A new study in March 2021 by Computer Science Professor Doug Leith from Trinity College Dublin revealed that smartphones running iOS or Android are sending data like location, unique identifiers of the device or even MAC addresses of nearby devices to Apple and Google. This even happens when minimally configured on average every 4 and a half minutes. Let’s have a closer look at the paper to see, which data is transmitted in detail and if there are any ways to prevent this data sharing.
To collect the data sent by each smartphone, the devices were jailbroken or rooted and connected to the Wi-Fi hotspot of a laptop that acts as an intermediary. This allowed the researchers to first read out the network traffic and then forward it to the correct destination. Data transmission was analysed in a few different scenarios, like inserting a SIM card, viewing the settings screen and the device lying idle. It’s important to know that the research team did not select the respective options to share data with Apple and Google, the study was done from the perspective of a privacy-conscious user.
On the first start-up after a factory reset, the iPhone 8 on iOS 13.6.1 sent its unique device identifier and the hardware serial number to Apple. This is unavoidable since the device cannot be set up without an internet connection. The Google Pixel 2 on Android 10 in the same situation also sent device identifiers and serial numbers, the MAC address and the IMEI to Google.
Both sent telemetry and logging data despite deselecting that option during the setup, although it seems to be possible to install Android without a network connection so some data transmission could have been avoided. The iPhone regularly sends device identifiers and serial numbers as well as a cookie that can act as an identifier when idle even if a user is not logged into an Apple account. Inserting a SIM card automatically sends SIM identifiers and the phone number to Apple and when location services are enabled, the location along with MAC addresses of devices on the same network are included. Strangely enough, even though Android also sends a lot of identifying telemetry data, it doesn’t seem to include location or nearby MAC addresses. It does however send much more data in terms of file size, around 20 times more than iOS.
It’s not clear if this actually includes more information or if it’s for example just a weaker compression algorithm. Of course, telemetry is not inherently a privacy intrusion, it can be useful for example for setting the correct user language or getting software updates. But much of the data analysed in this study can be linked together and again: This was tested without the user logged in anywhere. The native app stores can only be used with accounts, so unless you abstain from all third-party apps or you have the technical knowledge to install a third-party app store, you need an account at some point. Both Apple and Google operate payment services, supply popular web browsers and benefit from advertising. Those are rich data sources. The website Ars Technica received rather reserved statements from both companies.
An Apple spokesperson claimed the paper got things wrong and referred to iOS’ privacy protections, Google also supposedly identified some flaws in the paper and concluded that’s just “how smartphones work”. Study author professor Leith mentions that he did not receive a response from Apple prior to publishing the paper but Google is at least planning to provide detailed documentation of Android telemetry data.
Unfortunately, the study closes with a rather depressing result: There currently aren’t many realistic options for preventing this data sharing. It is possible on Android to install custom operating systems without many of the Google services. That would probably be the most private solution, but it requires technical knowledge an average smartphone user doesn’t have. iPhone users could maybe use some privacy tweaks after jailbreaking but in general, iOS is much more locked down, so the vast majority is dependent on Apple’s intentions.