Are pre-installed Android apps safe? Apparently not!
What's the story
Bloatware has always been an annoyance on Android devices. A new study from Trinity College in Dublin claims that the pre-installed apps on Android devices are far more dangerous.
The apps reportedly relay app screens viewed, web activity, and phone call data to various Big Tech companies, all without any way for consumers to opt-out of data collection.
Here are more details.
Big Tech caught
Smartphones were found sending data to manufacturers, third parties
Researchers at the university examined data sent to third parties by six Android operating system (OS) skins developed by Samsung (OneUI), Xiaomi (MIUI), Realme (Realme UI), Huawei (EMUI), LineageOS, and e/OS.
Worryingly, the study found that these smartphones consistently send data to the OS developers and third parties, including Google, Microsoft, LinkedIn, and Facebook. Unfortunately, customers cannot choose to opt out.
No way out
Variants except e/OS transmitted 'substantial amounts' of data
The culprits were found to be native apps that are pre-loaded on phones from these manufacturers. Even if devices are devoid of bloatware, most phones have indispensable suites of Google and Microsoft apps.
These apps reside in the ROM and cannot be deleted conveniently. Not using the apps doesn't help matters either. The apps continue to send data even if you've never opened them.
What is collected?
Xiaomi collects acutely specific app interaction data
Xiaomi's collected data includes application screens, how long people viewed these screens, and how people interacted with them. Huawei's Swiftkey keyboard was caught sending typing data to Microsoft, including when a user is typing in the search bar, writing a text, or searching for contacts.
The apps also collect the time and duration of phone calls and when messages are sent and received.
No anonymity
Collected data associated with long-lasting identifiers like device serial numbers
The study claims that data collection isn't anonymous.
Samsung, Xiaomi, Google, and Realme collect long-lasting device identifiers like hardware serial numbers so even if users reset advertising identifiers, it's fruitless because the new advertising identifier would still be associated with the device serial number.
Combined with this level of user identification, the collected data catalyzes profiling of users' preferences, daily life, and traits.
Currency
Researchers believe companies even share the data among themselves
The researchers highlighted that Xiaomi was found to be the manufacturer collecting and transmitting the most data.
While most handsets sent data to servers within Europe, Xiaomi was found transmitting data to servers in Singapore as well.
The researchers opined there could be an ecosystem where the data collected from a handset is shared between different Big Tech companies and we couldn't agree more.
Solution
Rooting device could help, but it's only for advanced users
To circumvent the problem, one could root their Android smartphone. Root access would let users delete persistent native applications from the ROM and even install a custom, open-source, privacy-centric Android skin.
However, rooting is a complicated and risky process recommended only for advanced users since it risks bricking your device. Moreover, smartphone manufacturers lock bootloaders and don't make it particularly easy to root smartphones.