A new study by a team of university researchers in the UK has unveiled a host of privacy issues that arise from using Android smartphones.
The researchers have focused on Samsung, Xiaomi, Realme, and Huawei Android devices, and LineageOS and /e/OS, two forks of Android that aim to offer long-term support and a de-Googled experience.
The conclusion of the study is worrying for the vast majority of Android users.
With the notable exception of /e/OS, even when minimally configured and the handset is idle these vendor-customized Android variants transmit substantial amounts of information to the OS developer and also to third parties (Google, Microsoft, LinkedIn, Facebook, etc.) that have pre-installed system apps. - Researchers.
As the summary table indicates, sensitive user data like persistent identifiers, app usage details, and telemetry information are not only shared with the device vendors, but also go to various third parties, such as Microsoft, LinkedIn, and Facebook.
And to make matters worse, Google appears at the receiving end of all collected data almost across the entire table.
No way to "turn it off"
It is important to note that this concerns the collection of data for which there’s no option to opt-out, so Android users are powerless against this type of telemetry.
This is particularly concerning when smartphone vendors include third-party apps that are silently collecting data even if they’re not used by the device owner, and which cannot be uninstalled.
For some of the built-in system apps like miui.analytics (Xiaomi), Heytap (Realme), and Hicloud (Huawei), the researchers found that the encrypted data can sometimes be decoded, putting the data at risk of man-in-the-middle (MitM) attacks.
As the study points out, even if the user resets the advertising identifiers for their Google Account on Android, the data-collection system can trivially re-link the new ID back to the same device and append it to the original tracking history.
The deanonymisation of users takes place using various methods, such as looking at the SIM, IMEI, location data history, IP address, network SSID, or a combination of these.
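The re-linking described above can be checked during a privacy audit of decoded telemetry from a test handset. The following Python sketch is an added example, not code from the study or from any vendor; the event fields and sample values are constructed. It groups advertising IDs that co-occur with the same persistent identifier, and lets the auditor see which identifiers alone are enough to defeat a reset.

```python
from collections import defaultdict

# Identifier types that survive an advertising-ID reset (assumed field names).
PERSISTENT_KEYS = ("imei", "sim_serial", "ssid", "ip")

# Constructed telemetry events, as decoded from a test handset's traffic.
EVENTS = [
    {"ad_id": "ad-1111", "imei": "IMEI-A", "sim_serial": "SIM-A", "ssid": "home-wifi"},
    {"ad_id": "ad-1111", "ip": "198.51.100.7", "ssid": "home-wifi"},
    # the user resets the advertising ID here
    {"ad_id": "ad-2222", "imei": "IMEI-A"},
    {"ad_id": "ad-2222", "ip": "198.51.100.7"},
    # an unrelated device
    {"ad_id": "ad-9999", "imei": "IMEI-B", "sim_serial": "SIM-B", "ssid": "cafe"},
]


def link_ad_ids(events, keys=PERSISTENT_KEYS):
    """Group advertising IDs that share any identifier in `keys` (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for ev in events:
        ad = ("ad_id", ev["ad_id"])
        find(ad)  # register the ad ID even if it carries no other identifier
        for k in keys:
            if k in ev:
                parent[find(ad)] = find((k, ev[k]))

    groups = defaultdict(set)
    for node in list(parent):
        if node[0] == "ad_id":
            groups[find(node)].add(node[1])
    return sorted(sorted(g) for g in groups.values())


def linkable(events, keys=PERSISTENT_KEYS):
    """Return only the groups where more than one advertising ID was joined."""
    return [g for g in link_ad_ids(events, keys) if len(g) > 1]


if __name__ == "__main__":
    print(linkable(EVENTS))                  # old and new ad ID end up together
    print(linkable(EVENTS, keys=("ip",)))    # a single weak identifier suffices
```

Shared identifiers such as an SSID or a NAT'd IP address can also merge distinct devices on the same network, so a group containing several advertising IDs is evidence of linkability, not proof of a single handset.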
Privacy-conscious Android forks like /e/OS are getting more traction as increasing numbers of users realize that they have no means to disable the unwanted functionality in vanilla Android and seek more privacy on their devices.
However, the majority of Android users remain locked into a never-ending stream of data collection, which is where regulators and consumer protection organizations need to step in and put an end to this.
Gael Duval, the creator of /e/OS, has told BleepingComputer:
Today, more people understand that the advertising model that is fueling the mobile OS business is based on the industrial capture of personal data at a scale that has never been seen in history, at the world level. This has negative impacts on many aspects of our lives, and can even threaten democracy as seen in recent cases. I think regulation is needed more than ever regarding personal data protection. It has started with the GDPR, but it's not enough and we need to switch to a "privacy by default" model instead of "privacy as an option".
Update - A Google spokesperson has provided BleepingComputer the following comment on the findings of the study:
While we appreciate the work of the researchers, we disagree that this behavior is unexpected – this is how modern smartphones work. As explained in our Google Play Services Help Center article, this data is essential for core device services such as push notifications and software updates across a diverse ecosystem of devices and software builds. For example, Google Play services uses data on certified Android devices to support core device features. Collection of limited basic information, such as a device’s IMEI, is necessary to deliver critical updates reliably across Android devices and apps.
Update 2 - A person from the LineageOS development team has reached out to share the following statement with BleepingComputer:
The study linked chose to install "opengapps" on a LineageOS device (per page 6). Google Apps are not preinstalled on LineageOS. We have no control over what data is sent by third party applications a user chooses to install, including packages from Google. Those services are neither required nor recommended, and free open source alternatives (such as microG and F-Droid) exist.
Comments
Mallissin - 2 years ago
They installed Opengapps onto Lineage, which does report some information to Google, and not MicroG and then compare it to /e/OS with MicroG installed.
And they do not mention that /e/OS is a fork of Lineage either.
Are the researchers stupid or biased?
GT500 - 2 years ago
Sure, it would be great to use an alternative/privacy-focused mobile OS, but you actually have to have a phone that someone makes firmware for otherwise you can't install it. To make matters worse, supported phones are usually older ones that aren't going to be ideal to switch to just for some extra privacy, and there's no guarantee that whoever is maintaining the firmware for the phone will continue to do so.
doriel - 2 years ago
Nokia 105 is also a phone capable of calling and sending texts, that's what we get for using computers as a cell phone.
Magus007 - 2 years ago
I never thought I would see the day when Bleeping Computer would be prepared to sacrifice its credibility to censor its news to protect Apple. The Oxford report said that both Apple and Android were as bad as each other and yet this story has purged any mention of Apple from it. It would have taken considerable effort to do this, which means that the reporter did it consciously, presumably an Apple fanboy with no interest in writing the truth but very keen on putting their favourite company in a good light. In my day that would have been a sacking offence but then journalism standards have dropped down the toilet and now it seems that even Bleeping Computer is now a member of the Tame Apple Press.
garypdx - 2 years ago
"The Oxford report said that both Apple and Android were as bad as each other and yet this story has purged any mention of Apple from it. … In my day that would have been a sacking offence but then journalism standards have dropped down the toilet and now it seems that even Bleeping Computer is now a member of the Tame Apple Press.” It is you that should be sacked from the forums, sir, as the study linked at the top of the article is titled, “Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets.” It makes zero mention of either Apple or iOS.
JBTito - 2 years ago
Disagree!
I'm using DNS Sink Hole for filtering, and I can see that Huawei phones (P30 with Google apps) are terrible with sending data, Apple (ip 12pro max to be exact) just a little bit less but still a lot. Realme7 almost nothing, just some occasionally (1-3x times a day) call to app-measurement.com, confe.dc.oppomobile.com and httpdns-euex-push.heytapmobile.com.
Magus007 - 2 years ago
Poor lamb you didn't even read the report as it is entitled "Are iPhones Really Better for Privacy? Comparative Study of iOS and Android Apps" https://arxiv.org/pdf/2109.13722.pdf even Toms Hardware managed to spot the correct angle https://www.tomsguide.com/uk/news/ios-android-app-privacy-parity.
darkoverlordofdata - 2 years ago
My first impression is yeah, I know it spies on me, what else is new? I actually tried /e/os earlier this year, with microG, and it’s nice, but pretty useless for me - the main application I need on my phone is my credit union app, and that was not available, so I’m back on stock android. The thing is, I’ve never paid for my phone, the carrier gives me one for free, and it’s good enough for time, weather and media. I figure the data they get is payment for my phone. If someone could explain to me why collecting that data is dangerous...
garypdx - 2 years ago
It was not mentioned in the original article because the research study it was about never included iOS in the first place…
“There's one big caveat regarding the [Oxford] study [that troll bait refs]: It was conducted before the introduction of iOS 14.5 in April 2021, which made opt-in to tracking and app privacy labels mandatory on iPhones.”
I think your tinfoil hat is on too tight as it appears to be limiting your ability to reason clearly & think beyond the scope of your paranoia.
d0x360 - 2 years ago
Adguard... That's why EVERYONE should install Adguard on their phone. The one from the website not the play store.
Not only does it block ads, trackers and analytics in apps and the browser but it also blocks system level analytics from being sent.
So if you want privacy it's the only true way. Oh it can also be used as a firewall
doriel - 2 years ago
Microsoft? What a bastard! OK, they share user data, but LinkedIn, Microsoft and Google receive this data in silence. Android is not to blame, those greedy giants are to blame. They WANT to receive this data, that's the reason why this is happening.
DarienGS - 2 years ago
This paper wasn't published by "university researchers in the UK", it's from Trinity College, Dublin!
Taiwo16670 - 2 years ago
Please how can I track my stolen phone with IME number because they have flashed the phone
doriel - 2 years ago
I'm afraid only phone vendor or police can do that.
If you were "logged out" when phone was flashed, I'm afraid you cannot track it anymore :(