Data collection / privacy on Android OS variants

[JPL13]

Article entitled "Study reveals Android phones constantly snoop on their users" over on BleepingComputer:

• https://www.bleepingcomputer.com/ne...droid-phones-constantly-snoop-on-their-users/

The key issue being that users don't have any controls within Android to turn off these data collection routines. I suppose one could try to limit this via something like Pi-hole, but black-listing a bunch of Google domains would likely break some key functionality in one's Android phone.

From the article ...

As the summary table indicates, sensitive user data like persistent identifiers, app usage details, and telemetry information are not only shared with the device vendors, but also go to various third parties, such as Microsoft, LinkedIn, and Facebook.

 

[hallux]

What this also tells us is that the Pixel devices share the LEAST...

 

[ian87w]

What this also tells us is that the Pixel devices share the LEAST...

Well, of course. It only goes to Google because Google is the maker. Meanwhile, the rest of OEMs have data going to both the OEM AND Google.

 

[ian87w]

Article entitled "Study reveals Android phones constantly snoop on their users" over on BleepingComputer:

• https://www.bleepingcomputer.com/ne...droid-phones-constantly-snoop-on-their-users/

The key issue being that users don't have any controls within Android to turn off these data collection routines. I suppose one could try to limit this via something like Pi-hole, but black-listing a bunch of Google domains would likely break some key functionality in one's Android phone.

From the article ...

This article kinda confirms my concern about Android. It's not Google specifically per se, but the fact that the OS allows so many app data being exposed to 3rd parties. It's the reason I use iPhones for my banking apps, despite Android still being my primary phone. So many hooks in the OS from other parties like Microsoft and Facebook, even if you don't use their services.

Although Google argues that many of the data are "standard" for smartphones and necessary (I can understand device info data being critical for updates, for example), it's the other parties that I'm concerned about, and the fact that they have those data collectors and telemetries in my device.

 

[hallux]

It's the reason I use iPhones for my banking apps,

Is your bank inserting ads in their app? I'd be finding another bank if so. There should be ZERO cross from a banking app to any info shared through advertising ID. Additionally - the information about your account(s) should be no more than information to display and shouldn't cross to any of the categories in the left column. The most likely place that info MIGHT leak is in one of the bottom two, and if you stick with a Pixel there's minimal risk.

The LAST thing a bank wants is for information about your accounts from their app to somehow make it to one of those sources, and I imagine there are fairly strict protocols in place for banking app design to ensure they're not sharing where it shouldn't be shared. Shoot - my banking apps won't even let me screenshot!

EDIT: I want to add, these seem like more of a scare tactic ("Android is so insecure, OMG, the sky is falling, don't use Android"). That table says nothing about what particular data is shared with the particular places it's shared with. I'd wager that 99% of the data being shared is unique IDs that are not tied to a specific person, but purely used to identify a unique device for licensing reasons. Shoot - your BANK uses your device ID, how else do you think they identify that you're not logging in from a new or already-trusted device?

 

[ian87w]

Is your bank inserting ads in their app? I'd be finding another bank if so. There should be ZERO cross from a banking app to any info shared through advertising ID. Additionally - the information about your account(s) should be no more than information to display and shouldn't cross to any of the categories in the left column. The most likely place that info MIGHT leak is in one of the bottom two, and if you stick with a Pixel there's minimal risk.

The LAST thing a bank wants is for information about your accounts from their app to somehow make it to one of those sources, and I imagine there are fairly strict protocols in place for banking app design to ensure they're not sharing where it shouldn't be shared. Shoot - my banking apps won't even let me screenshot!

On Android, an app can access your SMS, which can contain OTPs from the bank. Also, as shown in this article, Android apps can see what other apps are installed in your phone, which also means your banking apps. Add on the fact that apps can have access to phone and contacts. Plus, many apps simply won’t work if you don’t give permissions to those things. Combinations of those data is a potential risk, and I’m just not willing to risk it, especially knowing that many app developments are outsourced to countries like Russia, China or India. As a consumer, I have different trust levels for my banking apps and my social media apps. As much as I love Android, I have to give it to Apple for certain level of my trust.

 

[hallux]

On Android, an app can access your SMS, which can contain OTPs from the bank

Unless I'm installing an app for texting I'm not giving SMS permissions to an app. I don't even have Facebook messenger on my phone BECAUSE of its intrusion into texting! Also - I think Google/Android have gotten more strict on apps requesting permissions that are unrelated to the function of the app (you shouldn't be able to put a crossword puzzle app on the Play Store that requests SMS permissions for example). I just spot-checked some of the apps on my phone, NONE had requested access to SMS, some had requested phone (for which I had not approved the permission one some). I am VERY particular about what goes on my devices, I scrutinize the requested permissions and deny what I feel isn't needed for the way I intend to use the app.

The point is - someone who is aware of what they are doing CAN safely utilize the OS with minimal risk. Someone who is going to install anything and everything and randomly tap on pop-ups, may be better off with iOS or no phone at all.

Oh, and for the love of GOD, avoid Cheetah Mobile AT ALL COSTS! I even paid for a file manager app (before Google added one prominently in Android) because the previous one I was using got rolled into the CM circus tent...

 

[ian87w]

Unless I'm installing an app for texting I'm not giving SMS permissions to an app. I don't even have Facebook messenger on my phone BECAUSE of its intrusion into texting! Also - I think Google/Android have gotten more strict on apps requesting permissions that are unrelated to the function of the app (you shouldn't be able to put a crossword puzzle app on the Play Store that requests SMS permissions for example). I just spot-checked some of the apps on my phone, NONE had requested access to SMS, some had requested phone (for which I had not approved the permission one some). I am VERY particular about what goes on my devices, I scrutinize the requested permissions and deny what I feel isn't needed for the way I intend to use the app.

The point is - someone who is aware of what they are doing CAN safely utilize the OS with minimal risk. Someone who is going to install anything and everything and randomly tap on pop-ups, may be better off with iOS or no phone at all.

Oh, and for the love of GOD, avoid Cheetah Mobile AT ALL COSTS! I even paid for a file manager app (before Google added one prominently in Android) because the previous one I was using got rolled into the CM circus tent...

Well, poorly coded apps with weird permissions unfortunately are many, and some of them are necessities in my country (eg apps by the government institutions, eWallet apps, etc). And permissions can actually be overridden by the app. Plus many apps on Android just refuse to function if you deny one of the permissions. Not saying Android cannot be secure, but as a user, I just don’t want to risk it. A smartphone is supposed to help me, not me babysitting it.

I still like Android for its versatility. But when it comes to my banking needs, I’d rather use iOS.

 

[mi7chy]

These are the least of your worries compared to Apple vulnerabilities exploited in the wild that allow zero click root taking full control of iPhone/iPad/MacOS/Watch. It's littered with these including another one found actively exploited in the wild in 15.0.1 that's why I don't use iMessage and only use only iPad for non-banking/non-essentials.

https://citizenlab.ca/2021/09/force...sage-zero-click-exploit-captured-in-the-wild/

 

[GrumpyCoder]

Article entitled "Study reveals Android phones constantly snoop on their users" over on BleepingComputer:

I'm confused. I've not read the paper yet, but doesn't the Article state this is the case for /e/ OS and LineageOS? How does that transfer to "Android phones" in general? That would mean every Android is running one of the two OS, which I'm pretty sure is not the case... ?!?

 

[5105973]

I’m a little late to this discussion and very non-technical, so forgive my ignorance and help an old gal out…when I was setting up my new iPhone 13 Pro from scratch and recently went to download apps from the App Store and can now see their privacy policies and what they do, I still see that a lot of the apps I thought were “safe” have hooks of some kind into Facebook feeding them data. The one I really hate is they got access to my contacts. That’s other people’s information and not mine to give away. I did not realize I was.

And some still don’t have privacy policies in place but instead have a notification page saying if they issue an update, Apple will require them to post a policy page. Yet they’re up there and there aren’t in some cases better alternatives and since I’ve had them for years I downloaded them again.

So how is Apple/iOS giving me any more privacy? I just ended up having to do without several apps because of their connection to Facebook and interestingly enough, Google. But others I had to take, because I need them and there’s no way of setting granular stops on the data flow to FB or Google.

Not that I’m seriously worried about it for myself. I own a Samsung phone. They happily informed me just using my S21 Ultra signs me up for sharing everything about myself with their partners. I’m forever locking things down but my notifications still look like the Las Vegas strip. Blinky blinky buy me! Deals! Deals!

My life consists of mainly staying home cleaning up after cats and kids. My life is more than halfway through the life expectancy for an American non-white female. So I don’t care for myself anymore. I regularly buy pet food, cat litter, smartphones and smartphone accessories, socks and underwear, and cleaning supplies and toys. Woo. Have at it, marketers. Enjoy the data, Uncle Sam: thanks to my Samsung you now know I will not be attempting to plan an insurrection while wearing yoga pants…but don’t rule out L.L. Bean winter wear

So yeah, I’m a known quantity and it’s hopeless.

But I am trying to help the next generation craft a more private digital life and have less of a digital dossier. I’m really not sure either platform isn’t full of pitfalls and compromises.

 

[JPL13]

I’m really not sure either platform isn’t full of pitfalls and compromises.

That's a fair point.

It's incredibly unfortunate that some of the more effective ways to maintain privacy -- such as Pi-hole -- require a fair bit of technical know-how and as such are out of reach for most people.

 

[ian87w]

I’m a little late to this discussion and very non-technical, so forgive my ignorance and help an old gal out…when I was setting up my new iPhone 13 Pro from scratch and recently went to download apps from the App Store and can now see their privacy policies and what they do, I still see that a lot of the apps I thought were “safe” have hooks of some kind into Facebook feeding them data. The one I really hate is they got access to my contacts. That’s other people’s information and not mine to give away. I did not realize I was.

And some still don’t have privacy policies in place but instead have a notification page saying if they issue an update, Apple will require them to post a policy page. Yet they’re up there and there aren’t in some cases better alternatives and since I’ve had them for years I downloaded them again.

So how is Apple/iOS giving me any more privacy? I just ended up having to do without several apps because of their connection to Facebook and interestingly enough, Google. But others I had to take, because I need them and there’s no way of setting granular stops on the data flow to FB or Google.

Not that I’m seriously worried about it for myself. I own a Samsung phone. They happily informed me just using my S21 Ultra signs me up for sharing everything about myself with their partners. I’m forever locking things down but my notifications still look like the Las Vegas strip. Blinky blinky buy me! Deals! Deals!

My life consists of mainly staying home cleaning up after cats and kids. My life is more than halfway through the life expectancy for an American non-white female. So I don’t care for myself anymore. I regularly buy pet food, cat litter, smartphones and smartphone accessories, socks and underwear, and cleaning supplies and toys. Woo. Have at it, marketers. Enjoy the data, Uncle Sam: thanks to my Samsung you now know I will not be attempting to plan an insurrection while wearing yoga pants…but don’t rule out L.L. Bean winter wear

So yeah, I’m a known quantity and it’s hopeless.

But I am trying to help the next generation craft a more private digital life and have less of a digital dossier. I’m really not sure either platform isn’t full of pitfalls and compromises.

For me, it's about my own sanity. As a regular consumer, I don't have time micromanaging my tools. There are bigger things in life that require my attention. As such, I have to "trust" those making my tools. At face value (ignoring the mass scanning system on iOS15), the trust value of Apple for me is higher, considering Apple's willingness to limit what iOS exposes to 3rd party apps.

That doesn't mean Android is not useful. As a tool, they're a more useful tool for me than iPhone. However, the companies involved have less trust value for me.

And it's not about ads. It's also about identity and other data. Many apps on Android can easily suck up all your phone contents, even if you denied the permission. Many apps development are outsourced to China/India, even official ones from governments. I'm just not taking any chances when a phone becomes literally the extension of our lives, containing not only our personal data, but also actual identity and financial information.

Eg. on my S21. Even on a fresh one out of the box without any new apps installed, there's already Facebook services embedded in the phone that can only be disabled and cannot be uninstalled. I mean come on. Obviously it's worse on the Chinese phones.

 

[5105973]

For me, it's about my own sanity. As a regular consumer, I don't have time micromanaging my tools. There are bigger things in life that require my attention. As such, I have to "trust" those making my tools. At face value (ignoring the mass scanning system on iOS15), the trust value of Apple for me is higher, considering Apple's willingness to limit what iOS exposes to 3rd party apps.

That doesn't mean Android is not useful. As a tool, they're a more useful tool for me than iPhone. However, the companies involved have less trust value for me.

And it's not about ads. It's also about identity and other data. Many apps on Android can easily suck up all your phone contents, even if you denied the permission. Many apps development are outsourced to China/India, even official ones from governments. I'm just not taking any chances when a phone becomes literally the extension of our lives, containing not only our personal data, but also actual identity and financial information.

Eg. on my S21. Even on a fresh one out of the box without any new apps installed, there's already Facebook services embedded in the phone that can only be disabled and cannot be uninstalled. I mean come on. Obviously it's worse on the Chinese phones.

Samsung is NOT the choice if you want to keep your data to yourself. They’re all about merching. I’m getting a Pixel 6 Pro today…or at least I hope to. I’m going to see what up with them.

Well like I was saying there are apps on the Apple App Store that still will suck up your data. There’s no granular lock out of permission for some of the things they insist they will take. But at least now it is all disclosed…unless they are older apps and not going to be updated. It’s the updated version that will have to provide the privacy nutrition label. Apple isn’t going around making existing apps retroactively compliant to the new rules. At least as far as I know.

And plenty of Apps on the App Store have English names but are made by foreign developers. My husband in one of his previous jobs tried to get such a developer who had produced a copy of his company’s app off the App Store. The developer was fronting a Chinese company with a name designed to mimic his company’s name and presence. Apple let it sail right on in.

Not that there’s anything wrong with foreign developers in general. But I don’t know if the App Store really provides an automatic safeguard against some of the more concerning Chinese developers with ties to the mainland government surveillance system.

 

[mclld]

What is the best browser to use on android? I am wanting to get away from Chrome and Google for search. I use Safari on my MacBook and it is fine but not on Android

 

[JPL13]

What is the best browser to use on android? I am wanting to get away from Chrome and Google for search. I use Safari on my MacBook and it is fine but not on Android

Depends on what "best" means to you, but at a minimum you'd want to consider:

1. Firefox
2. Firefox Focus (you'd probably want to pair this with Firefox instead of using as your main browser)
3. DuckDuckGo

The last two are not feature-rich but might work for you. On my iPhone I use Firefox as my main browser which is OK, but not much feature parity with the web version. But I also have Firefox Focus and have it set as my default browser. That way any links I click in email on my phone will open in Firefox Focus.

 

[eltoslightfoot]

On Android, an app can access your SMS, which can contain OTPs from the bank. Also, as shown in this article, Android apps can see what other apps are installed in your phone, which also means your banking apps. Add on the fact that apps can have access to phone and contacts. Plus, many apps simply won’t work if you don’t give permissions to those things. Combinations of those data is a potential risk, and I’m just not willing to risk it, especially knowing that many app developments are outsourced to countries like Russia, China or India. As a consumer, I have different trust levels for my banking apps and my social media apps. As much as I love Android, I have to give it to Apple for certain level of my trust.

Check to see if that is true in Android 12. I can give out very granular permissions.

 

[hallux]

@JPL13 @ian87w you may be interested in this -

 

[ian87w]

What is the best browser to use on android? I am wanting to get away from Chrome and Google for search. I use Safari on my MacBook and it is fine but not on Android

I use Brave on all my devices nowadays. Was on Firefox, but it doesn't play well with Samsung Dex. Brave is a great choice as it is still based on Chromium, so you can still use Chrome plugins that you need. And it's built-in ad blocker just save me time from having to install an ad-blocker.

DuckduckGo is my secondary browser. It works fine, with the focus of privacy.

As for search, unfortunately, Google is still king, especially for local/regional searches.

 

[ian87w]

@JPL13 @ian87w you may be interested in this -

👍
yeah, and imagine my disbelief seeing so many people here supporting the mass scanning system on iOS15.

But we are already deep in the rabbit hole.

Take example, my country. The pandemic accelerate the digitalization era, where now we have government-endorsed tracking app where you must put in your real ID and information and be tracked wherever you go, in the name of controlling the pandemic. Of course, our government doesn't use Apple's/Google's contact tracing APIs. And we have private companies "partnering up" to make things more "convenient." GoJek, the "Uber" of Indonesia, has partnered up and you can use their app to replace the government's contact tracing app. Oh how convenient, as GoJek also provides eWallet service and have merged with one of the largest eCommerce marketplace in the country where you can pay your bills various government taxes with. So basically this one company knows where you are at all times, how and when you move around, what you buy offline and online, and your income level through your bills and various taxes you paid. Even Facebook will drool to get that kind of information.

 

[mclld]

That is terrifying

 

[eltoslightfoot]

Yes, that really is terrifying.