Study Shows Lenovo, Other OEM Bloatware Still Poses Huge Security Risk

from the history-repeats-itself-history-repeats-itself dept

Lenovo hasn't had what you'd call a great track record over the last few years in terms of installing insecure crapware on the company's products. You'll recall that early last year, the company was busted for installing Superfish adware that opened all of its customers up to dangerous man-in-the-middle attacks, then tried to claim they didn't see what all the fuss was about. Not too long after that, the company was busted for using a BiOS trick to reinstall its bloatware on consumer laptops upon reboot -- even if the user had installed a fresh copy of the OS.

Now Lenovo and its bloatware are making headlines once again, with the news that the company's "Accelerator Application" software makes customers vulnerable to hackers. The application is supposed to make the company's other bloatware, software, and pre-loaded tools run more quickly, but Lenovo was forced to issue a security advisory urging customers to uninstall it because it -- you guessed it -- opened them up to man-in-the-middle attacks.

The vulnerability was discovered by Duo Labs as part of a larger report on the security of pre-installed OEM software (pdf). The study found consistent security problems specifically in the software used by OEMs to keep all the other bloatware updated. Such software pretty consistently failed to make even basic use of TLS, properly validate update integrity, or verify the authenticity of update manifest contents, leaving consumers at consistent risk of remote attack. It also found that some companies even had multiple software updaters that occasionally served duplicate purposes, most of which were trivial to exploit:

"Updaters are an obvious target for a network attacker, this is a no-brainer. There have been plenty of attacks published against updaters and package management tools in the past, so we can expect OEM’s to learn from this, right? Spoiler: we broke all of them (some worse than others). Every single vendor had at least one vulnerability that could allow for a man-in-the-middle (MITM) attacker to execute arbitrary code as SYSTEM. We’d like to pat ourselves on the back for all the great bugs we found, but the reality is, it’s far too easy."

And again, to be clear, Lenovo wasn't alone in being incompetent here. In fact, the firm tried to find any vendor whose bloatware didn't pose a security risk, and they couldn't actually do so: Here's a novel idea: if OEMs can't actually learn from past mistakes and secure their bloatware, how about they do us all a favor and stop installing such crapware in the first place?

Filed Under: adware, bloatware, computers, spyware
Companies: lenovo

The Stupidity Of Installing Bloatware That No One Uses... And Everyone Hates

from the just-a-bad-idea-all-around dept

A new study from Strategy Analytics highlights what you almost certainly already know, that no one actually uses the crappy bloatware apps that Samsung puts on its phones. This shouldn't be a surprise at all. But I actually wanted to highlight a different issue I'd noticed recently: which is that not only do people not use the bloatware apps, by making them both default and unintstallable, Samsung pretty guarantees that everyone hates those apps.

Now, I can imagine the execs at various app developers who got all excited when they had a chance to become a default app on a Samsung flagship phone like the S3, S4 or S5. After all, Samsung sells a ton of these phones. So if Samsung approaches you and offers to make you a default, it's got to be hard to say no. Because what they're offering is to put your app in front of many millions of potential users. And given the big hurdle of getting people to even download free apps, that must seem like a huge victory.

Until you realize that everyone hates unnecessary and unwanted bloatware. Beyond the study above showing that no one uses those apps, I recently looked at the Google Play Store reviews of many of the Samsung choices for bloatware. And pretty consistently, the large majority or reviews are about how they don't know why the app is on their phone and they're pissed that they can't delete it. Take, for example, Blurb Checkout, part of Samsung's near-totally-useless "book-making app." People absolutely loathe it almost entirely because it's a bloatware default app. Out of over 22,000 reviews, it has over 16,000 one star reviews. And nearly all of the reviews look like the "highlighted" ones on the page: Or how about the Lumen Toolbar? Frankly, I have no idea what it does, but it's there. The aggregate reviews on this aren't quite as bad as Blurb above, and there do appear to be some people who really do like this toolbar. But the reviews are still filled with angry rants: I'm sure HP thought it was a great way to jumpstart its mobile printing efforts by having its HP Print Service Plugin installed as default bloatware on Samsung (and, apparently, on Nexus) devices. Until everyone started yelling about how they want that crap off their phone. And, of course, none of this even touches on Samsung's own apps, in which it has weak copies of much better apps out there, such as S Health, S Memo and S Voice -- all of which are stuck on your phone, even though there are much better and much more functional alternatives available in the Play Store and elsewhere. The thing is, all of these apps could be the greatest possible apps in the world, but by making them part of preinstalled bloatware and making it so you can't uninstall them, it's pretty much guaranteeing that people will hate on these apps, making it even worse than just not using them -- they're actively harming the reputations of those apps for folks who might actually like them.

Filed Under: android, bloatware, phones
Companies: samsung