Top Android phones from China collect more user data than previously thought

[17/02/2023] Phone makers like Xiaomi, OnePlus, and Oppo Realme, some of the most popular in China, are all collecting large amounts of sensitive user data via their respective operating systems, as are a variety of apps that come pre-installed on the phones. Paul Patras and his student Haoyu Liu, with their collaborator Doug Leith of Trinity College Dublin, have been researching the privacy of Android OS firmware, examining the versions available on the Chinese market.


Their recent research, findings of which will appear in ACM WiSec later this year, looked into how smartphones commercialised in China behave and how they may track their users. This information is collected even when the owners are outside of China.  

This new piece of research follows up on their initial work in 2021, which raised concerns over Android mobiles produced in China.

Researchers conducted a cross-regional analysis to study the data transmitted by the preinstalled system apps on Android smartphones from the most popular vendors in both China and the EU, including Xiaomi, Samsung, Huawei, Oppo and OnePlus.

In general, researchers assumed that the owner of the device has opted out of sending analytics and personalization data to providers and doesn’t use cloud storage or any other optional third-party services. 

They found that an alarming number of preinstalled system, vendor and third-party apps transmit to backend servers privacy-sensitive information related to the user's device (persistent identifiers), geolocation (GPS coordinates, network-related identifiers), user profile (phone number, app usage) and social relationships (e.g., call history), without consent or even notification. 

The devices in question send a worrying amount of Personally Identifiable Information (PII) not only to the device vendor but also to service providers like Baidu and to Chinese mobile network operators.

The tested phones did so even when these network operators were not providing service, that is, when no SIM card was present or the SIM card was associated with a different network operator.

Although the firmware is produced by the same companies, Chinese versions transmit much more sensitive information than the EU counterparts.  

This poses serious deanonymization and tracking risks that extend outside China when the user leaves the country, and calls for a more rigorous enforcement of the recently adopted data privacy legislation, which is supposed to protect Chinese consumers from data collection without consent. 
