Android devices constantly spy on their owners

A joint team of researchers from several UK universities found many privacy issues with Android smartphones.

The experts tested devices made by Samsung, Xiaomi, Realme and Huawei, as well as the LineageOS and /e/OS operating systems (two well-known forks of Android that are designed to provide long-term support and let users do without Google services).

It is important to note that the analysis covered data collection that cannot be opted out of; that is, Android users can do nothing about this telemetry. The researchers emphasize that this matters especially when smartphone manufacturers ship their devices with third-party applications that cannot be removed (they silently collect data even when the owner of the device is not using them).

“With the exception of /e/OS, even with minimal settings and in the case when the phone is idle, these custom Android variants transmit a lot of information to the OS developer, as well as third parties (Google, Microsoft, LinkedIn, Facebook, etc.), whose applications are preinstalled in the system,” experts say.

As you can see in the table below, sensitive user data, including persistent identifiers, app usage, and telemetry, is shared not only with device manufacturers but also with various third parties. Moreover, Google is almost always among the recipients of all the collected data.

Experts also noticed that the encrypted data of some built-in system applications, such as miui.analytics (Xiaomi), Heytap (Realme) and Hicloud (Huawei), can sometimes be decrypted, which puts their users at risk of man-in-the-middle (MitM) attacks.

Data volume (Kb / hour) transmitted by each vendor

Equally interesting is that when a user resets the advertising ID for their Google account on Android, the data collection system can still easily associate the new ID with the same device and append it to the same tracking history. Users are de-anonymized by a variety of methods, including SIM card data, IMEI, location history, IP address, network SSID, and so on.

Possible cross-referenced data collection points
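
To show why resetting the advertising ID does not break the tracking history, here is an added example (not code from the study or from any vendor) that audits a constructed set of telemetry records and groups the advertising IDs a recipient could tie to one device. The field names, sample values and the `linkable_ad_ids` helper are assumptions made for illustration.

```python
from collections import defaultdict

# Fields treated as persistent identifiers (names are assumptions for this example).
PERSISTENT_KEYS = ("imei", "sim_serial", "wifi_ssid")

# Constructed sample records, as an auditor might recover them from captured traffic.
EVENTS = [
    {"ad_id": "ad-1111", "imei": "IMEI-A", "sim_serial": "SIM-A"},
    {"ad_id": "ad-2222", "imei": "IMEI-A"},                 # after a reset, same IMEI
    {"ad_id": "ad-3333", "sim_serial": "SIM-A", "wifi_ssid": "home-net"},
    {"ad_id": "ad-9999", "imei": "IMEI-B", "sim_serial": "SIM-B"},  # another device
    {"ad_id": "ad-7777"},                                   # sent with no other identifier
]


def find(parent, node):
    """Union-find root lookup with path halving."""
    while parent[node] != node:
        parent[node] = parent[parent[node]]
        node = parent[node]
    return node


def linkable_ad_ids(events, keys=PERSISTENT_KEYS):
    """Group advertising IDs that co-occur, directly or transitively,
    with the same persistent identifier."""
    parent = {}
    for event in events:
        nodes = [("ad_id", event["ad_id"])]
        nodes += [(k, event[k]) for k in keys if k in event]
        for node in nodes:
            parent.setdefault(node, node)
        root = find(parent, nodes[0])
        for node in nodes[1:]:
            parent[find(parent, node)] = root  # merge into this event's set
    groups = defaultdict(set)
    for node in parent:
        if node[0] == "ad_id":
            groups[find(parent, node)].add(node[1])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


if __name__ == "__main__":
    for group in linkable_ad_ids(EVENTS):
        status = "linked across resets" if len(group) > 1 else "not linkable"
        print(status, group)
```

A group with more than one advertising ID means the reset had no privacy effect for that device: the IDs are joined through an identifier the user cannot change from the settings screen.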

Bleeping Computer quotes /e/OS creator Gael Duval, who commented on the findings of the report’s authors:

“Today, more and more people are realizing that the advertising model that powers the mobile OS business is based on the collection of personal data on an industrial scale never before seen on a global scale. This negatively affects many aspects of our lives and can even threaten democracy, as has already happened. I believe that we need regulation of personal data protection more than ever. It all started with the GDPR, but that’s not enough, and we need to move to a privacy-by-default model instead of a privacy-as-an-option.”

Google experts also commented on the researchers’ publication. In essence, the company said that there is no threat to privacy and that all modern gadgets work this way.

“While we value the work of researchers, we disagree that this [device] behavior is unexpected: this is how smartphones work today. As explained in the Google Play Services Help Center article, in a diverse ecosystem of devices and software assemblies, this data is required for basic device services, including push notifications and software updates. For example, Google Play services use data from certified Android devices to support their core functionality. Collecting limited basic information, such as device IMEIs, is essential to reliably deliver critical updates to all Android devices and applications,” Google says.
