Mobile device-tracking by Apple and Google take center stage in a report revealing that, despite both allowing users to opt out of sharing telemetry data – they do anyway.
“Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this,” wrote researcher Douglas Leith from Trinity College in Ireland, in a recently published academic report.
The research, entitled Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google (PDF), also found that Google collects up to 20 times more data from its Android Pixel users compared to the amount of data that Apple collects from iOS users.
“The phone IMEI, hardware serial number, SIM serial number and IMSI, handset phone number etc. are shared with Apple and Google,” according to the report. “When a SIM is inserted, both iOS and Google Android send details to Apple/Google. iOS sends the MAC addresses of nearby devices, e.g. other handsets and the home gateway, to Apple, together with their GPS location. Currently there are few, if any, realistic options for preventing this data sharing.”
Parameters of the testing did not include pre-installed apps baked into the manufacturers’ mobile operating system, or third-party apps. Rather, research focused on data collected by OS-level handset components and functions, such as Apple’s Bluetooth UniqueChipID, Secure Element ID and the transmission of the devices’ Wi-Fi MAC addresses.
“Google collects a notably larger volume of handset data than Apple,” Leith wrote. “During the first 10 minutes of startup, the Pixel handset sends around 1MB of data to Google, compared with the iPhone sending around 42KB of data to Apple. When the handsets are sitting idle, the Pixel sends roughly 1MB of data to Google every 12 hours, compared with the iPhone sending 52KB to Apple — i.e., Google collects around 20 times more handset data than Apple.”
He noted that the operating systems connect to their back-end servers on average every 4.5 minutes, whether they’re in use or not.
On an informal basis, Leith did examine a number of the pre-installed apps and services, specific to the phone manufacturers. He noted that they also make network connections, despite never having been opened or used.
“In particular, on iOS these include Siri, Safari and iCloud; and on Google Android these include the YouTube app, Chrome, Google Docs, Safetyhub, Google Messaging, the Clock and the Google SearchBar,” he said.
When Leith reached out to both Apple and Google to comment on his research he received mixed results.
“To date, Apple have responded only with silence (we sent three emails to Apple’s director of user privacy, who declined even to acknowledge receipt of an email,” Leith wrote. Since then, Apple has made public statements critical of Leith’s research and insisting privacy and opt-out measures do exist.
“Google responded with a number of comments and clarifications,” he wrote. “They also say that they intend to publish public documentation on the telemetry data that they collect.”
In a statement to the numerous publications following the release of the research, Google said:
“We identified flaws in the researcher’s methodology for measuring data volume and disagree with the paper’s claims that an Android device shares 20 times more data than an iPhone. According to our research, these findings are off by an order of magnitude, and we shared our methodology concerns with the researcher before publication.
This research largely outlines how smartphones work. Modern cars regularly send basic data about vehicle components, their safety status and service schedules to car manufacturers, and mobile phones work in very similar ways. This report details those communications, which help ensure that iOS or Android software is up to date, services are working as intended, and that the phone is secure and running efficiently.”
The privacy dangers of a handset sharing this type of telemetry data are twofold, the researcher noted. One is that Google and Apple can use data to identify a user and track purchases, Leith said. Two, Apple and Google could abuse users’ trust and track their movements.
That said, the researcher does point out that the transmission of user data to a device-maker’s backend is necessary for pushing out security updates for specific models. Collecting user data becomes problematic when it’s tied to a specific user, he said.
“Many studies have shown that location data linked over time can be used to de-anonymize [the individual],” he said.
In the report, the author outlines a number of methods a user can take to avoid sharing mobile data. While he said there are no workaround options to prevent an iPhone from sharing data with Apple, there are steps Pixel users can take to prevent the “vast majority” of the data sharing with Google.
“With Pixel, a user can choose to start up the phone with the network connection disabled,” he explained. “Next, before the user enables the network connection they can disable Google-specific services such as Google Play, YouTube before enabling the network connection.”
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community: