How much do you trust your smartphone?
Like many people, you probably always carry your mobile phone in your pocket. You may even have grown fond of your device, to which you entrust all of your most intimate secrets and photos.
However, according to a recent study, Android smartphones are anything but trustworthy.
The study, conducted by teams from the University of Edinburgh in Scotland and Trinity College Dublin in Ireland, uncovered a variety of privacy issues related to the use of Android smartphones by major brands.
Professor Doug Leith from Trinity College Dublin, together with Dr. Paul Patras and Haoyu Liu from the University of Edinburgh, examined the data sent by six variants of the Android operating system developed by Samsung, Xiaomi, Huawei, Realme, LineageOS and e/OS.
They found that “even with minimal configuration and when the handset is idle, these manufacturer-specific Android variants provide considerable amounts of information to the operating system developer and also to third parties (Google, Microsoft, LinkedIn, Facebook, etc.) with installed system apps”.
What does your phone share about you?
Among the data collected, the researchers noted persistent device identifiers, app usage history and telemetry data.
With the exception of e/OS, all the phone makers examined collect a list of every app installed on the phone, the study emphasizes.
This is potentially sensitive information, as it can reveal user interests, such as which dating app is in use.
According to the study’s authors, there is no way to opt out of this data collection.
“I think we completely missed the massive and continuous data collection from our phones that has no opt-out,” said Leith, who is also the Chair of Computer Systems at the Trinity School of Computer Science and Statistics.
“We focused too much on web cookies and misbehaving apps.”
The professor hopes this study will be a “wake-up call” for the public, politicians and regulators.
“There is an urgent need for meaningful action to give people real control over the data leaving their phones,” he added.
Xiaomi, Samsung and Huawei lead the race for data sharing
According to the research, the Xiaomi handset sends details of “all the app screens that a user has viewed to Xiaomi, including when and for how long each app is used”.
The time and duration of phone calls are a large part of the exposed data, the study shows.
On the Huawei handset, it’s the SwiftKey keyboard that shares details of app usage with Microsoft over time.
“The effect is similar to using cookies to track users’ activities as they move between web pages,” says Dr. Paul Patras, Associate Professor in the University of Edinburgh’s School of Informatics.
On another level, Samsung, Xiaomi, Realme, and Google collect “long-lived device identifiers,” such as the hardware serial number, alongside “user-resettable advertising identifiers”.
Often printed on the bottom or back of the device, the hardware serial number is a unique number used for identification and inventory purposes. It is unique to the user and is most often asked for when reporting a phone theft to the police.
As for the user’s advertising ID, its purpose is to allow advertisers to pseudo-anonymously track user ad activity. It’s assigned by the device or operating environment and stored directly on the device itself.
The fact that these Android systems hold both kinds of identifier implies that “when a user resets an advertising identifier the new identifier value can be trivially re-linked back to the same device, potentially undermining the use of user-resettable advertising identifiers,” the study says.
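A privacy audit of captured handset traffic can check for exactly this pairing. The Python sketch below is an added example, not code from the study; the hosts, field names and records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: decoded telemetry requests logged from a test handset.
# Hosts, field names and values are invented for this example.
CAPTURED = [
    {"host": "telemetry.vendor-a.example", "serial": "SN-0001", "ad_id": "aaaa-1111"},
    {"host": "telemetry.vendor-a.example", "serial": "SN-0001", "ad_id": "bbbb-2222"},  # after reset
    {"host": "ads.vendor-b.example", "ad_id": "aaaa-1111"},
    {"host": "ads.vendor-b.example", "ad_id": "bbbb-2222"},
    {"host": "telemetry.vendor-a.example", "serial": "SN-0002", "ad_id": "cccc-3333"},
]

LONG_LIVED = ("serial", "imei")  # assumed field names for non-resettable identifiers
RESETTABLE = "ad_id"             # assumed field name for the advertising identifier


def hosts_pairing_identifiers(records):
    """Hosts that receive a resettable ad id in the same request as a long-lived id."""
    return sorted({r["host"] for r in records
                   if RESETTABLE in r and any(f in r for f in LONG_LIVED)})


def relinkable_resets(records):
    """Return {host: {(field, value): [ad ids in order seen]}} for every long-lived
    identifier that a host received together with more than one ad id."""
    seen = defaultdict(lambda: defaultdict(list))
    for rec in records:
        ad_id = rec.get(RESETTABLE)
        if ad_id is None:
            continue
        for field in LONG_LIVED:
            if field in rec:
                chain = seen[rec["host"]][(field, rec[field])]
                if ad_id not in chain:
                    chain.append(ad_id)
    findings = {}
    for host, devices in seen.items():
        linked = {key: ids for key, ids in devices.items() if len(ids) > 1}
        if linked:
            findings[host] = linked
    return findings


if __name__ == "__main__":
    print("Hosts pairing identifiers:", hosts_pairing_identifiers(CAPTURED))
    for host, devices in relinkable_resets(CAPTURED).items():
        for (field, value), ids in devices.items():
            print(f"{host}: {field}={value} ties together ad ids {ids}")
```

In the constructed data, the host that sees only advertising IDs cannot connect the old and new values, while the host that also receives the serial number can.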
How to end these ‘under the hood’ practices?
According to the study, there is only one way to avoid falling prey to this large-scale data collection – the e/OS variant created by Frenchman Gael Duval and derived from LineageOS.
This variant of Android is based on a module that allows the use of Google services without transmitting personal data. Access to personal information is blocked for Google and all third-party applications or services.
Apart from this exception, the researchers conclude that it has become essential to provide personal data in order to enjoy the benefits of smartphones and their services.
“Although we’ve seen protection laws for personal information adopted in several countries in recent years, including by EU member states, Canada and South Korea, user-data collection practices remain widespread,” Patras said.
“More worryingly, such practices take place ‘under the hood’ on smartphones without users’ knowledge and without an accessible means to disable such functionality. Privacy-conscious Android variants are gaining traction though and our findings should incentivise market-leading vendors to follow suit”.