If you aren't the paying customer, you are the product.
Interesting read - Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets
Key Findings
- Samsung, Xiaomi, Huawei and Realme Android variants all transmit a substantial volume of data to the OS developer (i.e. Samsung etc) and to third-party parties that have pre-installed system apps (including Google, Microsoft, Heytap, LinkedIn, Facebook)
- Re-linkability of advertising identifiers. Samsung, Xiaomi, Realme and Google all collect long-lived device identifiers, e.g. the hardware serial number, as well as user-resettable identifiers, such as advertising IDs
- On the Samsung handset the Google Advertising ID is sent to Samsung servers
- What apps are used and when, what app screens are viewed, when and for how long
- Several Samsung system apps use Google Analytics to log user interactions (windows viewed etc)
- Samsung, Xiaomi, Realme, Huawei, Heytap and Google collect details of the apps installed on a handset
- The list of installed apps is potentially sensitive information since it can reveal user interests and traits (a mental health app, a political news app)
- No opt-out. As already noted, this data collection occurs even though privacy settings are enabled
- Xiaomi collects the most extensive data on user interactions, including the timing and duration of every app window viewed by a user
- One example of potentially sensitive metadata is the name, timing and duration of the app windows viewed by a user.
- Data which is not sensitive in isolation can become sensitive when combined with other data
- Android handsets can be directly tied to a person’s identity in at least two ways. Firstly, via the SIM. When a person has a contract with a mobile operator then the SIM. Secondly, via the app store used.
- Use of the Google Play store requires login using a Google account, which links the handset to that account since Google collect device identifiers such as the hardware serial number and IMEI along with the account details
- Sometimes the plaintext data (i.e. after decryption, if needed) is human-readable, e.g. json.
- On a Samsung handset Samsung, Google and Microsoft/LinkedIn all collect data. That raises the question of whether the data collected separately by these parties can be linked together (and of course combined with data from other sources).
Keep Exploring!!!
No comments:
Post a Comment