Study: What Android whispers about you

Following on from a recent article, "Still online, still chatting", I came across a rather interesting study by researchers from the University of Edinburgh. It deals with the data that the device sends to Android mobile phone manufacturers and to Google itself.

The researchers reset all tested devices to factory settings and, during initial setup, opted out of (declined) every "request" from manufacturers to provide data and to use their applications and specific services. Phones were tested in idle mode, i.e. with a minimum of user interaction and only with the manufacturer's pre-installed applications. Nevertheless, the researchers came to the following conclusion:

"We observe that Samsung, Xiaomi, Realme and Huawei all collect data from user handsets, despite the user having opted out of data collection/telemetry/analytics and making no use of services offered by these companies. This data is tagged with long-lived identifiers that tie it to the physical device, including across factory resets."

One example for all

And what does that actually mean? Even if you don't actively allow detailed information to be sent out, it still happens. Moreover, that information is tied to your specific device through various permanent identifiers (such as the phone's IMEI, or the immutable number of the SIM slot, which is unique to every mobile phone in the world).

To give an example, let's take the commonly used SwiftKey application, currently owned by Microsoft (I will quote freely from the study, pages 9 and 10). Every time SwiftKey is used, Microsoft is sent:

  • the name of the application that SwiftKey opened,
  • the number of characters entered,
  • the timing of the entire activity (start and end),
  • the language used,
  • the number of words guessed,
  • the number of repairs,
  • and much more information.

Essentially, all that is missing are the exact characters and words typed, and Microsoft knows… What actually prevents it from enabling such logging in one of the next versions? Maybe a conscience? 😊

Read more

If you are interested in the full text of the study, you can find it here: https://www.scss.tcd.ie/Doug.Leith/Android_privacy_report.pdf

Part III, THE CHALLENGES OF SEEING WHAT DATA IS SENT, is certainly very interesting for more technically oriented readers: it describes in relative detail how it was possible to collect and decrypt the sent data. In section V, RESULTS, the authors summarize in detail what information is sent from individual devices.