Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
A UK team of researchers has carried out a study discovering some Android privacy issues related to Android smartphones.
Huawei Android devices, Realme, Xiaomi, and Samsung represented the experts’ focus during their research. Besides, they also analyzed LineageOS and /e/OS.
Android Privacy Issues: What Is All About?
Regarding the Android privacy issues, the ones who investigated this topic summarized the data collected by each Android OS variant in a table that can be found in their research paper.
Therefore, it seems that some sensitive user information, besides being shared with device vendors, is also being shared with third parties like, for example, Facebook, Linked In, and Microsoft. As we can see from the table above, this shared data includes also:
- Persistent identifiers
- Details related to the application usage
- Telemetry data
As it comes out from the table, Google seems to appear almost everywhere, being the most common data receiving end.
With the notable exception of /e/OS, even when minimally configured and the handset is idle these vendor-customized Android variants transmit substantial amounts of information to the OS developer and also to third parties (Google, Microsoft, LinkedIn, Facebook, etc.) that have pre-installed system apps.
Further Insight Into the Matter
The same study explains that there is no “Opt-out” option available for Android users to choose as a mitigation measure against this type of data collection. Some smartphones vendor include third-party apps sometimes. This means that these third-party apps perform data collection in a silent way, so it does not matter if the owner of the device does not make use of them. What’s more, is that they cannot be removed.
In regards to apps like miui.analytics (Xiaomi), Heytap (Realme), and Hicloud (Huawei) which are basically build-in applications, the information can serve as a goal of man-in-the-middle (MitM) cyberattacks and this is because the information encrypted on these apps is possible to be decrypted.
The experts under discussion have also shared a diagram of the data volume in KB/h that each vendor transmits:
What’s interesting to mention as emphasized by the researchers is the fact that even if Google Account advertising identifiers are reset on Android, this does not prevent the data collection system make the new ID relink to the same device.
What Google Said About It
Following the revealing of the study under discussion, Google has addressed the matter in a declaration to BleepingComputer:
While we appreciate the work of the researchers, we disagree that this behavior is unexpected – this is how modern smartphones work. As explained in our Google Play Services Help Center article, this data is essential for core device services such as push notifications and software updates across a diverse ecosystem of devices and software builds. For example, Google Play services uses data on certified Android devices to support core device features. Collection of limited basic information, such as a device’s IMEI, is necessary to deliver critical updates reliably across Android devices and apps.
As Google explains, it seems that data collection is a necessity that goes hand in hand with some core device features and the delivery of usual updates.
Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!
