Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets
The privacy of mobile apps has been extensively studied, but much less attention has been paid to the privacy of the mobile OS itself. A mobile OS may communicate with servers to check for updates, send telemetry and so on. We undertake an in-depth analysis of the data sent by six variants of the Android OS, namely those developed by Samsung, Xiaomi, Huawei, Realme, LineageOS and /e/OS. We find that even when minimally configured and the handset is idle these vendor-customized Android variants transmit substantial amounts of information to the OS developer and also to third-parties (Google, Microsoft, LinkedIn, Facebook etc) that have pre-installed system apps. While occasional communication with OS servers is to be expected, the observed data transmission goes well beyond this and raises a number of privacy concerns. There is no opt out from this data collection. [...] we find that sending persistent identifiers in connections is ubiquitous. Table I lists the main identifiers sent in connections on each handset. Some of these identifiers are long-lived, e.g. the IMEI (which is typically engraved on the SIM slot), hardware serial number and, on Huawei handsets, the device RSA cert [22]. These identifiers persist across factory resets of the device and are effectively permanent and indelible. Others, such as the Google Advertising Id and VAID, are user-resettable either manually or by a factory reset of the phone. But in practice that means they rarely change and act as strong device identifiers. Further, as we discuss in more detail below, most of these resettable identifiers can be relinked back to the device since long-lived identifiers are sent alongside them. [...] Additionally, Samsung, Xiaomi, Realme, Huawei, Heytap and Google also collect details of all apps installed on a handset.
This is potentially more sensitive information since the set of apps installed is more likely to be unique to one handset, or a small number of handsets, and so act as a device fingerprint (especially when combined with device hardware/system configuration data). It is not clear why this data collection is needed [...] Samsung and Xiaomi both log data that can reveal user interactions occurring on a handset. Third-party system apps by Google and Microsoft also carry out event logging that can reveal user interactions. Heytap, Daily Motion and the mobile operator log events related to operation of their specific app. [...] The events logged include, for example, every opening and closing of an app window ("activities" in Android parlance) plus the duration a window is open. Since all window events appear to be logged, this can easily reveal detailed information on user handset usage. [...] Microsoft's Swiftkey keyboard (used on the Huawei handset) also carries out extensive event logging [...] In particular, when the keyboard is used within an app then the app name, number of characters entered and an event timestamp are sent. In this way use, for example, of the searchbar, contacts and messaging apps is logged and so can easily reveal detailed information on user handset usage. [...] Several Samsung system apps use Google Analytics to log user interaction events, including windows/activities viewed plus duration and timestamp. [...] Google Play Services and the Google Play store collect large volumes of data from all of the handsets (see Figure 2). This has also been observed in other recent studies, which also note the opaque nature of this data collection (no documentation, binary encoded payloads, obfuscated code). From our discussions with Google we understand that they plan to publish documentation on this data collection/telemetry, but to date that has not happened. [...]
In response to privacy concerns, identifiers used to track user behaviour are now often resettable [23]. For example, the Google Advertising Identifier (GAID) can be reset via the Settings app on an Android handset. The idea is that by resetting such an identifier a person effectively unlinks themselves from the data collected about them in the past and starts afresh. However, this aim is largely subverted as the data collected allows relinking of the new identifier to the same physical user/handset. We find that data collection allowing the potential for relinking is commonplace. [...] We find that typically multiple parties collect data from a handset. For example, on a Samsung handset Samsung, Google and Microsoft/LinkedIn all collect data. That raises the question of whether the data collected separately by these parties can be linked together (and of course combined with data from other sources). While we are not in a position to know whether such linking actually takes place, by inspection of the identifiers jointly collected by the parties we can see whether the potential exists for data linking [...] It continues with more details at: https://www.scss.tcd.ie/Doug.Leith/Android_privacy_report.pdf Giacomo
Hello, I am coming back to this matter because I have just noticed that the Google Play documentation on the GAID was recently updated: 3 May 2021 https://web.archive.org/web/20210503170641/https://support.google.com/google... 3 June 2021 https://web.archive.org/web/20211006093018/https://support.google.com/google... The study by Liu, Patras and Leith was published on 6 October and the most recent article it refers to dates from 18 August, but in the Ethical Disclosure one reads:
The mobile OS’s studied here are in active use by many millions of people. We informed Samsung, Xiaomi, Huawei, Realme, Microsoft/SwiftKey and Google of our findings and delayed publication to allow them to respond. Huawei and Google responded with some clarifications, which we have included.
So, in response to the study, Google changed how the GAID works, probably in the hope of confusing users and policy makers. In fact the change only concerns apps distributed on Google Play, but does not affect the software preinstalled by the manufacturers or by Google, which can use permanent identifiers to keep us under surveillance:
we find that sending persistent identifiers in connections is ubiquitous.
[...] the Google Advertising Id and VAID, are user-resettable either manually or by a factory reset of the phone. But in practice that means they rarely change and act as strong device identifiers.
Further, as we discuss in more detail below, most of these resettable identifiers can be relinked back to the device since long-lived identifiers are sent alongside them.
However, it is nice to see that academia, when it does its job, is still influential. Giacomo
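The relinking mechanism quoted in both posts above (a user-resettable GAID transmitted in the same records as a long-lived hardware serial, and the installed-app list acting as a device fingerprint) as a short added example. This is illustrative code written for this page, not code from the Liu/Patras/Leith report, from Google or from any handset vendor; the record fields, the serial number, the GAID values and the app list are constructed sample data, and the join-key names ("serial", "apps") are assumptions about what a collector could join on.

```python
"""Toy relinking demo (added example, not from the report or any vendor code).

Shows why resetting an advertising identifier does not unlink a handset when
a collector also receives a long-lived identifier (hardware serial) or a
stable fingerprint (hash of the installed-app list) in the same records.
All data below is constructed; field names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import FrozenSet, List, Optional
import hashlib


@dataclass(frozen=True)
class Record:
    """One constructed telemetry record as a collector might receive it."""
    gaid: str                      # resettable advertising identifier
    serial: Optional[str]          # long-lived hardware serial, if sent
    installed_apps: FrozenSet[str] # installed-app list, if sent
    event: str


def app_fingerprint(apps: FrozenSet[str]) -> str:
    """Hash the sorted app list; it is unchanged by a GAID reset."""
    return hashlib.sha256("\n".join(sorted(apps)).encode()).hexdigest()[:16]


def linked_gaid_groups(records: List[Record], use_serial: bool = True,
                       use_apps: bool = True) -> List[List[str]]:
    """Union-find over GAIDs and the stable keys sent alongside them.

    Returns sorted groups of GAIDs that a collector could attribute to the
    same handset. With both joins disabled every GAID stands alone, which is
    the outcome a reset is supposed to produce.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for r in records:
        g = ("gaid", r.gaid)
        find(g)                              # register even if unlinked
        if use_serial and r.serial:
            union(g, ("serial", r.serial))
        if use_apps and r.installed_apps:
            union(g, ("apps", app_fingerprint(r.installed_apps)))

    groups = defaultdict(set)
    for key in list(parent):
        if key[0] == "gaid":
            groups[find(key)].add(key[1])
    return sorted(sorted(g) for g in groups.values())


# Constructed sample data: one handset before and after a GAID reset, plus an
# unrelated second handset. The serial is a placeholder, not a real device.
HANDSET_APPS = frozenset({"com.example.bank", "com.example.chess",
                          "com.example.weather", "com.example.news"})
SERIAL = "SERIAL-CONSTRUCTED-0001"

SAMPLE = [
    Record("gaid-aaaa", SERIAL, HANDSET_APPS, "boot"),
    Record("gaid-aaaa", SERIAL, HANDSET_APPS, "activity_open"),
    # user resets the advertising ID in Settings; same serial, same apps
    Record("gaid-bbbb", SERIAL, HANDSET_APPS, "boot"),
    # a different handset with a different app set
    Record("gaid-cccc", "SERIAL-CONSTRUCTED-0002",
           frozenset({"com.example.weather"}), "boot"),
]

if __name__ == "__main__":
    print("serial + apps :", linked_gaid_groups(SAMPLE))
    print("apps only     :", linked_gaid_groups(SAMPLE, use_serial=False))
    print("neither       :", linked_gaid_groups(SAMPLE, use_serial=False,
                                                use_apps=False))
```

Run as a script, the first two cases return the old and new GAID of the first handset in one group: the serial alone relinks them, and dropping the serial changes nothing because the installed-app fingerprint is just as stable. Only when neither is sent does the reset actually separate gaid-aaaa from gaid-bbbb.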
Participants (1): Giacomo Tesio