Study Reveals Android Phones Constantly Snoop On Their Users

Study Reveals Android Phones Constantly Snoop On Their Users

A new study by a team of university researchers in the UK has unveiled a host of privacy issues that arise from using Android smartphones.

The researchers have focused on Samsung, Xiaomi, Realme, and Huawei Android devices, and LineageOS and /e/OS, two forks of Android that aim to offer long-term support and a de-Googled experience

The conclusion of the study is worrying for the vast majority of Android users .

With the notable exception of /e/OS, even when minimally configured and the handset is idle these vendor-customized Android variants transmit substantial amounts of information to the OS developer and also to third parties (Google, Microsoft, LinkedIn, Facebook, etc.) that have pre-installed system apps. – Researchers.

As the summary table indicates, sensitive user data like persistent identifiers, app usage details, and telemetry information are not only shared with the device vendors, but also go to various third parties, such as Microsoft, LinkedIn, and Facebook.

Also Read: 4 Best Practices On How To Use SkillsFuture Credit

Summary of collected data
Source: Trinity College Dublin

And to make matters worse, Google appears at the receiving end of all collected data almost across the entire table.

No way to “turn it off”

It is important to note that this concerns the collection of data for which there’s no option to opt-out, so Android users are powerless against this type of telemetry.

This is particularly concerning when smartphone vendors include third-party apps that are silently collecting data even if they’re not used by the device owner, and which cannot be uninstalled.

For some of the built-in system apps like miui.analytics (Xiaomi), Heytap (Realme), and Hicloud (Huawei), the researchers found that the encrypted data can sometimes be decoded, putting the data at risk to man-in-the-middle (MitM) attacks.

Also Read: 3 Reasons Why You Must Take A PDPA Singapore Course

Volume of data (KB/h) transmitted by each vendor
Source: Trinity College Dublin

As the study points out, even if the user resets the advertising identifiers for their Google Account on Android, the data-collection system can trivially re-link the new ID back to the same device and append it to the original tracking history..

The deanonymisation of users takes place using various methods, such as looking at the SIM, IMEI, location data history, IP address, network SSID, or a combination of these.

Potential cross-linking data collection points
Source: Trinity College Dublin

Privacy-conscious Android forks like /e/OS are getting more traction as increasing numbers of users realize that they have no means to disable the unwanted functionality in vanilla Android and seek more privacy on their devices.

However, the majority of Android users remain locked into never ending stream of data collection, which is where regulators and consumer protection organizations need to step in and to put an end to this.

Gael Duval, the creator of /e/OS has told BleepingComputer: 

Today, more people understand that the advertising model that is fueling the mobile OS business is based on the industrial capture of personal data at a scale that has never been seen in history, at the world level. This has negative impacts on many aspects of our lives, and can even threaten democracy as seen in recent cases. I think regulation is needed more than ever regarding personal data protection. It has started with the GDPR, but it’s not enough and we need to switch to a “privacy by default” model instead of “privacy as an option”.

Update – A Google spokesperson has provided BleepingComputer the following comment on the findings of the study: 

While we appreciate the work of the researchers, we disagree that this behavior is unexpected – this is how modern smartphones work. As explained in our Google Play Services Help Center article, this data is essential for core device services such as push notifications and software updates across a diverse ecosystem of devices and software builds. For example, Google Play services uses data on certified Android devices to support core device features. Collection of limited basic information, such as a device’s IMEI, is necessary to deliver critical updates reliably across Android devices and apps.

Privacy Ninja

Recent Posts

Role of Enhanced Access Controls in Safeguarding Personal Data in Telecommunications

Role of Enhanced Access Controls in Safeguarding Personal Data in Telecommunications that every Organisation in…

2 weeks ago

Role of Effective Incident Response Procedures in Strengthening Data Security

Effective Incident Response Procedures in Strengthening Data Security that every Organisation in Singapore should know…

2 weeks ago

Strengthening Your Cyber Defenses: The Crucial Role of Regular Vulnerability Scanning

Crucial Role of Regular Vulnerability Scanning that every Organisation in Singapore should know. Strengthening Your…

2 weeks ago

Enhancing Data Security with Multi-Factor Authentication

Enhancing Data Security with Multi-Factor Authentication that every Organisation in Singapore should know. Enhancing Data…

3 weeks ago

A Strong Password Policy: Your Organization’s First Line of Defense Against Data Breaches

Strong Password Policy as a first line of defense against data breaches for Organisations in…

3 weeks ago

Enhancing Website Security: The Importance of Efficient Access Controls

Importance of Efficient Access Controls that every Organisation in Singapore should take note of. Enhancing…

4 weeks ago