The Motorola Razr has been one of my favorite phone designs of the modern era. Unlike flip phones from other manufacturers, they were among the first to allow you to use every app on the outer display. You could truly use the phone as a mini smartphone. Plus, toss on a physical keyboard, and it’s a cool, though flawed, Blackberry-like Android device. Perhaps that’s why Clicks decided to make something just like that.
However, Motorola has done something sketchy, and I’m not sure I’d want a device made by them again. How can you trust a company that makes suspicious software, then gives reasoning behind it that makes little sense?
Users caught Motorola adding affiliate links into anything purchased on Amazon from their devices, allowing them—or someone else—to tack purchases and profit from everything you bought on Amazon. Affiliate link hijacking is a popular way to make money from unsuspecting users, and large companies have already been caught doing it. So why was Motorola doing it?
More importantly, how can you trust them after that?
In This Article:
Security-Violating Affiliate Links
Motorola’s “Smart Feed” is supposed to open the right app for the right link, providing users a feed of stories and content from across the web, personalized for them. However, when trying to open the Amazon app on newer Motorola devices, it was making a detour. First, through Device Native’s website, who helped Motorola make the feature. Then, it seemingly went to a website that appeared to belong to a fashion influencer, Kira Abboud. There, devices picked up an affiliate cookie before continuing to Amazon. That allows the owner of the affiliate cookie to make money from anything you may purchase on Amazon.
An affiliate link could potentially track users and their purchases. It’s not just a harmless way to scrape some money from purchases, it could track users elsewhere. Anytime your devices are doing something you didn’t ask them is a potential security and privacy issue.
Motorola may not have intended to send users somewhere to get an affiliate link attached to their browsing sessions, but they certainly made it possible.
No Such Thing as an Accident
To claim this is an accident is likely true, but not the whole truth. Imagine cutting a large hole in the wall of a bathroom and claiming the floor to ceiling window someone else installed in that hole wasn’t your intention. What else did they expect? Smart Feed allows the system to do something else before opening the app you’ve tapped. Obviously that wasn’t an accident, you don’t make such a completed feature by accident. You only worry once you’ve been caught doing something wrong because someone else took advantage of a sketchy feature you’ve added to your devices.
Modern software development includes peer review of multiple developers, product review, planning, epics and structure and tickets and pointing. Software is planned, executed, refined, and maintained, especially at a company as large as Motorola. Claiming you accidentally installed something that just so happens to have the potential to invade privacy and induce profit is offensive. Users aren’t so naïve.
Disabling Smart Feed
I’ll never understand why phone manufacturers try to make unwanted customizations on top of Android. Even my Motorola Razr has some huge flaws. They force their own launcher on the outer display and force you to use Gboard on the outer display too (part of the reason I prefer a hardware keyboard). Why? Just let me use Niagara Launcher and a more privacy-focused keyboard everywhere!
Smart Feed collects stories and content from across the web to give you a personalized feed. Which is pretty much what every social media app does, though I’m willing to bet they do it better than Motorola. You likely aren’t using it. So, to disable it, go to Settings > Apps or Apps & Notifications > View All Apps. Then find Smart Feed. Select it, and then select “Disable.” You can’t uninstall it, unfortunately, but you can at least prevent this unnecessary Android manufacturer add-on from opening unwanted links on your device.
Giving them the Benefit of the Doubt…
“Recently, Motorola acted quickly to resolve an issue that was identified, which caused some users in the US launching the Amazon Shopping app to be routed through a web tracking link before opening the app. This behavior was unintended and resulted in an inconsistent user experience.”
– Allison Yi, Executive Director of Product Management at Motorola
The fact that this wasn’t an affiliate link owned by Motorola does lend itself to the idea that this was not intentional on their part. Device Native, also, likely did not intentionally add it. Still, they paved a road, put up a “do not enter sign,” and acted surprised when someone trespassed. You can’t build a tool that allows redirects when an app is opened and not expect it to be misused, that’s one of the key ways hackers get information and money from Android users.
The hacker may have either worked for Motorola or its partner, Device Native. Otherwise, it may have simply been someone who found a flaw and took advantage of it, but this feels like something that may have required access to internal systems. The website the hack opened seemed to be for an influencer, but her socials don’t list that site. The affiliate code that the cookie adds is also not one of hers. It seems whoever did this hid their intentions under multiple layers. They may have created a fake website in her name and directed traffic to it in a number of ways, including through Motorola’s Smart Feed.
Motorola may not have developed the software themselves. But they did create something that could be influenced by a third party. Device Native describes their software as a “personalized, in-device mobile ad serving without sharing user data.” Until recently, they had their SDK for operating with Motorola’s software on their website, but, around the time this flaw was discovered, they took it down. It’s still accessible on the Internet Archive, because thank goodness for the Internet Archive keeping the web’s history honest. I don’t know what we’d do without them.
Motorola may or may not have opened this security flaw, but it happened on their system, with a tool they may have planned to use for ad delivery, and had the sketchy ability to redirect a user before opening apps. In one way or another, their priorities lead to this issue, though it’s at least not as sinister as it looked.
Trust Eroded
“Upon identifying the issue, we promptly corrected the routing configuration. Users can now expect all installed apps to launch directly as intended.”
– Allison Yi, Executive Director of Product Management at Motorola
Can we?
Fortunately, I don’t do anything of importance on my Android devices. Mostly that’s because I assume Google is doing something akin to this. On top of that, I know Google uses their services to train AI and “improve ads.” But creating a pre-installed app that every Motorola user would get in their newest smartphones and giving it the ability to hijack app opening is diabolical. There’s no good reason to create a service or launcher that doesn’t open the app a user taps on right away, instead allowing them to be redirected. Even if Motorola didn’t make this to add affiliate links and ads, they certainly created the possibility, and it’s not something that should ever exist on a mobile device.
As a software developer, I know how much work goes into planning features like this. At large companies I’ve worked at, I’ve insisted on doing “pre-mortems” for large feature launches, where we “red team” the feature, finding ways that the feature could be abused or hacked. There’s no way this feature would have passed through such an examination. On top of that, it’s clearly one that enables a feature that users wouldn’t want anyway, either to serve up ads or for this very purpose, to install tracking cookies or affiliate codes.
Motorola would have to make some large changes to gain back my trust. Unfortunately, the entire Android ecosystem is tainted by Google’s inclusion anyway, so it’s hard to really see Motorola as worse than anything else Google is doing.
Thank goodness for Android Open Source products, de-Googled versions of Android, and Linux phones. I hope we start to see them spread as consumers become more wary of Google and other company’s tracking capabilities. Motorola just reminded me why I avoid Android. Until more secure Android devices become more mainstream, I, like many privacy-conscious users, am stuck using boring old iOS.
Sources:
- Kabir Jain, Gizbot
- Rajesh Pandey, Android Police
- Dominic Preston, The Verge
- Ben Schoon, 9to5Google, [2]
- Hadlee Simons, Android Authority, [2]