Android Mobile OS snooping

These papers are a continuation of my focus on privacy concerns. My endeavour is to put out the scholarly work, rather than the technology write-ups. Here’s another.

Liu, Haoyu, Paul Patras, and Douglas J. Leith. n.d. “Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets.” (here)


The key points:

  • The analysis of whether mobile apps disclose sensitive information to their associated back-end servers has been the focus of much research [1], [2], [3], [4], [5], especially with a view to risks such as user de-anonymization, location tracking, behaviour profiling, and cross-linking of data by different stakeholders in the device/software supply chain
  • Mobile OS behaviour has come to the fore only recently, with analyses of the Google-Apple Exposure Notification (GAEN) system that underpins Covid contact tracing apps [6] and following revelations of mass surveillance of journalists, politicians, and human rights activists through spyware exploiting zero-touch vulnerabilities
  • We report on an in-depth measurement study of the data shared by a range of popular proprietary variants of the Android OS, namely those developed by Samsung, Xiaomi, Huawei and Realme
  • We report on the data shared by the LineageOS and /e/OS open-source variants of Android
  • We focus on defining simple scenarios that can be applied uniformly to the handsets studied and that generate reproducible behaviour
  • We find that the Samsung, Xiaomi, Huawei and Realme Android variants all transmit a substantial volume of data to the OS developer (i.e. Samsung etc) and to third parties that have pre-installed system apps
  • We manually examined the decompiled app to find the code that writes each value and so establish how the value is generated
  • 1) Mobile OS Developers: We observe that Samsung, Xiaomi, Realme and Huawei all collect data from user handsets, despite the user having opted out of data collection/telemetry/analytics and making no use of services offered by these companies
  • It is hard to justify the necessity of such data collection, i.e. that users should have no opt-out, when two mobile OSes adopt an opt-in approach
  • It is worth noting that it can be hard to distinguish between diagnostics for existing software and beta testing for new or updated software/features
  • We present an in-depth analysis of the data sent by the Samsung, Xiaomi, Huawei, Realme, LineageOS and /e/OS variants of Android
  • With the notable exception of /e/OS, even when minimally configured and the handset is idle these vendor-customized Android variants transmit substantial amounts of information to the OS developer and to third parties (Google, Microsoft, LinkedIn, Facebook etc) that have pre-installed system apps
