Some Android Devices Send a Lot of Data Back Despite Enabled Privacy Settings, Researchers Show


Researchers from the University of Edinburgh in the UK and Trinity College Dublin in Ireland analyzed the traffic sent in the background by Android devices from Samsung, Xiaomi, Huawei, Oppo, LineageOS and /e/OS. They found that, even with the OS set up to send back as little data as possible, native and third-party apps continue to send data that seems to go beyond regular communication with the servers.

While Samsung, Xiaomi, Huawei and Oppo are well-known phone manufacturers, LineageOS and /e/OS don’t actually make devices. They are open-source Android variants, with LineageOS gathering a total of 30 million users. /e/OS is even less known, but it’s an OS focused on privacy.

It’s no secret that manufacturers and developers pull data from devices, and it’s even expected in some situations. Smartphones have to communicate with servers, but the scope of that communication is not always clear. Furthermore, determining whether companies share the data they collect is a murky endeavor as well.

The university researchers used various methods to track the traffic, including rooted devices, reverse engineering and controlled Wi-Fi networks. They found that it is not only the default OS apps that send a lot of data back; third-party apps do so as well.

“We find that the Samsung, Xiaomi, Huawei and Realme Android variants all transmit a substantial volume of data to the OS developer (i.e. Samsung etc) and to third-party parties that have pre-installed system apps (including Google, Microsoft, Heytap, LinkedIn, Facebook),” said the researchers in their study.

“LineageOS sends similar volumes of data to Google as these proprietary Android variants, but we do not observe the LineageOS developers themselves collecting data nor pre-installed system apps other than those of Google. Notably, /e/OS sends no information to Google or other third parties and sends essentially no information to the /e/OS developers.”

The research also shows that user-resettable identifiers, such as advertising IDs, can be easily relinked, even if the user resets the device. Researchers also say that cross-linking of data collected by these different parties is possible, which could allow the creation of shadow profiles. Finally, some devices and OSs record user interactivity with the smartphone and apps, sending detailed statistics back to the owners. Moreover, all of this data is exchanged even when privacy settings are enabled.

Both Google and Huawei responded to the paper, and the researchers included the manufacturers’ information.