What Android Backgrounds: Privacy Report

What Android Backgrounds: Privacy Report

It was always known that both popular mobile operating systems for these devices, iOS and Android, “phone home” or report data about us back to various servers. But just how much the operating systems themselves did was largely a matter of speculation, especially for Apple devices which are doing things that only Apple can really know for sure. While Apple keeps their mysteries to themselves and thus can’t be fully trusted, Android is much more open which paradoxically makes it easier for companies (and malicious users) to spy on users but also makes it easier for those users to secure their privacy on their own. Thanks to this recent privacy report on several different flavors of Android (PDF warning) we know a little bit more on specifically what the system apps are doing, what information they’re gathering and where they’re sending it, and exactly which versions of Android are best for those of us who take privacy seriously.

First, the paper points out that all of these companies are trivially able to link devices to users. Companies match IMEI numbers and other identifiers of devices to other user data that makes linking these accounts together a simple game of connect-the-dots. Largely the reason for doing this is to target ads, but all of these companies will also share this information indiscriminately with various governmental agencies. They also aren’t perfectly secure, so any black-hat attacker who gets access to this information will have it as well. This shouldn’t be too surprising, but the new information here is that researchers also found this data is shared among companies. For example, Samsung and Google seem to share each other’s data amongst themselves. Swiftkey, a popular keyboard app, also sends information to Microsoft via Google. It’s quite a complex web of data sharing and services from one company to support another’s data gathering efforts. Some of these data gathering efforts also include details such as timestamped app usage and personal contact gathering. While a lot of the information the operating systems are actually gathering is sometimes obfuscated, it’s clear that anything done on any of these devices might as well be recorded as if it was a Twitch stream as there’s evidence to suggest that literally everything could be monitored by someone (or some piece of software), right down to a user’s keystrokes.

The researchers contrast this rampant data gathering activity with /e/OS, a privacy-oriented version of Android. /e/OS is a fork of LineageOS which is specifically devoted to privacy, includes no Google-related software, and gathers essentially no user data on its own apart from information about available updates and some other necessary information. LineageOS is only marginally better than the Android offerings from the major manufacturers when the GApps package is installed with it, largely because the Google system apps are so pervasive at gathering user data. It is possible to use LineageOS without the GApps package but the researchers did not take this approach and largely focused on /e/OS as the de-Googled version of study.

Story Highlights

  • From the Internet of the 1990s and early 2000s, we’ve gone a long way. Not only in terms of technology, capability, and culture, but also in terms of how most of us approach the internet. Before eBay and Amazon popularised online purchasing, most users had a fervent desire to keep any personal or identifying information to themselves beyond the occasional (and frequently wholly fake) a/s/l, and it was unheard of to even type in a credit card number. On today’s internet, we do all of these things with abandon, and to make matters worse, most of us carry around a device that not only stores all of our personal information but also reports everything about us, from our location to our social media posts.

  • The report takes a look at six different “flavors” of Android and what each one is doing behind the scenes. The researchers studied operating systems from Samsung, Xiaomi, Huawei, and Realme which all also produce their own devices, but also looked at two alternative Android-based operating systems — LineageOS and /e/OS — that can be installed on some devices and customized for privacy if the user chooses. /e/OS is built with privacy in mind, while LineageOS is more of a drop-in replacement which doesn’t specifically focus on privacy. It should be no surprise that the four Android versions customized by the device manufacturers report a ton of user data, or that any device with a Google Apps (GApps) package reports a seemingly unending stream of user information back to Google servers, but some of the specific results that the research team found are definitely worth noting.