iPhone apps no better for privacy than Android, Oxford study finds


A new survey has reached a startling conclusion: iPhone apps tend to violate your privacy just as often as Android apps do.

"Overall, we find that neither platform is clearly better than the other for privacy across the dimensions we studied," says the academic paper, entitled "Are iPhones Really Better for Privacy?" and presented by researchers from the University of Oxford.

"While it has been argued that the choice of smartphone architecture might protect user privacy, no clear winner between iOS and Android emerges from our analysis," the paper adds. "Data sharing for tracking purposes was common on both platforms."

If this sounds vaguely familiar, it may be because an Irish team earlier this year came to similar conclusions about the privacy of the Android and iOS core operating systems, setting apps aside. Meanwhile, an American researcher in 2020 found that the security of iOS apps was roughly equal to that of Android apps.

There's one big caveat regarding the new study: It was conducted before the introduction of iOS 14.5 in April 2021, which made opt-in to tracking and app privacy labels mandatory on iPhones. 

The Oxford team — Konrad Kollnig, Reuben Binns, Max Van Kleek and Nigel Shadbolt, plus independent researcher Anastasia Shuba — promised to "assess the impact of these policy changes in future work," but their research paper covers a lot more than just tracking. 

We've reached out to both Apple and Google for comment and will update this story when we receive a reply.

Tracking is everywhere on iOS and Android

The researchers analyzed the code, permissions and network traffic of 12,000 randomly selected free apps from each platform that had been updated or released in 2018 or later. Each app was run on a real device, either a first-generation iPhone SE running iOS 14.2 or a Google Nexus 5 running Android 7 Nougat.

They found that nearly all (89%) of the Android apps contained at least one tracking library, which was almost always Google Play Services. The numbers weren't much lower on iOS, where 79% of apps had at least one tracking library, most likely Apple's own SKAdNetwork, which tracks which ads a user clicks on.

However, 62% of iOS apps also ran Google's AdMob ad tracking library, followed by 54% of iOS apps (and 58% of Android apps) running Google Firebase. Facebook trackers were in 28% of Android apps and 26% of iOS ones.

In fact, most apps on either platform — 90% of Android apps and more than 60% of iOS apps — shared data with tracking companies owned by Google.

"Tracking by Google... happens widely on iOS where, unlike on Android, a user would not have given consent as part of the device set-up process," the paper said.

Almost all tracking companies observed were based in the U.S. About 9.5% of iOS apps and 5% of Android ones used China-based trackers; 7.5% of iOS apps and 2% of Android ones used Indian trackers.

Because the researchers used apps from the UK versions of the app stores, the fact that almost all the ad tracking companies were based outside Europe may indicate widespread violations of Europe's (and the UK's) GDPR privacy law, which limits the transmission of user data across borders.

Making ad privacy profitable

The team commended Apple for making it possible for iPhone users to block the temporary advertising IDs that flag your phone to advertisers, as well as being transparent with users about what's going on. (On Android, you can refresh those ad IDs, but not block them, and most Android users don't even know they exist.) 

But the team also saw an ulterior motive on Apple's part.

"Apple's crackdown on Ad ID use could be interpreted as an attempt to divert revenue from Google and other advertising providers, and motivate the use of alternative monetisation models — which are more lucrative for Apple," the Oxford research paper states. 

"Apple has arguably placed a larger emphasis on privacy, seeking to gain a competitive advantage by appealing to privacy-concerned consumers."

Half of Android apps shared Ad IDs over the internet, while only a third of iOS ones did. And nearly all Android apps — a bit more than 85% — sent a phone's model number and device name back to home base. Two-thirds of iOS apps did.

More app permissions, or more choice in opting out?

Android users are asked to grant more permissions to Android apps upon installation than iOS users are, the Oxford researchers noted. But that may be because iOS gives apps a lot of permissions, such as internet access, without offering the user a chance to accept or reject them. 

"Overall, Android has many permissions that have no equivalent on iOS, and thus Android apps can appear to be more privileged than their iOS counterparts," the paper says. "But on closer examination, they are simply asking for permissions to access resources which are not restricted on iOS (e.g. internet access and network state)."

Meanwhile, about half of iOS apps can access a phone's camera and location, while only about a quarter of Android apps can.

Children's apps are a privacy nightmare

If you're not sure whether it's a good idea to give young children smartphones, this study should help settle the matter against it.

"Both platforms have policies to limit data collection and advertising in children's apps," the paper stated. 

"Despite this, access to unique device identifiers, specifically the Ad ID, and the user location was widespread in children's apps. Twenty-seven percent of children's apps on iOS could request the user location, and 4% on Android."

"About 59% of Android apps shared the Ad ID with third-parties over the internet, 25% on iOS," the paper added. "This can be used to build fine-grained profiles about children, putting them at risk."

More privacy means less app revenue

Is this ever going to change? The Oxford researchers hope to analyze the policy changes introduced with iOS 14.5 and later versions of iOS to see if that makes a difference. But they added that there are strong incentives against making smartphones more private.

"Since the platforms take a share of any sales through the app stores (up to 30%)," the Oxford paper says, "both Apple and Google have a natural interest in creating business opportunities for app publishers, and letting them collect data about users to drive such sales."

Paul Wagenseil
