Researchers Find Android Phones Still Track You, Even When You Opt Out

If you use an Android phone and are (rightly!) concerned about digital privacy, you’ve probably already taken care of the basics. You have removed the snoopiest of the snoopy apps, have opted out of tracking whenever possible, and have taken every other precaution that popular privacy guides have directed you to take. The bad news, and you may want to sit down for this, is that none of those steps is enough to make you completely tracking-free.

Or at least, that’s the central idea of a new paper by researchers at Trinity College in Dublin who looked at the data-sharing habits of some popular variants of the Android operating system, including those developed by Samsung, Xiaomi, and Huawei. According to the researchers, even “with little configuration” out of the box and when left idle, these devices incessantly send device data to the operating system’s developers and a host of selected third parties. What’s worse is that there is often no way to opt out of this data pinging, even if users want to.

Much of the blame here, as the researchers point out, lies with the so-called “system apps.” These are applications that are pre-installed by the hardware manufacturer on a given device to offer a certain type of functionality: a camera or a messaging app are examples. Android generally packages these apps in what’s known as the device’s “read-only memory” (ROM), which means you can’t delete or modify these apps without, well, rooting your device. And unless you do, the researchers found, these apps constantly send device data to their parent company and more than a few third parties, even if you never open them.

Here’s an example: Let’s say you own a Samsung device that’s bundled with some pre-installed Microsoft bloatware, including (ugh) LinkedIn. Although there’s a good chance you’ll never open LinkedIn for any reason, that hard-coded app is constantly pinging Microsoft’s servers with details about your device. In this case, it’s so-called “telemetry data,” which includes details such as the unique identifier of your device and the number of Microsoft applications that you have installed on your phone. This data is also shared with any third-party analytics providers that these apps may have connected to, which generally means Google, as Google Analytics is the reigning king of all analytics tools out there.

[Figure: data collection chart]

As for hard-coded apps that you might open from time to time, even more data is sent with every interaction. Researchers spotted Samsung Pass, for example, sharing details with Google Analytics such as timestamps showing when you were using the app and for how long. The same goes for Samsung’s Game Launcher, and for every time you open Samsung’s virtual assistant, Bixby.

Samsung is not alone here, of course. Google’s messaging app, which comes pre-installed on phones from Samsung competitor Xiaomi, was caught sharing timestamps of every user interaction with Google Analytics, along with logs of each time that user sent a text message. Huawei devices were caught doing the same. And on devices where Microsoft’s SwiftKey came pre-installed, logs detailing each time the keyboard was used in another application or elsewhere on the device were shared with Microsoft.

We’ve barely scratched the surface here when it comes to what each app does on each device these researchers examined, so you should check out the whitepaper or, better yet, check out our handy guide on snooping on Android’s data-sharing practices yourself. But for the most part, you’ll see pretty, well, boring-looking data being shared: event logs, details about your device’s hardware (like model and screen size), along with some sort of identifier, such as a phone’s hardware serial number and mobile ad identifier, or “AdID.”

On their own, none of these data points can identify your phone as uniquely yours, but together they form a unique “fingerprint” that can be used to track your device, even if you try to opt out. The researchers note that while the Android Advertising ID can technically be reset, the fact that apps generally send it alongside more permanent identifiers means that these apps, and the third parties they are working with, will know who you are anyway. Researchers found this to be the case for some of the other resettable IDs offered by Samsung, Xiaomi, Realme, and Huawei.
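The linkage described above can be checked mechanically when auditing captured app telemetry. The following is an added example, not code from the paper or the original article: the event records are constructed, and the field names (`ad_id`, `hw_serial`, `imei`) and app and host names are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events (assumed schema, not data from the study).
EVENTS = [
    {"app": "com.example.keyboard", "dest": "telemetry.example.com",
     "ad_id": "aaaa-1111", "hw_serial": "SER123", "model": "X1"},
    # Same app after the user reset the advertising ID:
    {"app": "com.example.keyboard", "dest": "telemetry.example.com",
     "ad_id": "bbbb-2222", "hw_serial": "SER123", "model": "X1"},
    # This app sends only the resettable ID plus a non-unique attribute.
    {"app": "com.example.notes", "dest": "stats.example.net",
     "ad_id": "aaaa-1111", "model": "X1"},
    {"app": "com.example.notes", "dest": "stats.example.net",
     "ad_id": "bbbb-2222", "model": "X1"},
]

RESETTABLE = {"ad_id"}             # identifiers the user can reset
PERSISTENT = {"hw_serial", "imei"}  # identifiers that survive a reset


def audit_reset_linkability(events):
    """Flag (app, destination) pairs that send a resettable ID in the same
    payload as a persistent one, and list the ad IDs that become linkable."""
    seen = defaultdict(set)  # (app, dest, field, value) -> ad IDs seen with it
    for ev in events:
        for r in ev.keys() & RESETTABLE:
            for p in ev.keys() & PERSISTENT:
                seen[(ev["app"], ev["dest"], p, ev[p])].add(ev[r])
    findings = []
    for (app, dest, field, _value), ad_ids in sorted(seen.items()):
        findings.append({
            "app": app,
            "dest": dest,
            "persistent_field": field,
            "linked_ad_ids": sorted(ad_ids),
            # More than one ad ID under one persistent ID means the
            # receiver can join the pre-reset and post-reset profiles.
            "reset_defeated": len(ad_ids) > 1,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_reset_linkability(EVENTS):
        print(finding)
```

Only the keyboard app is flagged: the notes app also sees both ad IDs, but nothing in its payloads ties the old value to the new one.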

To its credit, Google has some developer rules intended to thwart particularly invasive apps. It tells developers that they can’t connect a device’s unique ad ID to something more persistent (like that device’s IMEI, for example) for any kind of advertising-related purpose. And while analytics providers can make that link, they can only do so with the “explicit consent” of the user.

“If reset, a new advertising identifier must not be connected to a previous advertising identifier or data derived from a previous advertising identifier without the explicit consent of the user,” Google explains on a separate page detailing these development policies. “You must comply with a user’s ‘Disable interest-based advertising’ or ‘Disable ad personalization’ settings. If a user has enabled this setting, they cannot use the advertising identifier to create user profiles for advertising purposes or to target users with personalized advertising.”

It’s worth noting that Google doesn’t set rules about whether developers can collect this information, only what they can do with it once it’s collected. And because these are pre-installed apps that are often stuck on your phone, the researchers found that they were often allowed to bypass the user’s explicit privacy opt-out settings simply by running in the background, regardless of whether or not that user opened them. And without an easy way to remove them, that data collection will keep happening (and keep happening) until the owner of that phone gets creative with rooting or dumps their device in the ocean.

Google, when asked by the folks at BleepingComputer about this data collection that you cannot opt out of, replied that this is simply “how modern smartphones work”:

As explained in our Google Play Services Help Center article, this data is essential for core device services, such as push notifications and software updates, across a diverse ecosystem of devices and software builds. For example, Google Play services use data on certified Android devices to support the main functions of the device. The collection of limited basic information, such as a device’s IMEI, is necessary to reliably deliver critical updates across all Android devices and applications.

Which sounds logical and reasonable, but the study itself shows that it’s not the whole story. As part of the study, the team examined a device equipped with /e/OS, an open source privacy-focused operating system that has been billed as a “Google removed” version of Android. This system swaps Android’s built-in applications, including the Google Play store, for free and open source equivalents that users can access without the need for a Google account. And wouldn’t you know it, when these devices were left idle, they didn’t send “any information to Google or other third parties” and “essentially no information” to the /e/ developers.

In other words, this aforementioned tracking hell is clearly only unavoidable if you feel like Google’s presence on your phone is unavoidable too. Let’s be honest here, it is for most Android users. So what can a Samsung user do besides, you know, be tracked?

Well, they can get legislators to care, for starters. The privacy laws we have on our books today, such as GDPR in the EU and CCPA in the US, are designed almost exclusively to address how technology companies handle identifiable forms of data, such as your name and address. So-called “anonymous” data, such as the hardware specifications of your device or its advertising ID, generally falls outside these laws, even though it can generally be used to identify you regardless. And if we can’t successfully demand a review of our country’s privacy laws, then perhaps one of the many massive antitrust lawsuits Google is staring down right now will have the company put a cap on some of these invasive practices.
