"Don't Be Evil," They Said: Android Is Tracking Us With No Way to Opt-Out

Written by z3nch4n | Published 2021/12/01

“And remember… don’t be evil, and if you see something that you think isn’t right — speak up!” — Google Code of Conduct before April, 2018

Researchers Find Android Tracks Users and Shares Data With OS Developers

TL;DR:

  • The new research analyzed preinstalled apps in Samsung, Realme, Xiaomi, and Huawei phones and the data sent to these companies and third parties.
  • The research found that data is constantly sent even if the apps are unused or never used.
  • Users cannot delete these preinstalled apps, and the only way to remove them is by rooting your phone.
When I heard that Google removed the famous "Don't be evil" from their code of conduct, I was disappointed. But, even worse, researchers recently proved that the phrase is not just a slogan but crucial for protecting our privacy, considering that Google is everywhere for everyone now.
In May, Google announced that it would follow industry standards concerning privacy obligations. By Q2 of 2022, developers will be required to disclose:
  • the type of data collected;
  • the type of data stored;
  • the way such data is used.
These requirements complement other elements, such as new security practices, enforcement of data deletion upon uninstallation of the app, etc. That's excellent news, and Android users, at least those who install apps via the Google Play store, are less likely to be exposed to malicious apps.

New Problems Found

If you use an Android phone and are concerned about privacy, you should probably read my "Keep Trackers and Advertisers at Bay with these Browser Privacy Tips" and take care of the unnecessary digital footprints. Even better, you may want to keep your digital self clean and tidy by following my steps in "The KonMari Method for Your Digital Footprint."
The bad news is that none of the measures above are enough to make you "tracker-free." Yeah, I know, it is very frustrating. But, sadly, according to a recent research paper from Trinity College in Dublin, "Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets":
…even when minimally configured and the handset is idle these vendor-customized Android variants transmit substantial amounts of information to the OS developer and also to third-parties (Google, Microsoft, LinkedIn, Facebook etc) that have pre-installed system apps.

The Ultimate Vigilance — so-called "Systems Apps."

Hardware manufacturers preinstall apps on devices to offer more "customizations" and "features," such as replacing the stock camera or messages app with a branded one. Unfortunately, Android usually packages these apps into what's called "read-only memory" (ROM), which means you can't delete or modify these apps directly.
Everything inside the ROM is "untouchable" by normal users, since they can only work with the parts of the device outside the system files. To change the system structure, you need higher permission, i.e., root. Thus, if "system apps" track users, you can only stop them by rooting the device.
And until you do, the researchers found they were continually transmitting device data back to their parent company and more than a few third parties — even if you never opened the app at all. According to the report, the built-in apps on the Samsung, Xiaomi, Huawei, and Realme phones sent a large amount of data to the OS developers. But not everyone would agree they also send data to third parties, including Google, with the Google Mobile Services and Google Play Store apps being the most comprehensive data sources.
Moreover, Facebook, Microsoft (in the SwiftKey keyboard or OneDrive cloud storage), and LinkedIn are other data destinations, depending on which preinstalled "system apps" were present on the device.

What About Custom ROM?

Advanced users may think Android provides a platform for them to customize their operating system. But that doesn't necessarily mean the problem doesn't exist.
  • LineageOS is one of the popular alternative ROMs. One thing we need to understand is that Google Apps are not preinstalled on LineageOS. But if you choose to install them, as the researchers did in the study, LineageOS didn't collect data but still sent data to Google via its system apps.
  • /e/, a free and open-source Android-based mobile operating system, sent minimal data back to its developers, showing that it could make Android work without significant data harvesting. However, be reminded that /e/ is a heavy rework of the stock Android ROM, which means the user experience may not be the same as on other devices.

Google's Reply: It's Normal

A Google spokesperson has provided BleepingComputer the following comment on the findings of the study:
While we appreciate the work of the researchers, we disagree that this behavior is unexpected — this is how modern smartphones work. As explained in our Google Play Services Help Center article, this data is essential for core device services such as push notifications and software updates across a diverse ecosystem of devices and software builds. For example, Google Play services uses data on certified Android devices to support core device features. Collection of limited basic information, such as a device’s IMEI, is necessary to deliver critical updates reliably across Android devices and apps.
Unfortunately, as an Android user, you can't do much if you are annoyed by this. As mentioned before, there's no way to opt out of the system-app data acquisition. Even though you can reset some identifiable data, it can easily be "re-identified" by cross-referencing it with IDs you can't reset, such as the phone's IMEI number.
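Why resetting an identifier does not unlink a device, shown as an added example that is not taken from the study or from the original article: the constructed records below are grouped by shared identifier values, first using only a resettable ID and then also the IMEI. The field names `ad_id` and `imei` and every value are assumptions made up for the illustration.

```python
# Added illustration: constructed telemetry records, not data from the study.
from collections import defaultdict

# Each record is the set of identifiers one upload carries (all values constructed).
EVENTS = [
    {"ad_id": "ad-1111", "imei": "IMEI-A"},  # before the user resets the ID
    {"ad_id": "ad-1111"},                     # upload with only the resettable ID
    {"ad_id": "ad-2222", "imei": "IMEI-A"},  # after the reset: new ID, same IMEI
    {"ad_id": "ad-2222"},
    {"ad_id": "ad-9999", "imei": "IMEI-B"},  # a different handset
]

def link_profiles(events, keys):
    """Group event indexes that share any identifier value among `keys`."""
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}  # (key, value) -> index of the first event carrying it
    for idx, event in enumerate(events):
        for key in keys:
            if key not in event:
                continue
            ident = (key, event[key])
            if ident in first_seen:
                parent[find(idx)] = find(first_seen[ident])
            else:
                first_seen[ident] = idx

    groups = defaultdict(list)
    for idx in range(len(events)):
        groups[find(idx)].append(idx)
    return sorted(groups.values())

def ad_ids_per_profile(events, keys):
    """For each linked profile, the resettable IDs it spans."""
    return [sorted({events[i]["ad_id"] for i in g if "ad_id" in events[i]})
            for g in link_profiles(events, keys)]

if __name__ == "__main__":
    print("resettable ID only:", link_profiles(EVENTS, ["ad_id"]))
    print("with IMEI:         ", link_profiles(EVENTS, ["ad_id", "imei"]))
```

With only the resettable ID, the reset splits one handset into two apparent profiles; as soon as a single upload on each side of the reset also carries the IMEI, all four of that handset's records collapse back into one.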

Final Words

The findings in the report are concerning. Luckily, there are still things we can do, like installing a custom OS such as /e/. But getting it to work takes more effort than usual. Alternatively, you could always switch to an iPhone, but while Apple highlights the importance of user privacy, it's still impossible to escape all tracking with iOS.
Meanwhile, as I mentioned in my last article, iPhone apps were just as snoopy as Android apps, with 60% of iOS apps sharing data with Google. So, to conclude, as Google told us that it is normal to have our data collected without a way out, we need to, ultimately, choose between privacy and convenience again.
Thank you for reading. May InfoSec be with you🖖.

Written by z3nch4n | Interested in Infosec & Biohacking. Security Architect by profession. Love reading and running.
Published by HackerNoon on 2021/12/01