Some versions of Android share users' personal data with no chance to opt-out

A new report published by researchers at Dublin's Trinity College (via Gizmodo) examines versions of Google's Android operating system developed by manufacturers like Samsung, Huawei, and Xiaomi. The researchers discovered that even when the software is "minimally configured" and an Android phone is sitting on a desk not being used at the moment, these Android variants are transmitting "substantial" amounts of information back to the developers and other companies that have "pre-installed system apps" such as Facebook, Google, LinkedIn, and Microsoft.

The "pre-installed" system apps are those that are found on the phone out of the box and cannot be deleted. And here is a chilling thought: even if you never opened one of these apps, they still sent data back to the app's parent company and many third-party firms. Unfortunately, there is no way to opt out of this dissemination of data.

The researchers intercepted and analyzed the data that was sent by the Android OS including the pre-installed system apps that we previously mentioned. The study assumes a situation where the device owner doesn't enable his phone to share data but uses the default settings for everything else. The research team printed a chart that shows the data collected by each of the Android OS variants.

All of the companies whose Android OS variants were tracked shared information that can help identify a particular mobile device such as a handset's unique IMEI number. This data is transmitted along with data that the user can reset such as advertising IDs. But since the data is sent as a pair, resetting the advertising ID won't help the user since his device will always link to its IMEI identifier.

Google collects a large amount of data from multiple devices; on the Samsung handset used in the study, the Google advertising number is sent to Samsung servers and several Samsung system apps use Google Analytics to collect data. Google's push service is used with the Microsoft OneDrive system app, and on the Huawei phone tested, the Microsoft Swiftkey keyboard sent the phone's Google Advertising ID to Microsoft servers. Similarly, the Xiaomi handset used in the study sent its Google Advertising ID to Xiaomi servers.

The report also notes how system apps can track certain information related to app usage such as the name of apps that are being used, when they are being used, what app screens are viewed, when and for how long. As an example, the default system keyboard used on the Huawei handset is Microsoft's Swiftkey (as we already duly noted). Information such as when the keyboard is used within an app and app usage is sent to Microsoft's servers.

Some of the Android OS variants also collect a list of installed apps on a phone. While not as invasive as tracking app usage, the data is gold for advertisers who can determine a person's interests from the kind of apps he or she installs on a device. If they see multiple sports apps, apps for stock quotes, apps for Broadway, or apps for cooking, a profile can be created that will help advertisers decide which products should be pitched to a particular user.

Google recently added restrictions on the collection of data of this type, but it only applies to apps from the Play Store, not the system apps that the researchers examined. The report notes that "A handset can also become linked to a person’s identity when data is collected that allows their identity to be inferred or guessed with high probability. On way that this might happen is via a handset’s location time history. Many studies have shown that location data linked over time can be used to de-anonymize users."

Some of the variant Android operating systems (looking at you Samsung and Xiaomi) and third-party system apps by Google and Microsoft log user interactions. Some of this logging of data is needed by developers to catch issues with their apps early. Still, the collection of this data can become intrusive and a major security issue.

The guys (and gals?) over at BleepingComputer asked Google about its ability to collect data while not allowing users to opt-out and the company said that this is "how modern smartphones work."