A study of data collection by Android devices

source link: https://lwn.net/Articles/872639/

[Posted October 12, 2021 by corbet]
A group of researchers at Trinity College in Dublin has released the results of a study into the data collected by a number of Android variants. There are few surprises here, but the picture is still discouraging.

> We find that the Samsung, Xiaomi, Huawei and Realme Android variants all transmit a substantial volume of data to the OS developer (i.e. Samsung etc) and to third-party parties that have pre-installed system apps (including Google, Microsoft, Heytap, LinkedIn, Facebook). LineageOS sends similar volumes of data to Google as these proprietary Android variants, but we do not observe the LineageOS developers themselves collecting data nor pre-installed system apps other than those of Google. Notably, /e/OS sends no information to Google or other third parties and sends essentially no information to the /e/OS developers.


A study of data collection by Android devices

Posted Oct 12, 2021 14:07 UTC (Tue) by jhoblitt (subscriber, #77733) [Link]

I had never heard of /e/OS before. As per usual, it appears that the privacy focused phones are hobbled by dated hardware.

A study of data collection by Android devices

Posted Oct 12, 2021 14:44 UTC (Tue) by Herve5 (subscriber, #115399) [Link]

It depends on what you call recent hardware... While I write this on a /e/ Fairphone 3, a couple years old, /e/ and Fairphone announce this OS is being ported to Fairphone 4, a 5G model announced basically last week...

A study of data collection by Android devices

Posted Oct 12, 2021 20:49 UTC (Tue) by Smon (guest, #104795) [Link]

Sadly /e/OS does not even sign their builds.

A study of data collection by Android devices

Posted Oct 12, 2021 20:55 UTC (Tue) by divested (guest, #154722) [Link]

I think they do sign a few of them.
That is however the smallest of their issues.

A study of data collection by Android devices

Posted Oct 12, 2021 23:52 UTC (Tue) by Smon (guest, #104795) [Link]

What are other issues?

A study of data collection by Android devices

Posted Oct 13, 2021 0:58 UTC (Wed) by divested (guest, #154722) [Link]

There are many documented on this forum thread that compares /e/OS against my ROM:
https://community.e.foundation/t/divestos-vs-e-os-securit...

My comments are under name SkewedZeppelin.
There is also an interesting response from Gaël, the /e/ founder, there.

A study of data collection by Android devices

Posted Oct 13, 2021 12:06 UTC (Wed) by busman (subscriber, #7333) [Link]

Yes, Gaël's comment summarizes the differences of approach clearly.

As it happens, I agree with his approach (for now). I have been using /e/OS for around 18 months now. I took it up after years of Jolla and LineageOS use. You are absolutely correct that there are safer options. However, I don't want to be safe alone :) I want my friends and family to also have an opportunity to have more privacy and security than they currently have. That requires a big enough actor (which E foundation is not ... yet) that can provide a usable enough product that they can use. So it's a trade-off at this point. Maybe later when it has single digit market share in Europe ...;P

E seems to have the required staying power. More than a few developers, designer(s?), marketers, community people, ... IIRC it already has had some funding from different European development programs. With EU having issues with Google, Facebook, TikTok, Huawei, ... I assume that that push for more pro-privacy and made-in-Europe solutions increases. E just needs to be big and credible enough to benefit from that.

My only remaining concern with them is about their app store. I hope somebody does the research on it (and other independent app stores) and verifies their claims there too. And just maybe we can finally get the trustworthy app store that doesn't require user identification for downloading and using free-as-in-beer apps.

/e/ OS and their Appstore -> F-Droid

Posted Oct 14, 2021 12:38 UTC (Thu) by Herve5 (subscriber, #115399) [Link]

I must say, the first thing I did with my blank /e/ was to install F-Droid and only work from there.
Now, on the /e/ Appstore there are a couple of extra, non-open-source apps that are very helpful too (my favorite newspapers, banking... all of that without calling home -which /e/ prevents by default anyway)

A study of data collection by Android devices

Posted Oct 13, 2021 15:33 UTC (Wed) by Smon (guest, #104795) [Link]

Very interesting! Thank you very much :)

A study of data collection by Android devices

Posted Oct 12, 2021 23:00 UTC (Tue) by jebba (✭ supporter ✭, #4439) [Link]

jhoblitt:
> ...the privacy focused phones are hobbled by dated hardware.

https://doc.e.foundation/devices

Their supported device list has one device released in 2021, four devices released in 2020, and twenty-five devices released in 2019.

LG phones can't be unlocked after end of 2021

Posted Oct 13, 2021 16:07 UTC (Wed) by tim_small (guest, #35401) [Link]

I see that there are a few LG phones in there.

LG phones will no longer be unlockable after the end of 2021, because LG is closing their mobile phone division, and along with it the web server which is part of the bootloader unlocking process.

If you or anyone you know has an LG phone get your key while you can...

A study of data collection by Android devices

Posted Oct 15, 2021 11:52 UTC (Fri) by luca020400 (guest, #143673) [Link]

With that said, they've done close to 0 work on the actual devices.
They take either LineageOS trees or some random tree on the internet.
I'm not even sure they have most of the devices they offer support for.

A study of data collection by Android devices

Posted Oct 12, 2021 15:20 UTC (Tue) by Henning (subscriber, #37195) [Link]

Not really clear from the study, but it seems like LineageOS does not send data, but instead it is the Google Apps that sends data.
This is perhaps unsurprising but Google Apps is optional for LineageOS and privacy minded people do avoid it in many cases so it might not be a need for panic for those of us in this category.

A study of data collection by Android devices

Posted Oct 12, 2021 15:41 UTC (Tue) by spaetz (guest, #32870) [Link]

No, even if you don't install gapps, the AOSP system and applications will connect to google a lot.

A study of data collection by Android devices

Posted Oct 12, 2021 18:08 UTC (Tue) by beagnach (subscriber, #32987) [Link]

> No, even if you don't install gapps, the AOSP system and applications will connect to google a lot.

Have you a source for that?

What parts of "the AOSP system" are connecting to Google?

As for the applications - are those google applications or third-party?

A study of data collection by Android devices

Posted Oct 12, 2021 18:38 UTC (Tue) by divested (guest, #154722) [Link]

AOSP connects to:
1. NTP servers, public pools
2. SUPL servers for A-GPS data from Google and carriers
3. XTRA A-GPS data from Qualcomm servers
4. Google servers for connectivity checks
5. Google servers for fallback DNS
6. Google servers for default Chromium autofill nonsense

all of the code that does that^ however is FOSS.

If you want a ROM better than /e/OS, I recommend GrapheneOS or my personal DivestOS.

A study of data collection by Android devices

Posted Oct 12, 2021 20:52 UTC (Tue) by Smon (guest, #104795) [Link]

Besides 5 and 6, these are only requests ala 'Am I online?', 'What is the time?', 'Give me A-GPS data?'?
Or is there any tracking/user-specific data sent?

A study of data collection by Android devices

Posted Oct 12, 2021 20:56 UTC (Tue) by divested (guest, #154722) [Link]

Oh apologies, SUPL requests by default in AOSP do include IMEI or phone number.
Intended to allow carriers to perform access control, but arguably has other nefarious uses.

A study of data collection by Android devices

Posted Oct 12, 2021 23:51 UTC (Tue) by Smon (guest, #104795) [Link]

Interesting, thank you very much!

A study of data collection by Android devices

Posted Oct 14, 2021 2:17 UTC (Thu) by NYKevin (subscriber, #129325) [Link]

> 1. NTP servers, public pools

I'm surprised to learn that it's contacting *Google* specifically, because Google's public NTP implements leap smearing, and "[w]e recommend that you do not mix smeared and non-smeared NTP servers."[1] Regardless, the privacy policy (linked from that same page) basically says they keep your IP address for 30 days (for abuse, debugging, etc.) and then throw it away, and do not combine it with data from other Google services.

> 2. SUPL servers for A-GPS data from Google and carriers
> 3. XTRA A-GPS data from Qualcomm servers

No comment, I have no idea what this is.

> 4. Google servers for connectivity checks

In other words, they hit http://www.google.com/gen_204 (note unencrypted HTTP) or another, identically-behaved URL, for the purpose of checking whether your WiFi actually works or tries to redirect to a captive portal. I'm not specifically aware of any privacy policy for those requests, but at most they're getting your IP address, cookies, and a small subset of browser fingerprint data (it always returns HTTP 204 No Content, so any fingerprinting which requires Javascript etc. is not going to work).

It's *terrible* that this is even necessary. In an ideal world, captive portals would be a standardized part of the DHCP negotiation, and this kind of MitM chicanery would not exist. Unfortunately, not only do captive portals MitM arbitrary HTTP traffic, some of them don't even have the courtesy of redirecting you properly, and serve HTTP 200 for all requests (impersonating whatever site you asked for). They will usually(!) then give you some Javascript(!!) which redirects you via window.location or some such nonsense. Fortunately, everyone is now using HTTPS for everything that matters, so they can't actually MitM you any more (and CORS, the same-origin policy, etc. work as they were intended), but this is a double-edged sword because you are now wholly dependent on the OS detecting the captive portal.

> 5. Google servers for fallback DNS

The privacy policy for DNS is quite a bit more extensive than the NTP policy: [2]. IMHO it's likely to be acceptable to most users, but you can (and should!) read it and make up your own mind. I would also suggest comparing and contrasting Cloudflare's policy,[3] which by my reading is stricter in terms of data retention. Concerned users may want to switch to Cloudflare's DNS offering, or to another service.

> 6. Google servers for default Chromium autofill nonsense

Eh... at least that's relatively easy to turn off. I'm not thrilled with it being on-by-default, however.

Disclaimer: I work for Google, opinions are my own. However, I can tell you that in my experience, Google's internal controls on PII are very strict. I cannot look at your data, nor do I want to. I recognize that many of the commenters here likely have different threat models than I do in terms of privacy, and that's fine. I'm only commenting because I wanted to provide factual information, which you can and should evaluate on its own merits. I firmly believe that everyone should have the right to make up their own mind about the disposition of their data.

[1]: https://developers.google.com/time/faq#services
[2]: https://developers.google.com/speed/public-dns/privacy
[3]: https://developers.cloudflare.com/1.1.1.1/privacy/public-...

A study of data collection by Android devices

Posted Oct 14, 2021 4:24 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

Having worked closely with Google privacy and also some of the people involved in the internal security barriers that prevent Google employees accessing user data, I agree that the risk here is extremely low. What I worry about more is that data being subpoenaed.

A study of data collection by Android devices

Posted Oct 14, 2021 4:39 UTC (Thu) by divested (guest, #154722) [Link]

> > 1. NTP servers, public pools
> I'm surprised to learn that it's contacting *Google* specifically,

That isn't Google, just regular old public pools.

> 5. Google servers for fallback DNS

This is basically never used in normal cases except for tethering iirc.

> Eh... at least that's relatively easy to turn off.

This cannot be turned off for the WebView without a compile time patch.
And was cause for recent issue:
https://gitlab.com/LineageOS/issues/android/-/issues/4010

A study of data collection by Android devices

Posted Oct 14, 2021 4:51 UTC (Thu) by divested (guest, #154722) [Link]

> but at most they're getting your IP address, cookies, and a small subset of browser fingerprint data

AOSP only sends a hardcoded user agent for connectivity checks.
No cookies or anything else extra.
https://cs.android.com/android/platform/superproject/+/ma...
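
The connectivity check discussed in the two comments above, as an added example that is not part of any poster's comment and is not AOSP code: it builds a probe request carrying only a fixed user agent, then classifies the reply as online (HTTP 204), captive portal (redirect, or a 200 page impersonating the site), or failed. The function names, the `USER_AGENT` value, the `portal.example` host and the sample responses are constructed for illustration.

```python
PROBE_HOST = "www.google.com"     # probe host named in the thread
PROBE_PATH = "/gen_204"           # probe path named in the thread
USER_AGENT = "ExampleProbe/1.0"   # placeholder, not AOSP's real string


def build_probe_request(host=PROBE_HOST, path=PROBE_PATH):
    """Plain-HTTP probe: fixed user agent, no cookies, no other state."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        f"User-Agent: {USER_AGENT}",
        "Connection: close",
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")


def request_header_names(request):
    """Header names a network observer would see in the probe."""
    head = request.partition(b"\r\n\r\n")[0].decode("ascii")
    return sorted(l.partition(":")[0].lower() for l in head.split("\r\n")[1:])


def parse_response(raw):
    """Split a raw HTTP response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def classify(raw):
    """Return 'online', 'portal' or 'failed' for a probe response."""
    try:
        status, headers, body = parse_response(raw)
    except ValueError:
        return "failed"
    if status == 204:
        return "online"                 # the expected empty reply
    if 300 <= status < 400 and "location" in headers:
        return "portal"                 # well-behaved portal redirect
    if status == 200 and body.strip():
        return "portal"                 # portal answering 200 with its own page
    return "failed"


# Constructed sample responses (not captured traffic).
OPEN = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: http://portal.example/login\r\n\r\n"
IMPERSONATE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<script>window.location='http://portal.example/login'</script>")

if __name__ == "__main__":
    for name, raw in [("open", OPEN), ("redirect", REDIRECT), ("200-page", IMPERSONATE)]:
        print(name, "->", classify(raw))
    print("probe headers:", request_header_names(build_probe_request()))
```
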

A study of data collection by Android devices

Posted Oct 13, 2021 9:04 UTC (Wed) by Rigrig (subscriber, #105346) [Link]

They did install opengapps though[1], it would've been interesting if they also tested bare LineageOS for comparison.

[1] page 6:
> Hardware and Software Used: ... Google Pixel 2/Android 10 (LineageOS build 17.1-20210316, opengapps 10.0-nano-20210314)

A study of data collection by Android devices

Posted Oct 12, 2021 16:30 UTC (Tue) by flussence (subscriber, #85566) [Link]

This is why I'm keeping my cyanogenmod/AOSP6 phone until it physically stops working. It can't talk to Google and there isn't even a developer to send telemetry to.

Hostile tech in general is easily pacified once the vendor loses interest in it - I guess that's why Windows XP/7 have a die hard fanbase.

A study of data collection by Android devices

Posted Oct 12, 2021 17:02 UTC (Tue) by divested (guest, #154722) [Link]

Sorry to let you know:

CyanogenMod 13.0/6.0 actually has trackers:
https://lists.osuosl.org/pipermail/replicant/2020-Novembe...

Not to mention the regular stats that CyanogenMod 13.0 has:
https://github.com/LineageOS/android_packages_apps_CMPart...

Or the lack of absolute must security updates since 2019-04 and no recommended security patches since 2017-10:
https://divestos.org/index.php?page=patch_levels#branchPa...

A study of data collection by Android devices

Posted Oct 14, 2021 18:50 UTC (Thu) by flussence (subscriber, #85566) [Link]

I already know and your response is wildly off the mark. Maybe I didn't make it explicit enough in my first post that I am excruciatingly disinterested in scattershot proselytizing for Yet Another AOSP Distro presenting a buffet of opinionated paranoid technical solutions to societal problems that cannot be solved by software.

CM's proprietary apps have had a hard time hiding from `rm` in my experience, and the stats collection stays off when turned off in the settings. My network IDS would let me know, and I would let others know, if that were insufficient. And it would be cheaper for a prospective attacker to bribe or simply ask me than target my phone. Exploits are all about the profit margin these days.

A study of data collection by Android devices

Posted Oct 14, 2021 20:29 UTC (Thu) by divested (guest, #154722) [Link]

> proprietary apps have had a hard time hiding from `rm`

Earnestly, AmbientSDK was compiled into the following apps: Contacts, ContactsProvider, Phone, Dialer, InCallUI, Messaging, Trebuchet, SetupWizard, and the general CM SDK used by Settings.

A study of data collection by Android devices

Posted Oct 12, 2021 18:57 UTC (Tue) by rgmoore (✭ supporter ✭, #75) [Link]

Sadly, I think the big Windows XP/7 fanbase is from people who have apps that work on that version and who effectively can't change. I'm in that category for at least some of my software. I would love to migrate everything to a newer version of Windows, but I have some software that can't be updated (lack of developer support) and I haven't been able to get working on a newer version of Windows. It's just easier to keep a system around that does what I need than to deal with the difficulty of finding new software for the task.

A study of data collection by Android devices

Posted Oct 12, 2021 20:12 UTC (Tue) by Wol (subscriber, #4433) [Link]

The comment I came across is that a lot of windows software would install on 7/8/10/11 just fine.

The problem is that many of those 32-bit apps have a 16-bit installer, and it's the install program that won't run. And digging in to the mess that is a windows install with dlls and stuff scattered everywhere is not something that I expect appeals to many people.

Cheers,
Wol

A study of data collection by Android devices

Posted Oct 12, 2021 21:18 UTC (Tue) by HelloWorld (guest, #56129) [Link]

Sometimes this kind of software can be made to work on wine 🍷

A study of data collection by Android devices

Posted Oct 13, 2021 16:10 UTC (Wed) by NAR (guest, #1313) [Link]

I recently tried to start my purchased copy of Civilization IV on Win 10 and to my surprise, it didn't start. After some search on various forums, it turned out that the copy protection relied on some service in Win 7 (or XP?) that was deemed "unsafe" in later versions of Windows and is no longer started.

A study of data collection by Android devices

Posted Oct 13, 2021 21:20 UTC (Wed) by Wol (subscriber, #4433) [Link]

Are you happy running a virtual Windows? Do you have install media?

Google for "Self Service for Mobile". afaict it is NOT a genuine MS site, but if you ask Windows to activate by phone, you can type the code it gives into this site, and it will give you the activation code back. It's re-activated a couple of XP instances of mine that wanted re-activation.

Cheers,
Wol

A study of data collection by Android devices

Posted Oct 12, 2021 19:39 UTC (Tue) by anarcat (subscriber, #66354) [Link]

I'm surprised to find no mention of CalyxOS in the paper. It's my daily driver and goes to great lengths to assure both usability and privacy. I have used LOS for a long time, and it beats it on many fronts, it's now my daily driver.

A study of data collection by Android devices

Posted Oct 12, 2021 20:58 UTC (Tue) by divested (guest, #154722) [Link]

CalyxOS is great from a usability perspective, while still providing a level of professionalism that some other projects don't.
However I strongly find their default inclusion of apps like Signal and DuckDuckGo Browser to be questionable.

A study of data collection by Android devices

Posted Oct 12, 2021 23:22 UTC (Tue) by developer122 (subscriber, #152928) [Link]

All this, and no mention of PostmarketOS? I get that yeah, it's still in beta, but there's a few phones supported now that are fairly usable as daily drivers. With the monthly service packs, that's only going to improve.

A study of data collection by Android devices

Posted Oct 13, 2021 0:53 UTC (Wed) by divested (guest, #154722) [Link]

PostmarketOS or whatever comes after it is likely the future and has done an impressive job.
But as it stands today you can't give it to your mum to daily drive.
