
Android OS Privacy Under the Loupe -- A Tale from the East (2302.01890v1)

Published 3 Feb 2023 in cs.CR

Abstract: China is currently the country with the largest number of Android smartphone users. We use a combination of static and dynamic code analysis techniques to study the data transmitted by the preinstalled system apps on Android smartphones from three of the most popular vendors in China. We find that an alarming number of preinstalled system, vendor and third-party apps are granted dangerous privileges. Through traffic analysis, we find these packages transmit to many third-party domains privacy sensitive information related to the user's device (persistent identifiers), geolocation (GPS coordinates, network-related identifiers), user profile (phone number, app usage) and social relationships (e.g., call history), without consent or even notification. This poses serious deanonymization and tracking risks that extend outside China when the user leaves the country, and calls for a more rigorous enforcement of the recently adopted data privacy legislation.

Summary

  • The paper reveals that Chinese Android firmware frequently over-privileges pre-installed apps by granting dangerous permissions without user consent.
  • The paper uncovers that devices transmit sensitive PII—including IMEI, location, and social data—without user knowledge via persistent background apps.
  • The paper highlights significant regional privacy differences, urging smartphone vendors and regulators to address data collection practices.

Analysis of Android OS Privacy in China: Key Findings and Implications

This paper examines Android OS privacy in the Chinese market, focusing on smartphones from popular vendors such as Xiaomi, Realme, and OnePlus. The research combines static and dynamic analysis techniques to investigate how the pre-installed system apps on these devices transmit data. It reports several significant findings with implications for both users and policymakers.

First, the research identifies a vast number of preinstalled applications—especially third-party apps—on the devices intended for the Chinese market. These third-party packages are found to request significantly more permissions compared to their counterparts in the global firmware versions. Notably, these permissions often include so-called "dangerous" permissions that are granted by default, without explicit user consent. This observation indicates a propensity towards over-privileging in Chinese Android distributions, which aligns with previous findings in global firmware studies.
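A check for the over-privileging described above, as an added example that is not code from the paper: it parses package-manager output and lists preinstalled (SYSTEM-flagged) packages that hold dangerous permissions granted by default. The sample dump is constructed and simplified from the layout of `adb shell dumpsys package`, and the category mapping is an assumption based on the data types named in the abstract.

```python
import re

# Dangerous permissions grouped by the data categories named in the abstract
# (the mapping itself is an assumption made for this example).
CATEGORIES = {
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.READ_PHONE_NUMBERS": "user profile",
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.ACCESS_COARSE_LOCATION": "geolocation",
    "android.permission.READ_CALL_LOG": "social relationships",
    "android.permission.READ_SMS": "social relationships",
    "android.permission.READ_CONTACTS": "social relationships",
}

# Constructed sample, simplified from the layout of `adb shell dumpsys package`.
SAMPLE_DUMP = """\
Package [com.vendor.analytics] (1a2b3c):
    pkgFlags=[ SYSTEM HAS_CODE ]
    runtime permissions:
      android.permission.READ_CALL_LOG: granted=true, flags=[ GRANTED_BY_DEFAULT ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ SYSTEM_FIXED|GRANTED_BY_DEFAULT ]
      android.permission.CAMERA: granted=false, flags=[ ]
Package [com.example.userapp] (4d5e6f):
    pkgFlags=[ HAS_CODE ALLOW_BACKUP ]
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
Package [com.vendor.weather] (7a8b9c):
    pkgFlags=[ SYSTEM HAS_CODE ]
    runtime permissions:
      android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^Package \[([^\]]+)\]")
FLAGS_RE = re.compile(r"^\s*pkgFlags=\[(.*)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false), flags=\[(.*)\]")

def audit(dump):
    """Map each preinstalled package to its default-granted dangerous permissions."""
    findings = {}
    pkg, is_system = None, False
    for line in dump.splitlines():
        if m := PKG_RE.match(line):
            pkg, is_system = m.group(1), False   # new package block starts
        elif m := FLAGS_RE.match(line):
            is_system = "SYSTEM" in m.group(1).split()
        elif (m := PERM_RE.match(line)) and pkg and is_system:
            perm, granted, flags = m.groups()
            by_default = "GRANTED_BY_DEFAULT" in re.split(r"[|\s]+", flags)
            if granted == "true" and by_default and perm in CATEGORIES:
                findings.setdefault(pkg, []).append((perm, CATEGORIES[perm]))
    return findings
```

Permissions the user granted interactively (`USER_SET`) and packages without the `SYSTEM` flag are deliberately excluded, so the result isolates grants that never passed through a consent prompt.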

Secondly, the paper uncovers alarming patterns in the collection and transmission of Personally Identifiable Information (PII). These devices regularly transmit sensitive information—such as IMEI, location data (e.g., GPS coordinates, cell location information), user profiles (including phone numbers and usage telemetry), and even social relationship data (call and SMS history)—to various backend servers. These transmissions often occur without user knowledge or explicit consent, facilitated by pre-installed apps that run persistently in the background.
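One common way to spot such transmissions during dynamic analysis, shown as an added example and not the paper's own tooling: search decrypted request bodies for the test device's known identifiers in plain, base64 and hashed form. The device values, hosts and request bodies are all constructed for illustration.

```python
import base64
import hashlib
import json

# Ground-truth identifiers of the test device (constructed values).
DEVICE = {"imei": "490154203237518", "phone": "+8613800000000"}

def encodings(value):
    """Forms in which an identifier commonly appears on the wire."""
    raw = value.encode()
    return {
        "plain": value,
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

# Constructed request bodies standing in for decrypted captured traffic.
FLOWS = [
    {"host": "stats.thirdparty.example",
     "body": json.dumps({"did": DEVICE["imei"], "lat": 39.9042, "lon": 116.4074})},
    {"host": "ads.tracker.example",
     "body": "uid=" + hashlib.md5(DEVICE["imei"].encode()).hexdigest().upper() + "&os=android"},
    {"host": "push.sdk.example",
     "body": "p=" + base64.b64encode(DEVICE["phone"].encode()).decode()},
    {"host": "update.vendor.example", "body": "model=X1&build=12"},
]

def find_leaks(flows, device=DEVICE):
    """Return (host, field, encoding) for every identifier found in a body."""
    hits = []
    for flow in flows:
        body = flow["body"]
        for field, value in device.items():
            for enc, needle in encodings(value).items():
                # Hex digests are matched case-insensitively; base64 is case-sensitive.
                haystack = body.lower() if enc in ("md5", "sha256") else body
                if needle in haystack:
                    hits.append((flow["host"], field, enc))
    return hits
```

A hashed identifier is still a persistent identifier: the same device produces the same digest on every request, so the second flow is as linkable as the first.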

Thirdly, the research highlights the significant regional differences in privacy practices. While the collection of device-specific PII is common across both Chinese and global firmware, the scope of geolocation, user profile, and social relationship data is substantially broader in Chinese Android distributions. The paper notes that these behaviors pose serious risks of user deanonymization and data privacy breaches, potentially affecting users traveling outside China, where stricter data protection laws may apply.

The findings from this paper have critical implications for several stakeholders:

  1. Android Users in China: Users should be aware of the extensive data collection practices associated with the pre-installed apps on their devices. The lack of transparency and user control over these data collection processes suggests a need for increased user vigilance and demand for better data privacy practices from manufacturers.
  2. Smartphone Vendors: The exposure of privacy issues in Chinese firmware prompts smartphone vendors to re-evaluate their data collection policies and practices, especially in ensuring compliance with regional privacy regulations such as China's Personal Information Protection Law.
  3. Policy Makers and Regulators: The research calls on regulatory bodies to enforce more stringent data privacy controls, ensuring that data collection practices do not infringe on user privacy rights. These findings could inform ongoing and future legislation aimed at protecting user privacy in digital contexts.
  4. Future Research: The paper opens avenues for further research into privacy practices across different regions and the development of tools to enhance user awareness and control over personal data collection by mobile devices.

In conclusion, the paper underscores a critical need for enhanced transparency and user control in the data collection practices of Android devices in China. Such research offers valuable insight into protecting data privacy and security for a large user base, and points to the urgency of reform in smartphone vendors' practices and of heightened vigilance among users.
