I awoke this morning to find an email from Evernote, the company that has the product of the same name for note taking, saying that they had been hacked and that I should change my password. T-Mobile installs this software, along with many other pieces of software, on my smartphone by default and does not allow the customer to remove it. Luckily the attack against this product was not against the individual installations of the software but rather against the parent server where all the information is stored.
Unfortunately having unwanted software installed on phones is a security problem. The basic rule is that if the software isn't installed on one's computer then the software cannot be used as an attack vector. My first smartphone came loaded with five pieces of software that I could not remove. The Galaxy S that I purchased last November came with thirty-nine. And that was just the pieces of software that are visible. Last year we heard about CarrierIQ being installed on nearly every smartphone in America. This software had some very scary features that could allow the cellphone carrier, the software owner, or anyone else able to break into the software, access to everything contained within the phone and every message sent and received (including key strokes).
There's another price to be paid for this mandatory software. Updates need to be downloaded and installed which take up space on the smartphone and uses up valuable bandwidth. With cellphone companies complaining about usage of their wireless networks it seems silly that some of this is required by the companies themselves.
So what to do about this problem? Cellphone companies should stop preventing users from removing software from their phones. If they want to load up the device with lots of software that they feel the user might like that's fine but keeping people from removing that software is wrong. If the companies won't stop this bad practice on their own then perhaps if they get enough complaints from customers then they will change their practices. I guess the only other option is rooting our phones or just purchasing them outright. Still it shouldn't be so difficult to maintain a secure computing environment. And with privacy and so much money at stake the problem will only get worse.