phones, a closer look into the systems they run on often reveals the subpar quality of services and security they offer, compounded by the corresponding privacy risks that go along with them.
One glaring problem with cheap phones is the existence of pre-installed apps or “bloatware.” They are software with unnecessary features that are preinstalled on computers and mobile devices and which usually take up a large amount of space. Software vendors pay device makers to install them in the latter’s phones to market them to users. The apps then end up slowing down the device and expose it to a large number of cybersecurity risks. What’s worse is that they cannot be easily deleted. When PI inspected a US$19 smartphone manufactured by local firm, MyPhone, they discovered several bloatware such as MyPhoneRegistration, Pinoy, Facebook Lite, and Brown Portal. Most of these apps are not available on the Google Play Store so they cannot be updated, making them susceptible to hackers and other security threats.
Cheap phones have also been found to have outdated operating systems. This is a critical issue since security patches are run when the device is updated. These patches are meant to address security vulnerabilities and fix bugs in existing software. In the case of old operating systems, security measures do not run automatically. Thus, they inevitably become susceptible to cyber threats, including phishing campaigns and malware attacks. In the case of MyPhone, PI found out that the Android operating system itself cannot be updated in the phone unit. Troubling, if you consider the fact that MyPhone is supposed to be an official Android certified partner.
Meanwhile, some pre-installed apps have also been found to be sending personal data to remote servers. With MyPhone, PI discovered that the MyPhoneRegistration app is constantly trying to contact Zed, the company supposedly hosting the app’s server, without any security protocol. This allows personal information—such as the user’s IMEI number (a unique number that identifies each phone device), name, birth date, and gender—to be shared with Zed without encryption. Oddly enough, however, the server is apparently missing (i.e., cannot be reached). Nonetheless, the entire process is still exposing personal data.
To be fair, this is not unique to MyPhone or the Philippines. In 2016, a study in the US found that preinstalled software in Android phones by American manufacturer, Blu Products, was monitoring user activity and sending massive amounts of personal data to the Chinese software developer, Shanghai Adups Technology. The software also had access to the “command and control channel”, which allows the software developer to execute commands on the phone as if it were the user. When confronted, the Chinese company claimed that it was a mistake since the software was not intended for American phones. However, in 2017, analysts at Kryptowire still found the same software activity on other phones.
It is also common for inexpensive phones to carry malware. In 2017, researchers at Sophos found that an app called “Sound Recorder”, which was pre-installed in a low cost Android phone, was not the legitimate version. They concluded that quality control was inadequate and unable identify this problem. Sophos tried reaching out to MediaTek, the CPU and firmware manufacturer of the phone, but to no avail. Similarly, a report by Avast Threat Labs explained that in 2016, low cost Android Phones were shipping with malware but the manufacturers did not do anything about it.
For PI, a lot of the vulnerabilities they unearthed are actually caused by the design of the apps found on these cheap phones, as intended by their developers. Others, on the other hand, may be attributed to sloppy development of these gadgets. Just the same, regardless of the actual cause of these issues, it is clear that cheap phones do come with a steep price. Sadly, the people who are most likely to be exploited (or at least inconvenienced) are also those who have no other choice available to them in light of their financial woes.
This is a reality that needs to be addressed. People should not be placed at a greater risk for having a lower socio-economic status. Software developers and device makers should be made accountable to the users of their products. They should enable people to have more control over the apps in their devices and the information these miniature machines collect and share with others. Indeed, to echo PI’s call in this regard: privacy should not be seen as a mere luxury, and should instead be treated for what it truly is—a fundamental human right.
