Apple’s new privacy features built into iOS 14 made the news quite a few times in the first half of the year, mostly because of the massive resistance from Facebook. The features force developers to disclose the data they collect from iPhone users. But the most important feature is the one that forces all developers who want to track users to ask them for permission. Google is far from replicating the features on Android, although plans are in the works to match some of Apple’s offerings at some point in the future. What that means is that developers can track users on Android much more easily than on iPhone. And a new study shows that Android phones from several manufacturers can track you even if you think you’ve opted out of everything that’s tracking you.
Researchers at Trinity College in Dublin looked at handsets from various popular Android smartphone vendors. They found the handsets contain all sorts of built-in apps that keep pinging home with user-related information. The “home” differs depending on the device in use and the preinstalled apps. It’s often apps that come with the handset that collect user information. And that’s why opting out of tracking doesn’t actually prevent tracking inside the system apps, aka the “bloatware.”
These system apps are packaged inside the read-only memory (ROM), which means you can’t delete them or modify their behavior with ease. Most people don’t know how to root their devices to eliminate the culprits. That’s the only way to remove these system apps that are sending data to their parent companies.
How Android might be tracking you with system apps
An app like Microsoft’s LinkedIn might come preinstalled on a Samsung device. Whether you use the app or not, it will still send data to Microsoft’s servers. This data might include your device’s unique identifier and the number of other Microsoft apps you might have installed on the phone. Separately, the data might reach third-party analytics providers that the apps use for stats. Google Analytics is one example of a provider that can collect data on behalf of Microsoft in this case.
The researchers found that the quantity of user data sent to handset vendors or app developers increases if you actually use the system apps. They found that Samsung apps like Pass, Game Launcher, and Bixby collect information about your interactions with them. Samsung will get information about the time you accessed the apps and how long you used them. The data can also reach Google Analytics.
The researchers also observed similar behavior for system apps on smartphones from Huawei, Realme, and Xiaomi.
As Gizmodo points out, these data points can’t track you on their own. But when you combine them, you get a rather unique “fingerprint” that allows companies to keep tracking you online. Even if you reset your Android phone’s advertising ID, the apps still continue to collect data associated with you, and they can figure out who you are.
No way to track who is tracking you
Android does have some privacy protections in place, like the unique advertising ID above. Google set clear rules to prevent developers from abusing tracking powers. For example, apps can’t associate advertising IDs with a device’s IMEI, which is also unique, for advertising purposes. And analytics providers who want to connect those dots must ask for consent.
Also, developers must not associate previous advertising identifiers with a new one without consent from users. And advertising companies must respect the user’s ‘Opt out of Interest-based Advertising’ or ‘Opt out of Ads Personalization’ setting.
But the paper indicates that Android users can’t really know whether they’re being tracked. And they might not know that system apps still track them, even after they’ve opted out of everything they can on the device.
Google told Bleeping Computer that this tracking behavior is normal. That’s “how modern smartphones work.” The data collection you can’t opt out from is necessary.
The same researchers showed that it doesn’t have to be the case. They installed /e/OS and replaced the default system apps in Android with equivalents. The researchers found that the apps did not phone home like the default system apps. They did not send information to Google, third parties, or /e/OS.
As for /e/OS, it’s an open-source version of Android that focuses on privacy. But like with rooting, you’d have to know what you’re doing to get it.
The full paper is available at this link.