Informatics researchers raise privacy concerns about data sharing on Android phones

[2021] Dr Paul Patras and his student, Haoyu Liu, collaborated with Prof. Doug Leith from Trinity College Dublin to investigate levels of data collection and information sharing from a range of popular mobile phones.

Mobile phone user

The study found that six Android devices collect and share extensive amounts of data with third parties, with no opt-out available for users. 

The team examined the Operating Systems (OS) developed by Samsung, Xiaomi, Huawei, Realme, LineageOS and e/OS and data that these collect. 

With the notable exception of e/OS, they found that even when the mobiles were minimally configured and the handsets idle, they transmitted substantial amounts of information to their OS developer and to third parties such as Google, Microsoft, LinkedIn and Facebook.  

Researchers said they expected some communication with the OS developers, but the surprising volume of data transmission they observed raises a number of privacy concerns. 

All the devices examined, aside from those running e/OS, collect a list of every app installed on their handsets. This potentially sensitive information can reveal user interests, including the use of mental health apps, religious faith apps, dating apps and political news apps. Users have no opt-out from this data collection. 

The Xiaomi handset sends details of all the app screens viewed by a user to Xiaomi, including when and how long each app is used.  

On the Huawei handset, the Swiftkey keyboard sends details of app usage over time to Microsoft. This reveals, for example, when a user is writing a text, using the search bar or searching for contacts.

Samsung, Xiaomi, Realme and Google collect long-lived device identifiers, such as the hardware serial number, alongside user-resettable advertising identifiers.   

Third-party system apps from Google, Microsoft, LinkedIn and Facebook are pre-installed on most of the handsets and silently collect data, with no opt-out. 

Researchers say they hope their findings will serve as a wake-up call to politicians and regulators. They called for meaningful action to give the public real control over the data that leaves their phones.

Although we've seen protection laws for personal information adopted in several countries in recent years, including by EU member states, Canada and South Korea, user-data collection practices remain widespread. More worryingly, such practices take place “under the hood” on smartphones without users' knowledge and without an accessible means to disable such functionality. Privacy-conscious Android variants are gaining traction though and our findings should incentivise market-leading vendors to follow suit.

Paul Patras
Reader in the School of Informatics at the University of Edinburgh 

I think we have completely missed the massive and ongoing data collection by our phones, for which there is no opt out. We’ve been too focused on web cookies and on badly-behaved apps. I hope our work will act as a wake-up call to the public, politicians and regulators. Meaningful action is urgently needed to give people real control over the data that leaves their phones.

Professor Doug Leith
Chair of Computer Systems at the School of Computer Science and Statistics, Trinity College Dublin

Related links

Technical report

Paul Patras personal page 

Trinity College Dublin