Mobiles snoop on users even when handset is idle

How a recently published study raises the alarm about data collection by proprietary versions of the Android OS

A paper titled “Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets”, published on Monday by Haoyu Liu, Paul Patras and Trinity College Dublin computer scientist Douglas Leith, author of an earlier study on the topic, has found that handset vendors collect data with their pre-installed proprietary versions of Android even when the handset is idle. Pre-installed system apps include the Google Apps package, as well as Microsoft, LinkedIn and Facebook system apps.

Although a mobile OS may need to communicate with servers to check for updates or send telemetry, the researchers found that five of the six proprietary Android variants studied transmit substantial amounts of information both to the OS developer and to third parties that have their system apps pre-installed on the handset.

/e/OS – a fork of LineageOS, an open-source Android distribution with a reputation for being Google-free – is the only exception among the studied operating systems: it sends no data to Google or third parties and basically no information to /e/OS developers either. Prof. Douglas Leith already pointed out in a study from April that Android and iOS devices collect large reams of data, such as the IMEI number (a mobile’s 15-digit “fingerprint”), SIM serial number, phone number, location and telemetry, but pre-installed vendor versions of Android have proved to reveal even more about the owner of the handset. Even functions that let the user reset an ad identifier to protect their privacy are of little use, as the new identifier value can be trivially re-linked back to the same device.

The study has also found that the data collected by different parties from the same handset can be cross-linked – for example, a Google advertising ID is sent to Samsung, while Microsoft’s OneDrive system app relies on Google’s push service. Furthermore, the Xiaomi handset has been found to transmit data on when the device’s screen has been viewed and for how long. Five of the handset makers also collect a list of all the apps installed on a mobile, which raises rather serious privacy concerns as well.

In a statement Prof. Doug Leith said: “I think we have completely missed the massive and ongoing data collection by our phones, for which there is no opt out. We’ve been too focused on web cookies and on badly-behaved apps… I hope our work will act as a wake-up call to the public, politicians and regulators. Meaningful action is urgently needed to give people real control over the data that leaves their phones.”

Copyright Lyonsdown Limited 2021
