How much do you trust your smartphone?
Like many people, you probably carry your mobile phone in your pocket at all times. You may even have grown fond of your device, to which you entrust all your most intimate secrets and photos.
Yet Android smartphones are far from being trustworthy, according to a recent study.
The study – which was conducted by teams from the University of Edinburgh in Scotland and Trinity College Dublin in Ireland – has uncovered a host of privacy issues related to the use of Android-powered smartphones by major brands.
Professor Doug Leith at Trinity College Dublin, along with Dr Paul Patras and Haoyu Liu at the University of Edinburgh, examined the data sent by six variants of the Android OS developed by Samsung, Xiaomi, Huawei, Realme, LineageOS and e/OS.
What they found is that “even when minimally configured and the handset is idle, these vendor-customised Android variants transmit substantial amounts of information to the OS developer and also to third parties (Google, Microsoft, LinkedIn, Facebook etc) that have pre-installed system apps”.
What is your phone sharing about you?
Among the collected data, researchers noted permanent smartphone identifiers, app usage history, and telemetry data.
With the exception of e/OS, all of the handset manufacturers examined collect a list of all the apps installed on a handset, the study highlights.
This is potentially sensitive information since it can reveal user interests, such as the latest dating app used, and so on.
According to the authors of the research, there is no opt out from this data harvesting.
“I think we have completely missed the massive and ongoing data collection by our phones, for which there is no opt out,” Leith, who is also Chair of Computer Systems at Trinity’s School of Computer Science and Statistics, said.
“We’ve been too focused on web cookies and on badly-behaved apps”.
The professor hopes this study will act as a “wake-up call” to the public, politicians, and regulators.
“Meaningful action is urgently needed to give people real control over the data that leaves their phones,” he added.
Xiaomi, Samsung and Huawei to lead the data share race
According to the research, the Xiaomi handset sends details “of all the app screens viewed by a user to Xiaomi, including when and how long each app is used”.
The timing and duration of phone calls are a large part of the exposed data, the study reveals.
On the Huawei handset, it’s the Swiftkey keyboard that shares details of app usage over time with Microsoft.
On another level, Samsung, Xiaomi, Realme, and Google collect “long-lived device identifiers,” such as the hardware serial number, alongside “user-resettable advertising identifiers”.
The hardware serial number, often found on the bottom or back of the device, is a unique number used for identification and inventory purposes. It is unique to the user and is most often asked for when reporting a phone theft to the police.
As for the user’s advertising ID, its purpose is to allow advertisers to pseudo-anonymously track user ad activity. It’s assigned by the device or operating environment and stored directly on the device itself.
The fact that Android systems can store both kinds of identifier together implies that “when a user resets an advertising identifier the new identifier value can be trivially re-linked back to the same device, potentially undermining the use of user-resettable advertising identifiers,” the study says.
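The re-linking the study describes can be checked for when auditing captured telemetry. The Python sketch below is an added example, not code from the study: the field names (`hw_serial`, `imei`, `ad_id`) and the sample payloads are constructed assumptions. It groups identifiers that appear in the same payload and reports whether a reset advertising ID still lands in the same device group.

```python
from collections import defaultdict

# Field names are assumptions for this example, not any vendor's real telemetry schema.
LONG_LIVED = {"hw_serial", "imei"}
RESETTABLE = {"ad_id"}

# Constructed payloads: one handset resets its advertising ID before the third event.
WITH_SERIAL = [
    {"hw_serial": "SN-0001", "ad_id": "aaaa-1111"},
    {"hw_serial": "SN-0001", "ad_id": "aaaa-1111"},
    {"hw_serial": "SN-0001", "ad_id": "bbbb-2222"},
    {"hw_serial": "SN-0002", "ad_id": "cccc-3333"},
]
# The same events with long-lived identifiers left out of the payload.
WITHOUT_SERIAL = [{k: v for k, v in p.items() if k not in LONG_LIVED} for p in WITH_SERIAL]


def find(parent, x):
    """Union-find root lookup with path compression."""
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def linked_ad_ids(payloads):
    """Group advertising IDs that a collector can tie to the same device."""
    parent = {}
    for p in payloads:
        ids = [(k, p[k]) for k in sorted(LONG_LIVED | RESETTABLE) if k in p]
        for ident in ids:
            # Identifiers sharing a payload are linked; linkage is transitive.
            parent[find(parent, ident)] = find(parent, ids[0])
    groups = defaultdict(set)
    for node in list(parent):
        if node[0] in RESETTABLE:
            groups[find(parent, node)].add(node[1])
    return sorted(sorted(g) for g in groups.values())


def reset_is_undermined(payloads):
    """True if any device group holds more than one advertising ID."""
    return any(len(g) > 1 for g in linked_ad_ids(payloads))
```

With the serial number present, the old and new advertising IDs fall into one group; with it omitted, each advertising ID stands alone and the reset holds.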
How to end these ‘under the hood’ practices?
According to the study, there is only one way to avoid falling prey to this large-scale data collection – the e/OS variant created by Frenchman Gael Duval and derived from LineageOS.
This variant of Android is based on a module that allows the use of Google services without transmitting personal data. Access to personal information is blocked for Google and all third-party applications or services.
Apart from this exception, the researchers conclude that it has become essential to provide personal data in order to enjoy the benefits of smartphones and their services.
“Although we’ve seen protection laws for personal information adopted in several countries in recent years, including by EU member states, Canada and South Korea, user-data collection practices remain widespread,” Patras said.
“More worryingly, such practices take place ‘under the hood’ on smartphones without users’ knowledge and without an accessible means to disable such functionality. Privacy-conscious Android variants are gaining traction though and our findings should incentivise market-leading vendors to follow suit”.