Everyone who uses an Android phone has probably had some security-conscious acquaintance ask, "don't you know how much data your phone is harvesting?" Most of us shrug it off as one of the unavoidable circumstances of modern life: you want a smartphone, you deal with data harvesting. Still, some folks aren't so willing to make that sacrifice.
A new collaborative study from the University of Edinburgh in Scotland and Trinity College Dublin in Ireland tested Android-based phones from Samsung, Xiaomi, Huawei, and Realme as well as handsets running LineageOS and the open-source, privacy-focused /e/OS. The study found that "even when minimally configured and the handset is idle, the vendor-customized Android variants transmit substantial amounts of information to the OS developer and also third-parties (Google, Microsoft, LinkedIn, Facebook, etc.)"
As the paper's authors note, while much has been said about the privacy concerns surrounding specific apps, relatively little has been written about privacy concerns in the operating system itself. After testing, the authors are enthusiastic that this topic needs much more attention, as they found that devices are gobbling up gigabytes of data even when idle.
Credit: Trinity College Dublin
Credit: Trinity College Dublin
More specifically, the researchers found that Samsung, Xiaomi, Huawei, and Realme handsets collect device and user identifiers, device configuration information, and arguably most damning, user event logging (as a form of "telemetry.") Only Samsung and Xiaomi devices were found to log significant amounts of user interaction event data, though -- the other devices mainly focused on resettable user identifiers.
That's not too comforting given that the researchers also demonstrate how gathered data that is linked to these resettable user identifiers (such as advertising IDs) can still be linked back to the original device and user. Furthermore, the researchers comment that the biggest culprit behind data harvesting is in fact Google itself. In the paper, they say that "Google Play Services and the Google Play store collect large volumes of data from all of the handsets," excepting the /e/OS device, as that OS does not use Google Play services.
The authors go on to note "the opaque nature of this data collection," commenting that Google doesn't provide any documentation, and that the payloads are delivered as binary-encoded data generated by intentionally-obfuscated code. Apparently, they have been in discussions with Google to have the Android creator publish documentation for this data collection/telemetry, "but to date that has not happened."
The study is quite in-depth and filled with technical jargon, but it's still worth a read if you're even tangentially interested in the topic. You can find the PDF document on the Trinity College Dublin website.
Read well
