Android Phones Sharing Significant User Data Without Opt-Outs

Written by

Android mobile phones are undertaking significant data sharing without offering opt-outs for users, according to a new report by researchers at Trinity College Dublin and the University of Edinburgh.

The authors said the scale of data transmission taking place is far beyond what is to be expected, raising major privacy concerns.

For the study, the team analyzed six variants of the Android OS to determine the amount of data they are sending to developers and third parties with pre-installed system apps, such as Google, Microsoft, LinkedIn and Facebook. The phones manufacturers included in the study were Samsung, Xiaomi, Huawei, Realme, LineageOS and /e/OS.

All of the developers, with the exception of e/OS, collected a list of all the apps installed on a handset. The researchers noted this information is potentially sensitive, as it can reveal user interests, such as sexual orientation or political views, e.g., a Republican news app.

The Xiaomi handset was revealed to be sending details of all app screens viewed by users to Xiaomi, including when and for how long each app is used. This data appeared to be sent outside Europe to Singapore. The Huawei handset sent tech giant Microsoft details of app usage, including when the user is writing a text or using the search bar.

Four firms – Samsung, Xiaomi, Realme and Google – were shown to collect long-lived device identifiers, such as the hardware serial number and user-resettable advertising identifiers. This data allows a new identifier value to be trivially re-linked back to the same device when a user resets an advertising identifier.

Additionally, the researchers noted that third-party system apps from companies such as Google, Microsoft, LinkedIn and Facebook are pre-installed on most handsets analyzed and silently collected data without opt-out. This even occurs when the phone is minimally configured and the handset is idle.

Interestingly, the privacy-focused e/OS variant of Android was observed to transmit virtually no data.

Prof Doug Leith, chair of computer systems at the School of Computer Science and Statistics, Trinity College Dublin, commented: “I think we have completely missed the massive and ongoing data collection by our phones, for which there is no opt out. We’ve been too focused on web cookies and on badly-behaved apps.  

“I hope our work will act as a wake-up call to the public, politicians and regulators. Meaningful action is urgently needed to give people real control over the data that leaves their phones.”

Dr Paul Patras, associate professor in the School of Informatics, University of Edinburgh, said: “Although we’ve seen protection laws for personal information adopted in several countries in recent years, including by EU member states, Canada and South Korea, user-data collection practices remain widespread. More worryingly, such practices take place “under the hood” on smartphones without users’ knowledge and without an accessible means to disable such functionality. Privacy-conscious Android variants are gaining traction though and our findings should incentivize market-leading vendors to follow suit.”

Commenting on the research, Niamh Muldoon, global data protection officer at OneLogin, warned many phone developers could be facing the prospect of large fines if changes are not made. "This research is really interesting as it highlights the risk and financial business impact of not investing in a robust privacy program, which is something that not all businesses pay attention to.

“The business impact is the financial cost associated with legal fees and potential privacy regulatory fines as a result of not adhering to GDPR compliance requirements. There are also financial implications with employee compensation if found that the privacy of their data was not adhered to both from a business collection purpose and/or if adequate protection controls were not in place leading to the result of their data being breached.”

What’s hot on Infosecurity Magazine?