Science Foundation Ireland

New study highlights fresh privacy concerns for preinstalled Android apps

Prof. Douglas Leith, CONNECT Investigator at Trinity College Dublin, has published a study that highlights fresh privacy concerns arising from data collected by the Google Messages and Dialer apps on Android phones. 

These essential apps are pre-installed on phones: the Messages app is used to send/receive SMS and other messages, and the Dialer app to make/receive phone calls. According to Google, both are installed on more than 1 billion phones. In the US, AT&T and T-Mobile recently announced that all Android phones on their networks would use the Google Messages app, and the app also comes pre-loaded on all recent Samsung, Xiaomi and Huawei handsets.

Key findings from the study:

– The Google Messages app tells Google whenever a message is sent/received. The information sent includes the time and a hash of the message text that uniquely identifies the message. The message sender’s phone number is also sent to Google, so by combining data from handsets exchanging messages, the phone numbers of both sender and receiver are revealed.

– The Google Dialer app tells Google whenever a phone call is made/received. The information sent includes the time and the call duration and allows discovery of whether two handsets are calling one another.

– Each app also tells Google about user interactions with it. For example, when the user views an app screen, an SMS conversation or searches their contacts the nature. This allows a detailed picture of app usage over time to be reconstructed.

– The data sent to Google is tagged with the handset Android ID, which is linked to the handset’s Google user account and so often to the real identity of the person involved in a phone call or SMS message.

– Much of this data is sent via Google Play Services. Earlier studies by researchers at Trinity College Dublin have noted the large volume of data sent by Google Play Services to Google servers (>20 times the data that iPhones send to Apple), and the opaque nature of this data collection. This latest study is one of the first to cast light on the content of the data sent by Google Play Services.

– There is no opt-out from this data collection.

Commenting on the study, Prof. Doug Leith said:
“The lack of any opt-out choice is concerning here as the apps looked at in this report serve the basic functions of a phone. Google has engaged positively with us and said that they plan to make several changes to the Google Messages and Dialer apps considering this report. We hope this report shows how even the simplest apps can be an area of concern for the public and regulators.”

CONNECT is the world-leading Science Foundation Ireland Research Centre for Future Networks and Communications. CONNECT is funded under the Science Foundation Ireland Research Centres Programme and is co-funded under the European Regional Development Fund. We engage with over 35 companies including large multinationals, SMEs and start-ups. CONNECT brings together world-class expertise from ten Irish academic institutes to create a one-stop-shop for telecommunications research, development and innovation.
