Prof. Doug Leith at Trinity College Dublin along with Dr. Paul Patras and Haoyu Liu at the University of Edinburgh examined the data sent by six variants of the Android OS developed by Samsung, Xiaomi, Huawei, Realme, LineageOS and /e/OS.
Even when minimally configured and the handset is idle, with the notable exception of e/OS, these vendor-customized Android variants transmit substantial amounts of information to the OS developer and to third parties such as Google, Microsoft, LinkedIn, and Facebook that have pre-installed system apps. There is no opt-out from this data collection.
While occasional communication with OS servers is to be expected, the authors of the study say the observed data transmission goes well beyond this and raises a number of privacy concerns.
Prof. Doug Leith, chair of computer systems at the School of Computer Science and Statistics in Trinity College Dublin, said: “I think we have completely missed the massive and ongoing data collection by our phones, for which there is no opt out. We’ve been too focused on web cookies and on badly-behaved apps.
I hope our work will act as a wake-up call to the public, politicians and regulators. Meaningful action is urgently needed to give people real control over the data that leaves their phones.”
Dr. Paul Patras, Associate Professor in the School of Informatics at the University of Edinburgh, said: “Although we’ve seen protection laws for personal information adopted in several countries in recent years, including by EU member states, Canada and South Korea, user-data collection practices remain widespread.
Privacy-conscious Android variants are gaining traction though and our findings should incentivise market-leading vendors to follow suit.”
Key findings from the study:
- With the exception of e/OS, all of the handset manufacturers examined collect a list of all the apps installed on a handset. This is potentially sensitive information since it can reveal user interests, e.g., a mental health app, a Muslim prayer app, a gay dating app, a Republican news app. There is no opt out from this data collection.
- On the Huawei handset the Swiftkey keyboard sends details of app usage over time to Microsoft. This reveals, for example, when a user is writing a text, using the search bar, searching for contacts.
- Samsung, Xiaomi, Realme and Google collect long-lived device identifiers, e.g., the hardware serial number, alongside user-resettable advertising identifiers. This means that when a user resets an advertising identifier the new identifier value can be trivially re-linked back to the same device, potentially undermining the use of user-resettable advertising identifiers.
- Third-party system apps, e.g., from Google, Microsoft, LinkedIn and Facebook, are pre-installed on most of the handsets and silently collect data, with no opt out.
- There may exist a data ecosystem where data collected from a handset by different companies is shared/linked. Notably, the privacy focused e/OS variant of Android was observed to transmit essentially no data.
A new study published today takes an in-depth look at how apps used in schools are sharing children’s data with third parties. The research found the majority of school apps transmit data and that Android is 8x more likely to be sending that data to “very high-risk” third parties than iOS.
The new study was performed and published by the Me2B Alliance, a nonprofit with the goal of “fostering the respectful treatment of people by technology.” It included a random sample of 73 mobile apps used by 38 schools, “covering at least a half a million people (students, their families, educators, etc.) who use those apps.”
In the big picture including both iOS and Android, Me2B found 6 out of 10 school apps send student data to third parties and that on average, “each app sent data to 10.6 third-party data channels.”
The analysis found that the majority (60%) of school apps were sending student data to a variety of third parties. These included advertising platforms such as Google, to which about half (49%) of the apps were sending student data, as well as Facebook (14%). On average, each app sent data to 10.6 third-party data channels.
But getting more specific, the study revealed Android is a much bigger culprit than iOS.
91% of Android apps send data to high-risk third parties compared to only 26% of iOS apps, and 20% of Android apps sent data to very high-risk third parties, compared to 2.6% of iOS apps.
That means Android is 3.5x more likely than iOS to share student data with high-risk third parties and 8x more likely to share with very high-risk third parties.
Me2B says that Apple’s new App Tracking Transparency (ATT) feature that launched with iOS 14.5 reduces the risk of profile building on Apple devices by third parties and “increases the ‘respectfulness gap’ between iOS and Android apps.” However, the report says that ATT in iOS “may not fully remove the risk of profile building.”
Another concern is that the Me2B researchers believe “upwards of 95% of the third-party data channels are active even when the user isn’t signed in.”
The report also called out both Google and Apple for not detailing what third parties apps share data with:
Further, neither the Google Play Store nor the Apple App Store include details on which third parties are receiving data, leaving users no practical way to understand to whom their data is going, which may well be the most important piece of information for people to make informed decisions about app usage.
Me2B’s key takeaways from the study:
- There is an unacceptable amount of student data sharing with third parties – particularly advertisers and analytics platforms – in school apps.
- School apps – whether iOS or Android, public or private schools – should not include third-party data channels.
- iOS apps were found to be safer than Android apps, and with ongoing improvements the “privacy gap” between iOS and Android apps is expected to widen unless Google makes some changes.
- People still have too little information about which third parties they’re sharing data with, and the app stores (Apple and Google Play) must make this information clearer.
More information: Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets. www.scss.tcd.ie/Doug.Leith/And … d_privacy_report.pdf