Don't buy an Android phone in China, boffins have warned, as they come crammed with preinstalled apps transmitting privacy-sensitive data to third-party domains without consent or notice.
The research, conducted by Haoyu Liu (University of Edinburgh), Douglas Leith (Trinity College Dublin), and Paul Patras (University of Edinburgh), suggests that private information leakage poses a serious tracking risk to mobile phone customers in China, even when they travel abroad in countries with stronger privacy laws.
In a paper titled "Android OS Privacy Under the Loupe – A Tale from the East," the trio of university boffins analyzed the Android system apps installed on the mobile handsets of three popular smartphone vendors in China: OnePlus, Xiaomi and Oppo Realme.
The researchers looked specifically at the information transmitted by the operating system and system apps, in order to exclude user-installed software. They assume users have opted out of analytics and personalization, do not use any cloud storage or optional third-party services, and have not created an account on any platform run by the developer of the Android distribution. A sensible policy, but it doesn't seem to help much.
The pre-installed set of apps consists of Android AOSP packages, vendor code and third-party software. There are more than 30 third-party packages in each of the Android handsets with Chinese firmware, the paper says.
These include Chinese input apps like Baidu Input, IflyTek Input and Sogou Input on the Xiaomi Redmi Note 11. On the OnePlus 9R and Realme Q3 Pro, there's Baidu Map as a foreground navigation app and the AMap package, which runs continuously in the background. And there are also various news, video streaming, and online shopping apps bundled into the Chinese firmware.
Within this limited scope, the researchers found that Android handsets from the three named vendors "send a worrying amount of Personally Identifiable Information (PII) not only to the device vendor but also to service providers like Baidu and to Chinese mobile network operators."
The tested phones did so even when these network operators were not providing service – no SIM card was present or the SIM card was associated with a different network operator.
"The data we observe being transmitted includes persistent device identifiers (IMEI, MAC address, etc.), location identifiers (GPS coordinates, mobile network cell ID, etc.), user profiles (phone number, app usage patterns, app telemetry), and social connections (call/SMS history/time, contact phone numbers, etc.)," the researchers state in their paper.
No comments:
Post a Comment