How a recently published study raises the alarm about data collection by proprietary versions of the Android OS
A paper titled Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets published on Monday by Haoyu Liu, Paul Patras and Trinity College Dublin computer scientist Douglas Leith, author of an earlier study on the topic, has found that handset vendors collect data with their pre-installed proprietary versions of Android even when the handset is idle. Pre-installed system apps include the Google Apps package, as well as Microsoft, LinkedIn and Facebook system apps.
Although a mobile OS may need to communicate with servers to check for updates or send telemetry, what the researchers found was that five out of the six studied proprietary variants of the Android system would transmit substantial amounts of information to both the OS developer and to third-parties that have their system apps pre-installed on the handset.
/e/OS – the fork of LineageOS, an open-source Android distribution with a reputation for being Google-free – is the only exception among the studied operating systems as it sends no data to Google or third parties and basically no information to /e/OS developers either. Although Prof. Douglas Leith has already pointed out in a study from April that large reams of data are being collected by Android and iOS devices such as IMEI number – a mobile’s 15-digit long “fingerprint”, SIM serial number, phone number, location and telemetry – pre-installed vendor versions of Android have proved to reveal even more about the owner of the handset. Even functions allowing the user to reset an ad identifier to protect their privacy are of little use as the new identifier value can be trivially re-linked back to the same device.
The study has also found that the data collected by different parties from the same handset can be crosslinked – for example, a Google advertising ID is sent to Samsung, while Microsoft’s OneDrive system app relies on Google’s push service. Furthermore, the Xiaomi handset has been found to transmit data on when the device’s screen has been viewed and for how long, and five of the handset makers also collect a list of all the apps installed on a mobile, which also raises rather serious privacy concerns.
In a statement Prof. Doug Leith said: “I think we have completely missed the massive and ongoing data collection by our phones, for which there is no opt out. We’ve been too focused on web cookies and on badly-behaved apps… I hope our work will act as a wake-up call to the public, politicians and regulators. Meaningful action is urgently needed to give people real control over the data that leaves their phones.”