If you’re using an Android phone and worry (rightfully!) about digital privacy, you’ve probably already taken care of the basics. You’ve removed the snoopiest of snoopy apps, turned off tracking where possible, and taken all the other precautions popular privacy guides have given you. The bad news – and you might want to sit down for this – is that none of these steps are enough to be completely tracker-free.

Or at least, that’s the thrust of a new article by researchers at Trinity College Dublin that looked at the data sharing habits of some popular variants of the Android operating system, most notably those developed by Samsung, Xiaomi, and Huawei. According to the researchers, “with little configuration” out of the box and when left idle, these devices continually send device data back to operating system developers and a large number of selected third parties. And the worst part is that there is often no way to turn off this data ping, even if users want to.

As the researchers point out, much of the fault lies with so-called “system apps”. These are apps that are preinstalled by the hardware manufacturer on a certain device in order to provide a certain type of functionality – a camera or messaging app are examples. Android typically bundles these apps into what’s known as the device’s “read-only memory” (ROM), which means you can’t delete or edit these apps without rooting your device. And until you do, the researchers found that they constantly send data from the device back to their parent company and several third parties, even if you never open the app.

Here’s an example: let’s say you have a Samsung device that has some preinstalled Microsoft bloatware, including (ugh) LinkedIn. Even though there’s a good chance you’ll never open LinkedIn for whatever reason, this hard-coded app constantly sends back details about your device to Microsoft’s servers. In this case, it is “telemetry data,” which includes details like your device’s unique identifier and the number of Microsoft apps you have installed on your phone. This data is also shared with any third-party analytics providers that these apps may have plugged in, which usually means Google, since Google Analytics is the reigning king of all available analytics tools.

When it comes to hard-coded apps that you can actually open every now and then, even more data is sent with each interaction. Researchers caught Samsung Pass, for example, sharing details with Google Analytics, like timestamps of when you used the app and for how long. Same goes for Samsung’s game launcher, and every time you open Samsung’s virtual assistant, Bixby.

Samsung is not alone here, of course. The Google messaging app preinstalled on the phones of Samsung’s competitor Xiaomi was caught sharing timestamps of every user interaction with Google Analytics, as well as logs of every time that user sent a text message. Huawei devices were caught doing the same. And on devices that had Microsoft’s SwiftKey preinstalled, logs detailing whenever the keyboard was used in another app or elsewhere on the device were shared with Microsoft instead.

We’ve barely scratched the surface here when it comes to what each app does on every device these researchers reviewed, which is why you should check out the document or, better yet, check out our how-to guide to snooping on your Android phone’s data-sharing practices yourself. But for the most part, you’ll see shared data that looks pretty, well, boring: event logs, details about your device’s hardware (like model and screen size), as well as some sort of identifier, such as a phone’s hardware serial number and mobile ad identifier, or “AdID”.

On their own, none of these data points can identify your phone as yours, but taken together they form a unique ‘fingerprint’ that can be used to track your device, even if you try to opt out. Researchers point out that while Android’s Advertising ID is technically resettable, the fact that apps typically associate it with more permanent identifiers means that those apps – and whatever third parties they work with – will know who you are in any event. Researchers found this to be the case with some of the other resettable IDs offered by Samsung, Xiaomi, Realme, and Huawei.
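To check this on your own captures, the following added example (not code from the study) audits a log of intercepted telemetry for endpoints that receive a resettable advertising ID alongside a persistent identifier, which is what makes a reset ineffective. The hosts, field names and values are constructed for illustration.

```python
from collections import defaultdict

RESETTABLE = {"ad_id"}               # identifiers the user can reset
PERSISTENT = {"hw_serial", "imei"}   # identifiers that survive a reset

# Constructed sample: decoded telemetry events in capture order.
# Hosts and field names are hypothetical, not taken from the study.
EVENTS = [
    {"host": "analytics.example", "ad_id": "aaaa-1111", "hw_serial": "SN-001", "model": "X1"},
    {"host": "analytics.example", "ad_id": "aaaa-1111", "hw_serial": "SN-001", "model": "X1"},
    # The user resets the advertising ID at this point.
    {"host": "analytics.example", "ad_id": "bbbb-2222", "hw_serial": "SN-001", "model": "X1"},
    {"host": "vendor.example", "ad_id": "bbbb-2222", "model": "X1"},
]


def linked_ad_ids(events):
    """Map (host, persistent field, value) to the advertising IDs sent with it.

    Only entries with more than one advertising ID are returned: those are
    the endpoints that can join the old and the new ID after a reset.
    """
    seen = defaultdict(list)
    for ev in events:
        for pfield in sorted(ev.keys() & PERSISTENT):
            for rfield in sorted(ev.keys() & RESETTABLE):
                key = (ev["host"], pfield, ev[pfield])
                if ev[rfield] not in seen[key]:
                    seen[key].append(ev[rfield])
    return {k: ids for k, ids in seen.items() if len(ids) > 1}


def hosts_without_persistent_id(events):
    """Hosts that never received a persistent identifier in this capture."""
    all_hosts = {ev["host"] for ev in events}
    leaky = {ev["host"] for ev in events if ev.keys() & PERSISTENT}
    return all_hosts - leaky


if __name__ == "__main__":
    for (host, field, value), ids in linked_ad_ids(EVENTS).items():
        print(f"{host}: {field}={value} links advertising IDs {ids}")
    print("reset is effective for:", sorted(hosts_without_persistent_id(EVENTS)))
```
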

To its credit, Google has a few development rules meant to hinder particularly invasive apps. It tells developers that they can’t connect a device’s unique advertising ID to something more persistent (like that device’s IMEI, for example) for advertising purposes. And while analytics providers are allowed to make this link, they can only do so with the “explicit consent” of a user.

“If reset, a new Advertising ID must not be connected to a previous Advertising ID or to data derived from a previous Advertising ID without the explicit consent of the user,” Google explains on a separate page detailing these development policies. “You must adhere to a user’s ‘Turn off interest-based advertising’ or ‘Turn off ad personalization’ setting for a user. If a user has this setting enabled, you cannot use the Advertising ID to create user profiles for advertising purposes or to target users with personalized ads.”

It should be noted that Google does not impose any rules as to whether developers can collect this information, only what they are allowed to do with it after it is collected. And because these are preinstalled apps that often get stuck on your phone, researchers found that they were often allowed to bypass explicit user privacy disabling settings by … not that user the most. opened. And with no easy way to remove them, this data collection is going to go on (and on) until the owner of that phone gets creative with rooting or throws their device into the ocean.

Google, when asked by BleepingComputer employees about this non-skippable data collection, replied that it was simply “how modern smartphones work”:

As explained in our Google Play Services Help Center article, this data is essential for core device services, such as push notifications and software updates in a diverse ecosystem of devices and software releases. For example, Google Play Services uses data on certified Android devices to support basic device functionality. Collecting limited basic information, such as a device’s IMEI, is necessary to reliably deliver critical updates to Android devices and apps.

Which sounds logical and reasonable, but the study itself proves that’s not the whole story. As part of the study, the team looked at a device equipped with /e/OS, an open source, privacy-focused operating system that was touted as a “deGoogled” version of Android. This system replaces Android’s built-in apps, including the Google Play store, with free and open-source equivalents that users can access without needing a Google account. And wouldn’t you know, when these devices were idle, they sent “no information to Google or other third parties” and “essentially no information” to the developers themselves.

In other words, this aforementioned hellish tracking landscape is clearly only inevitable if you feel that Google’s presence on your phones is inevitable as well. Let’s be honest here, it sort of is for most Android users. So what can a Samsung user do, other than be tracked?

Well, you can get lawmakers to care, for a start. The privacy laws we have in place today, like the GDPR in the EU and the CCPA in the US, are almost exclusively designed to fit the way tech companies treat personally identifiable forms of data, such as your name and address. So-called “anonymous” data, like your device’s hardware specifications or advertising ID, generally falls between the cracks of these laws, although it can generally be used to identify you anyway. And if we can’t successfully demand an overhaul of our country’s privacy laws, then maybe one of Google’s many massive antitrust lawsuits right now will end up causing the company to put a cap on some of these invasive practices.