Android phones from China transmit personal info without consent, researchers say
Pre-installed apps on Android phones from some Chinese vendors, as well as third-party apps, are transmitting personal user information without notification or consent from users.
Pre-installed system apps on Android phones from three popular Chinese vendors, as well as third-party apps, are reportedly transmitting personal user information without notification or consent.
Researchers at universities in the United Kingdom examined the Chinese version of the Android OS distributions run by Xiaomi, Realme and OnePlus headsets, experimenting with a number of devices.
The arXiv paper's authors measured the network traffic generated by handsets when in use, using static and dynamic code analysis techniques to look at the data transmitted by the reinstalled system apps.
"We find that these devices come bundled with a number of third-party applications, some of which are granted dangerous runtime permissions by default without user consent, and transmit traffic containing a broad range of geolocation, user-profile and social relationships [personally identifiable information] to both phone vendors and third-party domains, without notifying the user or offering the choice to opt-out," the research showed.
The packages transmitted to many third-party domains contain privacy-sensitive information related to devices, including GPS coordinates, network-related identifiers, phone numbers, app usage data and call histories.
Comparatively, data shared by the Global version of the firmware was found to be mostly limited to device-specific information, which the computer scientists said sheds light on differences in privacy provision enforcement across separate regions.
Notably, the collection does not stop once the device and user leave China, despite the fact that different countries have different privacy laws.
Furthermore, data was found to be sent to mobile operators even when they were not providing service.
"This poses serious deanonymization and tracking risks that extend outside China when the user leaves the country, and calls for a more rigorous enforcement of the recently adopted data privacy legislation," the study said.
The findings, the authors wrote, highlight the need for tighter privacy curbs to "increase the ordinary people’s trust in technology companies, many of which are partially state-owned."