Android Messages and Dialer apps allegedly sent data to Google without consent
In the research paper "What Data Do The Google Dialer and Messages Apps On Android Send to Google?", Trinity College professor Douglas J. Leith claims that the Google applications Messages and Dialer are sending data to Google without user consent.
Both applications are installed on over a billion Android devices each. Google Messages is the default messaging application that many manufacturers and mobile phone companies ship as the default application for messaging on their devices. The same is true for Dialer, as it is the default phone application on many Android devices.
The paper notes that Google does not provide specific privacy policies for the two applications in question, even though Google requires that third-party developers do provide privacy policies. The applications link to Google's generic consumer privacy policy only.
The researcher analyzed the data that the Google Messages and Google Dialer applications sent to Google on Android handsets. According to the research paper, linked here the following data is sent when the Messages application sends or receives messages
When an SMS message is sent/received the Google Messages app sends a message to Google servers recording this event, the time when the message was sent/received and a truncated SHA256 hash of the message text. The latter hash acts to uniquely identify the text message. The message sender’s phone number is also sent to Google, so by combining data from handsets exchanging messages the phone numbers of both are revealed
Google Messages submits data about the event, including the time messages were received or sent, a truncated hash of the message text, and the sender's phone number, to Google. The hash may identify the message according to the researcher, and if Google Messages is used on both handsets, Google gets both phone numbers involved in the conversation.
Google Dialer sends similar logs to Google. The data includes the time and the call duration according to the research paper.
When a phone call is made/received the Google Dialer app similarly logs this event to Google servers together with the time and the call duration.
The data that is sent to Google "is tagged with the handset Android ID" according to the researcher. The ID is linked to Google user accounts and thus the identify of the user.
Additionally, both applications submit data about user interactions within the applications. Nature and timings of interactions, e.g., viewing an app screen, searching contacts, or browsing an SMS conversation, are also submitted to Google according to the paper.
If "See caller and spam ID" is enabled, which it is by default, Google Dialer sends the phone number of each incoming call and the time of the call to Google as well.
The applications have no opt-out that prevents the data from being submitted to Google.
The data is sent to Google via the Google Play Services Clearcut logger service and Google/Firebase Analytics according to the researcher.
The Google Messages and Dialer apps send data to Google via two channels: (i) the Google Play Services Clearcut logger service and (ii) Google/Firebase Analytics. Recent Android measurement studies have noted the large volume of data sent by Google Play Services to Google servers on most Android handsets. A substantial component of this data is sent by the Clearcut logger service within Google Play Services. However, the data transmission is largely opaque, being binary encoded with little public documentation.
The Register received confirmation by Google that the "paper's representations [..] are accurate". Additional details, including information about the test setup and code, are available in the research paper.
Android users may switch to different applications that may take over the tasks of the default applications. For instance, Simple Dialer: Phone Calls, as a replacement for the Google Dialer application, and Simple SMS Messenger. as a replacement for Google Messages.
Now You: which dialer and messaging apps do you use?
Not that surprised.
Oh, he is the same author of “Web Browser Privacy: What Do Browsers Say When They Phone Home?” , paper that I read some times ago also posted by someone here.
Simple Dialer and Simple SMS Messenger works well. They are among the first apps I installed.
are you talking about the simple orange icons apps? there is something i don’t like about the apps, maybe the locked options, i am not sure; but like with the simple keyboard i use the other simple keyboard.
As a far I know the only locked option is the choice of icon colors. Instead the interesting option of the related app ‘Simple Contacts’ is: ‘Show private contacts to Simple Dialer, Simple SMS and Simple Calendar’. Outside this ‘package’ option there there is no short of alternatives.
I dont’ use ‘Simple Keyboard’ or the other app, honestly I am waiting for something like ‘Simple voice typing’ like this project I periodically monitor: https://github.com/ccoreilly/LocalSTT
Check Dicio too, available on F-Droid. Haven’t tried it yet, probably never will, but its an assistant.
@Yash
Yep. There is the new Dicio app and I have tried it. Interesting project, I also monitor it in case of future developments towards Kõnele or LocalSTT. I also took a look at a FlorisBoard’s feature request related to STT.
Shocked “pikachu” face…google doing something to a user without users consent??? nah…this is racist news and Russian propaganda
I can’t stop crying.
Massive breach of DMCA for those in Europe.
I’ve been using a Messenger alternative, QKSMS, and I’ve been looking into alternate dialers, like Koler. Yes, I could use the Simple Apps but I’d rather not be so limited to one source / app ecosystem.
You named them already, simple dialer and simple sms from f-droid. The only thing to be aware of is sometime the apps dont show the name of the person but just the phone number. This was resolved by reinstalling them. Not sure if i installed in the wrong sequence or if i missed allowing a permission somewhere, but reinstallation solved the issue. I am super happy with them.
Go ahead and install LineageOS without GSF. GrapheneOS is only available for Pixels.
If that is too extreme, atleast replace all OEM apps and all Google Apps bar Play services, System Webview and Maps. And don’t use Google login in your Android.
In addition to the simple dialer and simple sms apps from f-droid, you can use the NetGuard app which allows you to restrict system services such as the Google Play service from having network access.
*I think* you can do the almost same thing with the ExpressVPN app: Set ‘split tunneling’ (“only allow selected apps to use the VPN”) then, in Android settings, set “Block connections without VPN”.
Now, there’s a warning message in the ExpressVPN app that states, “If ‘Block connections without VPN’ is enabled in Android Settings, split tunneling will not work” — but this is precisely what we want — as it appears that the only apps that have any network access at all now are the selected apps (Bromite, a QR code reader, and F-Droid, in my case.) Though this is not how split tunneling is designed to be used, I can confirm this does prevent unselected installed apps from accessing the network altogether, though I wonder if this also actually prevents system apps (and Google’s telemetry) from accessing the network……
I might mention, too, that one cannot use NetGuard and a VPN app together due to the limitations of the Android system.
That’s a good point, I’m trying that now. Seems to work. The nice thing about NetGuard is it’s basically a one-click setup. With the VPN split tunneling, I’m going to have to figure out the system apps that I can cut off and still have the device working by going through them one at a time. For anyone not already using a VPN with split tunneling, I’d say that NetGuard is the way to go.
Tried Simple SMS Messenger but for some reason it mis-displays the dates of many conversations (all seemingly having taken place on the same date in April 2021). Maybe a problem reading the SMS database correctly?
Another alternative (for the more courageous among us) would be to use Signal for SMS/MMS messaging. Though I think I can no longer import existing texts into Signal without a weird hack.
QKSMS, available on F-Droid. Works better than Simple SMS IMO.
Isn’t QKSMS abandonware at this point? Hasn’t been updated in ages.
Google up to their usual unethical shenanigans.
If this suprised you, your too ignorant to own a cell phone.
From the makers of Chrome comes… SPYWARE! Foisted upon all unsuspecting users.
What a surprise!
I wrote a very thorough comment on youtube for great alternatives to many apps and services for android phones and how to remove and/or null said apps and surprise surprise my comment was immediately deleted by youtube and not the channel itself.
You just can’t trust google and a lot of people seem to think we should just roll over and let google have their way with the internet and completely submit to their will… sounds like a recipe for disaster to me.
Google being unethical… why I never! Perish the thought!
Use CalyxOS or GrapheneOS. Problem solved!
Use CalyxOS or GrapheneOS. Problem solved! Has been flawless for me the last couple years now. Would never go back to stock.
Not if you need banking apps.
Why does everyone need a banking app? I keep all my financials on mobile browser only locked down Firefox or Tor. The only issue I run into is Mobile Deposits. And don’t forget about Progressive Web Apps. Some items I use the developer signs everything so it can all be validated but there is never an apk or anything to be installed. Simply PWA. One guy, CMU grad go figure, has PWA app that can now run as your photo gallery, note taking, media player,etc.
Oh, and completely 100% open source, all servers in EU, and green energy. Even built in shortcuts so Mac and Windows users can use their same keys for bold and all and the markdown encoding is just done WYSIWYG. There are many many more of these for a lot of good reasons. Like Uber has built PWA because with developing markets, the PWA is so small that the app PWA version can launch within 5 seconds on a 2G network. Not a typo, 2G. That is one thing Google will not get credit for though. While it was a market share item, Google has pushed developers to make phones and apps work on devices that someone in developing world on 2G/3G connection can use. It never gets the like Apple, Samsung, etc. but if you look at tradeshows for what is being brought into developing markets (and often kept away from the rest so they can remind you each year that the phone you bought last year is way outdated) , you will see a lot of good and a lot of scary.
This is one mess Google really did try to stay out of and did provide a method to get themselves out of the loop. The mechanism to get them out of it is in a whitepaper not directly related to this but if you look into their open source VPN documentation for keying infrastructure and how to pass the key/credential between independent parties, like one person as the A combo and other has the B, they never know each others, and cannot validate access without each other. There is a reason for this.
With losses of GDPR, their push for manufacturers and developers to make phones affordable in to people without much money and only 2G connections, 3G at best.
They started pushing in 2016. Messages was not a popular idea because it would be one more item in any anti-trust items later on. They would have to deal with a lot carriers in a lot of countries. They would be seen as big brother. Meanwhile Apple is claiming iPhone is privacy while it has been known for years that the encryption key to iMessages is stored in iCloud backups which Apple does have access to as court orders have shown as have other state actors. They wanted the carriers to do it themselves but there were issues over identity, encryption, etc. In 2019/2020 Google finally said ‘enough’, we will just push it ourselves. Back in 2016 when they started, was also when Facebook pushed out devices, false info spread, etc. and you had Burma start with the Rohingya genocides.
It became apparent there was never going to be encryption over SMS without Google themselves stepping in. Hopes for carriers was done, never could agree. Large platforms like WhatsApp had been bought out. Niche players had bands of users but nothing that could be used quick and easy from a ‘dumb’ phone.
No idea how this is going to play out. No one wants Google in charge of it including Google. They do not need this money and it it will only cause them trouble. They left themselves a way out in some of the white papers, I know the VPN ones you can look up. Not going much more into other ones in case they were related to some review or something or I would provide more but the VPN ones I know are out there and provide a decent picture off how Google can hand off the service.
Now the question, to who? Apple controls their own hardware and software and can’t keep their stuff locked down well at all. Government entity than you bring in questions of politics and judicial powers, etc. I have been watching this saga for 6+ years now and honestly feel like Google wants it in court and says here you go, you figure out how to manage encryption with 100s of parities fighting over how to do it and they just leave the room.
Thoughts? There is no right or wrong answer, no matter what way you go you are picking the lesser of 2 evils at some point in this line and Google is not the one who wants to be in this one.
Thanks for sharing. This is really helpful.
I also further wonder and suspect that the Phone Manufacturer may be Spying on those Calls and Text Messages by modifying those apps or some part/s of Android.
Likewise for your Cell Service Provider company, especially if the Phone is “Branded”. Sold by the given provider company. With some of their apps built in.
I really hate the lack of Privacy that has come to be.
Between the near complete control of the corporations. Both legal and functional.
And the apathy and lack of knowledge of the majority of the people.
I miss the days when anti-virus on your computer was a new thing and about all you needed. Or thought you did anyway.
Thank you so much for sharing this amazing piece of information. You’re doing really amazing job Keep it up
While it was a market share item, Google has pushed developers to make phones and apps work on devices that someone in the developing world on 2G/3G connection can use. It never gets the like Apple, Samsung, etc. but if you look at tradeshows for what is being brought into developing markets (and often kept away from the rest so they can remind you each year that the phone you bought last year is way outdated), you will see a lot of good and a lot of scary.
Nice article! It is helpful because sometimes we get unnecessary notifications. It will be helpful for people who want to turn on or off the notification in their androids.
I face the same problem. Please give me proper solution to resolve this thanks
Thanks for sharing. This is really useful!
It is important for app developers to ensure that their apps are transparent about the data they collect and how it is used. If users are not consenting to their data being shared or collected, it could be a violation of their privacy rights. It is recommended that users regularly review their privacy settings and be cautious about granting permissions to apps that collect or share their personal information. Additionally, it is important for app developers to prioritize user privacy and be transparent about how they use and protect user data.
Great Information, if this is true, it would be a serious concern as users should have control over their data and privacy.
It is important for app developers to ensure that their apps are transparent about the data they collect and how it is used. If users are not consenting to their data being shared or collected, it could be a violation of their privacy rights. It is recommended that users regularly review their privacy settings and be cautious about granting permissions to apps that collect or share their personal information. Additionally, it is important for app developers to prioritize user privacy and be transparent about how they use and protect user data.