The issue of privacy in the Android world is back in topicality as a result of a study with very few reassuring results conducted by the University of Edinburgh and Trinity College Dublin. Google’s response to the question was not long in coming.
After that in the last few days, there was talk of privacy calling into question two giants like Huawei and Microsoft, this time the discussion becomes broader.
Android & User Data
The aforementioned study conducted by the University of Edinburgh and Trinity College Dublin highlights an allegedly widespread privacy problem in the Android world. The researchers focused their attention on brands such as Samsung, Huawei, Xiaomi, Realme; but also on two custom ROMs such as LineageOS and/OS. The data found is that all customizations continuously exchange data with remote servers, with the only exception of/and. The conclusions of the study are very eloquent:
With the notable exception of /e/OS, even when minimally configured and the phone is idle, these custom Android variants transmit significant amounts of information to the OS developer and even to third parties (Google, Microsoft, LinkedIn, Facebook, etc.) with only the pre-installed system apps.
In the table you see below, the researchers summarized the types of sensitive user data that are exchanged by each of the customizations analyzed in the first launch phase, such as persistent identifiers, details on the use of apps and telemetry information.
In addition to this, it is pointed out that the data in question is not even shared only with the manufacturer, but also with third parties such as Microsoft, LinkedIn and Facebook. The most alarming fact is that this sharing takes place without having installed a single app outside of those that come pre-installed.
In all of this, it is Google, which obtains them in all cases or almost all of the data shared by Android smartphones. On the Samsung smartphones tested, the Google advertising identifier is sent to the Samsung servers and several Samsung system apps collect data using Google Analytics.
Google’s push service is used in the Microsoft OneDrive system app, while on the tested Huawei smartphone, Microsoft’s Swiftkey keyboard sends the Google Advertising ID to Microsoft’s servers. Similarly, the Xiaomi smartphone tested on the Google Advertising ID of the device also ends up on Xiaomi’s servers.
For Android users, there is no way out or opt-out mechanism and the data is especially worrying in the face of the possibility that apps that cannot be uninstalled are natively included in the customizations and collect user data even if not used. Not to mention the fact that some native apps – such as miui.analytics (Xiaomi), Heytap (Realme), Hicloud (Huawei) – use ciphers that can be decrypted, opening up the possibility of man-in-the-middle attacks.
The conclusive part of the study highlights how it is not possible to escape this continuous sharing of data even by restoring the advertising identifiers of one’s Google account on Android. The reason for this is that the system is able to link the new ID to the same device and synchronize the previous tracking history.
Although the user on the card remains anonymous, the data collected make him recognizable; on the other hand, SIM data, smartphone IMEI, location history, IP addresses, network SSID, put together, allow us to trace the identity of the Android user with a good approximation.
In the midst of all this, /e/OS represents whitefly: the fork is not connected to any manufacturer and was born with the aim of protecting privacy, detaching itself in all respects from Google and its services.
Google’s Official Answer
For Google’s official answer to this question, we don’t need to go too far. Big G talks about the sharing of data necessary for the proper functioning of the main services on Android devices. Here is the full text of the message:
While we appreciate the researchers’ work, we disagree that this behavior is unexpected – that’s how modern smartphones work. As explained in our Google Play Services support article, this data is essential for core device services such as push notifications and software updates across a diverse ecosystem of devices and software builds. For example, Google Play services use data on certified Android devices to support core device features. Collecting limited basic information, such as a device’s IMEI, is necessary to reliably deliver critical updates on Android devices and apps.