A team of university researchers from the United Kingdom published a study which highlights the privacy issues that arise when using Android smartphones.
Researchers focused on Android devices from Samsung, Xiaomi, Realme and Huawei, as well as in LineageOS and / and / OS, two Android forks claiming to offer long-term support and a free Google experience
With the exception of / and / OS, all other Android variants transmit substantial amounts of information to the operating system developer as well as to third parties. (Google, Microsoft, LinkedIn, Facebook, etc.) whose apps are pre-installed, even when they are minimally configured and the phone is idle.
As indicated in the summary table below, sensitive user data such as persistent identifiers, application usage details, and telemetric information, are not only shared with device manufacturers, but also go to various third parties such as Microsoft, LinkedIn and Facebook.
As expected, Google appears as the recipient of almost all data collected.
Researchers note that is a data collection for which there is no opt-out., so Android users are helpless.
This is especially worrisome when smartphone makers include third-party applications that silently collect data, even if they are not used by the device owner and cannot be uninstalled.
In the case of some of the applications built into the system, such as miui.analytics (Xiaomi), Heytap (Realme) and Hicloud (Huawei), the researchers found that encrypted data can be decrypted in certain cases, posing a risk of man-in-the-middle (MitM) attacks.
A Google spokesman stated the following about the study’s findings:
While we appreciate the researchers’ work, we disagree that this behavior is unexpected – that’s how modern smartphones work.
As explained in our Google Play Services Help Center article, this data is essential for key device services, such as push notifications and software updates, across a diverse ecosystem of devices and software versions.
For example, Google Play services use data from certified Android devices to support the device’s core functions. Collecting limited basic information, such as a device’s IMEI, is required to reliably deliver critical updates across all Android devices and apps.