Android Messages and Dialer apps sent data to Google without consent
In a paper published by Douglas J Leith of Trinity College Dublin, it is claimed that the Messages and Dialer apps found in Android have been sending data back to Google. The paper, entitled "What Data Do The Google Dialer and Messages Apps On Android Send to Google?" says that data is sent without user knowledge or consent.
In what could be a breach of GDPR legislation, it is claimed that there is also no way to opt out of the data sharing. Among the data said to be shared with Google are phone numbers, call duration, hashes of messages and more.
With the Messages and Dialer apps installed on billions of handsets around the world, the impact of the findings is extremely wide-reaching. While some may be slightly heartened by the fact that it is only a hash of message text that is shared with Google, it is not impossible to reverse the hashing and access the messages.
Leith, the computer science professor behind the paper, told the Register:
I'm told by colleagues that yes, in principle this is likely to be possible. The hash includes an hourly timestamp, so it would involve generating hashes for all combinations of timestamps and target messages and comparing these against the observed hash for a match -- feasible I think for short messages given modern compute power.
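The reasoning in the quote above can be checked from the telemetry designer's side. This is an added example, not code from the paper or from Google: it shows that an unkeyed digest over an hourly timestamp plus a short message can be matched by testing candidates, while a digest keyed with a secret held only on the handset cannot. The SHA-256(hour|text) construction, the function names, and the sample message and candidate list are all assumptions made up for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

def hour_bucket(ts):
    # Coarse timestamp: the hour the message was sent, e.g. "2022032114".
    return ts.strftime("%Y%m%d%H")

def unkeyed_digest(ts, text):
    # ASSUMED construction (not taken from the paper): SHA-256(hour | text).
    return hashlib.sha256(f"{hour_bucket(ts)}|{text}".encode()).hexdigest()

def keyed_digest(key, ts, text):
    # Mitigation sketch: HMAC with a secret that never leaves the handset.
    return hmac.new(key, f"{hour_bucket(ts)}|{text}".encode(), hashlib.sha256).hexdigest()

def guessable(observed, digest_fn, candidates, day_start, hours=24):
    """Return (hour, text) pairs whose digest equals the observed value."""
    hits = []
    for h in range(hours):
        ts = day_start + timedelta(hours=h)
        hits += [(hour_bucket(ts), text) for text in candidates
                 if hmac.compare_digest(digest_fn(ts, text), observed)]
    return hits

# Constructed sample data, not real telemetry.
SENT_AT = datetime(2022, 3, 21, 14, 37, tzinfo=timezone.utc)
MESSAGE = "running late"
CANDIDATES = ["ok", "yes", "no", "call me", "running late", "on my way"]
DAY = SENT_AT.replace(hour=0, minute=0)

def review():
    # Unkeyed: anyone holding the digest can test candidates against it.
    weak = guessable(unkeyed_digest(SENT_AT, MESSAGE), unkeyed_digest, CANDIDATES, DAY)
    # Keyed: a party without the device key (modelled here by a different key)
    # cannot reproduce the digest for any candidate.
    device_key, other_key = secrets.token_bytes(32), secrets.token_bytes(32)
    strong = guessable(keyed_digest(device_key, SENT_AT, MESSAGE),
                       lambda ts, t: keyed_digest(other_key, ts, t), CANDIDATES, DAY)
    return weak, strong

if __name__ == "__main__":
    weak, strong = review()
    print("unkeyed digest matched:", weak)
    print("keyed digest matched:  ", strong)
```

With a separate key on each device, the sender's and receiver's digests for the same message also stop matching, so the digest can no longer be used to link the two handsets.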
Summarizing the findings, the paper concludes by saying:
We find that these apps tell Google when message/phone calls are made/received. The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange, and by Google Dialer the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google. In addition, the timing and duration of user interactions with the apps are sent to Google. There is no opt out from this data collection. The data is sent via two channels, the Google Play Services (i) Clearcut logger and (ii) Google/Firebase Analytics. This study is therefore one of the first to cast light on the actual telemetry data sent by Google Play Services, which to date has largely been opaque.
There is some good news. Leith approached Google with his paper late last year and the company has agreed to make various changes including providing users with more information and changing the way telemetry data is collected. A spokesperson for Google said:
We welcome partnerships -- and feedback -- from academics and researchers, including those at Trinity College. We've worked constructively with that team to address their comments, and will continue to do so.
You can read through the full paper here.