If you’re an Android phone user, now might be a good time to invest in a good pair of ear plugs. Fans of iPhones aren’t known for being shy when it comes to telling Android users that Apple products are superior, and things may be about to get worse, thanks to a new research paper (pdf).
Researchers of the School of Computer Science and Statistics at Trinity College Dublin, Ireland decided to investigate what data iOS on an iPhone shares with Apple and what data Google Android on a Pixel phone shares with Google. Whilst it may not be the smoking gun some think it is (we think the sheer amount of telemetry data may come as a surprise for both sides of the argument), it didn’t go well for Android.
To get fair results a researcher needs to define experiments that can be applied uniformly to the handsets studied, to allow for direct comparisons, and the experiment needs to generate reproducible behavior. The research team decided to focus on the handset operating system itself, separate from optional services such as maps, search engines, cloud storage, and other services provided by Google and Apple. Although these come with practically every device, privacy-conscious minds are prone to disable these services.
The user profile was set to mimic a privacy-conscious but busy/non-technical user, who when asked does not select options that share data with Apple and Google. Otherwise, the handset settings were left at their default value.
Data transfer was measured at 6 specific points of action during the phones’ normal use:
- On first startup following a factory reset
- When a SIM was inserted/removed
- When a handset was left idle
- When the settings screen was viewed
- When geolocation services were enabled/disabled
- When the user logged in to the pre-installed app store
Both iOS and Google Android transmit telemetry, despite the user settings. According to the research, both Android and iOS handsets shared data with Google and Apple servers every 4.5 minutes, on average.
Android handsets however, share 20 times more telemetry data than iPhones, it seems. During the first 10 minutes of startup the Pixel handset in the test sent around 1MB of data to Google, compared with the 42KB of data the iPhone sent to Apple. When the handsets were sitting idle the Pixel sent roughly 1MB of data to Google every 12 hours compared with the iPhone’s 52KB sent to Apple.
We should be careful not to draw too many conclusions from just the size of the data though. The quantity of data can be affected by things like the choice of protocols and whether or not compression is used. What matters far more, is the type of information being shared.
Type of information
Researchers noted that devices on default privacy settings share information related to the IMEI, SIM serial number, phone number, hardware serial number, location, cookies, local IP address, nearby WiFi MAC addresses, and advertising ID. When a user has not yet logged in, Android phones don’t send location, IP address, and nearby WiFi MAC addresses, while iPhones don’t send their own WiFi MAC address.
Unused apps and services
Several of the pre-installed apps/services are also observed to make network connections, despite never having been opened or used. In particular, on iOS these include Siri, Safari and iCloud. On Google Android these include the YouTube app, Chrome, Google Docs, Safetyhub, Google Messaging, the Clock and the Google Search bar.
The collection of so much data by Apple and Google raises some major concerns. Firstly, this device data can be fairly easily linked to other data sources. This is certainly no hypothetical concern since both Apple and Google operate payment services, supply popular web browsers, and benefit commercially from advertising.
Secondly, every time a handset connects with a back-end server it necessarily reveals the handset’s IP address, which is a rough proxy for location. The high frequency of network connections made by both iOS and Google Android (on average every 4.5 minutes) therefore potentially allow tracking by Apple and Google of device location over time.
And last but not least, the apparent inability for users to opt out. In the report the head researcher outlines a method to prevent the vast majority of the data sharing but noted that it needs to be tested against other types of handhelds. And from my perspective it’s not easy to pull it off, and it would not stop everything.
Apple and Google do not agree
The head researcher sent his findings to both companies. Google offered some clarifications and expressed its intention to publish documentation on the telemetry data collection soon.
Apple noted that the report gets many things wrong. For instance, the company says that personal data sent to Apple is protected, and the company doesn’t collect data that can be associated with a person without their knowledge or consent. Google calls into question the methods used to determine the telemetry volume on Android and iOS. It claims the study didn’t capture UDP/QUIC traffic, nor did it look at whether the data was compressed or not, which could skew the results.