Study Warns Android Phones From Samsung, Xiaomi And Others Are Spying On Users

Everyone who uses an Android phone has probably had some security-conscious acquaintance ask, "don't you know how much data your phone is harvesting?" Most of us shrug it off as one of the unavoidable circumstances of modern life: you want a smartphone, you deal with data harvesting. Still, some folks aren't so willing to make that sacrifice.

A new collaborative study from the University of Edinburgh in Scotland and Trinity College Dublin in Ireland tested Android-based phones from Samsung, Xiaomi, Huawei, and Realme, as well as handsets running LineageOS and the open-source, privacy-focused /e/OS. The study found that "even when minimally configured and the handset is idle, the vendor-customized Android variants transmit substantial amounts of information to the OS developer and also third-parties (Google, Microsoft, LinkedIn, Facebook, etc.)".

As the paper's authors note, while much has been said about the privacy concerns surrounding specific apps, relatively little has been written about privacy concerns in the operating system itself. After testing, the authors are emphatic that this topic needs much more attention, as they found that devices are gobbling up gigabytes of data even when idle.

[Figure: Data collected by Android phones. Credit: Trinity College Dublin]

More specifically, the researchers found that Samsung, Xiaomi, Huawei, and Realme handsets collect device and user identifiers, device configuration information, and, arguably most damning, user event logging (as a form of "telemetry"). Only Samsung and Xiaomi devices were found to log significant amounts of user interaction event data, though -- the other devices mainly focused on resettable user identifiers.

That's not too comforting given that the researchers also demonstrate how gathered data that is linked to these resettable user identifiers (such as advertising IDs) can still be linked back to the original device and user. Furthermore, the researchers comment that the biggest culprit behind data harvesting is in fact Google itself. In the paper, they say that "Google Play Services and the Google Play store collect large volumes of data from all of the handsets," excepting the /e/OS device, as that OS does not use Google Play services.

[Figure: Potential for cross-linking data collection with different handsets. Red circles represent data collectors and green circles represent the specific service instance for which the data is collected. Credit: Trinity College Dublin]

The authors go on to note "the opaque nature of this data collection," commenting that Google doesn't provide any documentation, and that the payloads are delivered as binary-encoded data generated by intentionally-obfuscated code. Apparently, they have been in discussions with Google to have the Android creator publish documentation for this data collection/telemetry, "but to date that has not happened."

The study is quite in-depth and filled with technical jargon, but it's still worth a read if you're even tangentially interested in the topic. You can find the PDF document on the Trinity College Dublin website.