Android Messages and Dialer apps allegedly sent data to Google without consent
In the research paper "What Data Do The Google Dialer and Messages Apps On Android Send to Google?", Trinity College professor Douglas J. Leith claims that the Google applications Messages and Dialer are sending data to Google without user consent.
Both applications are installed on over a billion Android devices each. Google Messages is the default messaging application that many manufacturers and mobile phone companies ship as the default application for messaging on their devices. The same is true for Dialer, as it is the default phone application on many Android devices.
The paper notes that Google does not provide specific privacy policies for the two applications in question, even though Google requires that third-party developers do provide privacy policies. The applications link to Google's generic consumer privacy policy only.
The researcher analyzed the data that the Google Messages and Google Dialer applications sent to Google on Android handsets. According to the research paper, linked here the following data is sent when the Messages application sends or receives messages
When an SMS message is sent/received the Google Messages app sends a message to Google servers recording this event, the time when the message was sent/received and a truncated SHA256 hash of the message text. The latter hash acts to uniquely identify the text message. The message sender’s phone number is also sent to Google, so by combining data from handsets exchanging messages the phone numbers of both are revealed
Google Messages submits data about the event, including the time messages were received or sent, a truncated hash of the message text, and the sender's phone number, to Google. The hash may identify the message according to the researcher, and if Google Messages is used on both handsets, Google gets both phone numbers involved in the conversation.
Google Dialer sends similar logs to Google. The data includes the time and the call duration according to the research paper.
When a phone call is made/received the Google Dialer app similarly logs this event to Google servers together with the time and the call duration.
The data that is sent to Google "is tagged with the handset Android ID" according to the researcher. The ID is linked to Google user accounts and thus the identify of the user.
Additionally, both applications submit data about user interactions within the applications. Nature and timings of interactions, e.g., viewing an app screen, searching contacts, or browsing an SMS conversation, are also submitted to Google according to the paper.
If "See caller and spam ID" is enabled, which it is by default, Google Dialer sends the phone number of each incoming call and the time of the call to Google as well.
The applications have no opt-out that prevents the data from being submitted to Google.
The data is sent to Google via the Google Play Services Clearcut logger service and Google/Firebase Analytics according to the researcher.
The Google Messages and Dialer apps send data to Google via two channels: (i) the Google Play Services Clearcut logger service and (ii) Google/Firebase Analytics. Recent Android measurement studies have noted the large volume of data sent by Google Play Services to Google servers on most Android handsets. A substantial component of this data is sent by the Clearcut logger service within Google Play Services. However, the data transmission is largely opaque, being binary encoded with little public documentation.
The Register received confirmation by Google that the "paper's representations [..] are accurate". Additional details, including information about the test setup and code, are available in the research paper.
Android users may switch to different applications that may take over the tasks of the default applications. For instance, Simple Dialer: Phone Calls, as a replacement for the Google Dialer application, and Simple SMS Messenger. as a replacement for Google Messages.
Now You: which dialer and messaging apps do you use?
Thanks for the tip Martin.
It is for these kinds of posts that I follow GHacks.
What’s up with the generic comment, are you a bot?
2G?
Where on the planet is that still in use? I was forced to give up using my RAZRV3 years ago because 2G was phased out by AT&T.
Everywhere 3G has been turned off and you don’t have LTE coverage, and believe me there are many developed countries where this is the case and if it weren’t for 2G you wouldn’t even be able to make a phone call.
Maybe I missed it, but I don’t believe tha term “2G” is in the article. Perhaps you are referring to “AGM G2”??
@Martin
Your website has gone insane.
When I the post button I then saw my comment posted on a different article page. When I opened this article again, it is here.
@Tachy @Martin Brinkmann
” Your website has gone insane. ”
Same here. Has happened several times.
@Tachy,
@Martin P.,
For over two weeks now,
I’ve been seeing “Comments” posted by subscribers appearing in different, unrelated articles.
https://www.ghacks.net/windows-11-update-stuck-fixed-for-good/#comment-4572991
https://www.ghacks.net/windows-11-update-stuck-fixed-for-good/#comment-4572951
For the time being,
it would be better to specify the “article name and URL” at the beginning of the post.
@tachy a lot of non-phone devices with a sim in them rely on 2G, at least here in europe.
Usually things reporting usage or errors/alarms on something remote that does not get day to day inspection in person. They are out there in vast numbers doing important work. Reliable, good range. The low datarate is no problem at all in those cases.
3G is gone or on its last legs everywhere, but this stuff still has too much use to cancel.
Anyhow, interesting that they would put that in. I can see the point if you suspect a hostile 2G environment (amateur eavesdroppers with laptop, ranging up to professional grade MITM fake towers while “strangely” not getting the stronger crypto voip 4G because it is being jammed, and back down to something as old ‘stingray’ devices fallen into the wrong hands).
But does this also mean that they have handled and rolled out a fix for that nasty 4G ‘pwn by broadcast’ problem you reported earlier this year? I had 4G disabled due to that, on the off chance that some of the local criminals would buy some cheap chinese gear, download a working exploit and probe every phone in range all over town in the hope of getting into phones of the police.
>”While most may never be attacked in stingrays, it is still recommended to disable 2G cellular connections, especially since it does not have any downsides.”
The downside would be losing connectivity. I spend a lot of time way out in the countryside where there’s often no service or almost none. My network allows 2G, and I need it sometimes. I have an option on the phone to disable 2G, I may do that when I’m in the city and I have good 5G connectivity, but not out in the country.
I would imagine that the stingray exploits, like most of the bad things in this world, are probably things you will run into in the crowded big cities.
I stopped using it in a mobile (Wi-Fi line) environment, so I’m almost ignorant of the actual situation,
But the recent reality in Japan makes me realize that “the infrastructure of the web is nothing more than a papier-mâché fiction”.
https://www.ghacks.net/2023/08/17/google-chrome-to-enable-https-first-by-default-for-all-users/#comment-4572402
It is already beyond the scope of what an individual can do.
What we should be aware of is the reality that “governments and those in power want to control the world through the Web”, and efforts to counter (resist and prevent) such ambitions are necessary.
Why do you want people to disable the privacy features? Hmmmmm?
Now You: do you plan to keep the Ads privacy features enabled?
I’d like to tell you, but apparently if you make a post critical of Google, you get censored. * [Editor: removed, just try to bring your opinion across without attacking anyone]
@Martin
You website is still psychotic. Comments attach to random stories.
@Martin please do fix the comments, it’s completely insane commenting here! :[
@Martin
The comments are seriously messed up on gHacks now. These comments are mixed with the article at the below URL.
https://www.ghacks.net/2023/08/18/android-how-to-disable-2g-cellular-connections-to-improve-security/
And comments on other articles are from as far back as 2010.
What does this article has anything to do with all the comments on this article? LOL I think this Websuite is ran by ChatGPT. every article is messed up. Some older comments from 2015 shown up in recant articles, LOL
The picture captioned “Clearing the Android Auto’s cache might resolve the issue” is from Apple Carplay ;)
How about other things that matter:
Drop survival?
Screen toughness?
Degree of water and dust protection?