Android phones track you even when you opt out, new research reveals

android 12 lock screen
(Image credit: Tom's Guide)

There's no escape from tracking on Android phones. Even if you disable what you can, built-in apps will still be transmitting data to the companies that make your phone and its apps, a new study has revealed.

The study, by Haoyu Liu and Paul Patras at the University of Edinburgh and Douglas J. Leith of Trinity College, Dublin, examined Samsung, Xiaomi, Huawei and Realme phones and their respective Android skins, plus devices running LineageOS and /e/, two open-source Android operating systems.

"I think we have completely missed the massive and ongoing data collection by our phones, for which there is no opt out," Leith said in a statement released by Trinity College. "We've been too focused on web cookies and on badly-behaved apps."

The researchers intercepted the data from the phones during normal use to examine what precisely was being sent. Picturing a "privacy-conscious but busy/non-technical user", the researchers disabled tracking when the phone prompted them to, but otherwise left the settings as their default.

To nobody's surprise, the built-in apps on the Samsung, Xiaomi, Huawei and Realme phones sent large amounts of data to the OS' developers, plus third parties including Google, with the Google Mobile Services and Google Play Store apps being the biggest sources of data.

Other companies being sent data included Facebook, Microsoft (in the form of the SwiftKey keyboard or OneDrive cloud storage) and LinkedIn, depending on which pre-installed "system apps" were present on the device.

These built-in apps can't be deleted because they reside on read-only memory (ROM), and can be given permissions that can't normally be accessed by normal apps. Many of these are basic Google apps, but some, as mentioned above, come from the phone maker or through third-party agreements with other companies.

As for the alternate operating systems, LineageOS didn't collect data for itself but still sent information to Google via its system apps. /e/ sent only very limited data back to its developers, showing that it's entirely possible to make Android work without major data harvesting. 

However /e/ is a significantly reworked version of Android designed specifically not to track its users, and offers a very different experience from stock Android without many of the apps a normal user is used to.

If you're curious about exactly what was sent by each OS, the researchers summarized it in the table below. The data is extensive in most cases, including information about your device, which apps you're using and for how long. 

The study concludes that "the observed data transmission goes well beyond [expected communication rates with OS servers] and raises a number of privacy concerns." ("Pure" Google builds of Android were not studied, but provided as a reference.)

A table taken from a study into Android data privacy. It shows four different manufacturers' handsets send various amounts of data, with two independent Android-based operating systems sending less data.

(Image credit: Doug Leith/Trinity College, Dublin)

Google seems to stand by its decision to collect the date that it does. A statement from a company spokesperson written in response to BleepingComputer says:

"While we appreciate the work of the researchers, we disagree that this behavior is unexpected — this is how modern smartphones work". 

The statement continues to explain that Google Play Services data is "essential for core device services such as push notifications and software updates across a diverse ecosystem of devices and software builds", while other data like IMEI numbers are needed "to deliver critical updates reliably across Android devices and apps"

Unfortunately users can't really do much if they're bothered about this. As mentioned before, there's no way to opt-out of the system-app data capture. Any IDs you can reset can easily be reidentified by cross-referencing them with IDs you can't reset, such as your phone's IMEI number. 

Installing a custom OS like /e/ is an option, but getting it to work takes more effort than the average person is likely willing to go to. You could always switch to an iPhone, but while Apple emphasizes how important user privacy is, it's still impossible to escape all tracking with iOS.

Indeed, a separate study conducted by Leith this past spring found that the core Android and iOS operating systems themselves (regardless of system apps) transmitted roughly the same amount of user data

Meanwhile, a new Oxford study released last week found that iPhone apps were just as snoopy as Android apps, with 60% of iOS apps sharing data with Google.

Richard Priday
Assistant Phones Editor

Richard is based in London, covering news, reviews and how-tos for phones, tablets, gaming, and whatever else people need advice on. Following on from his MA in Magazine Journalism at the University of Sheffield, he's also written for WIRED U.K., The Register and Creative Bloq. When not at work, he's likely thinking about how to brew the perfect cup of specialty coffee.