Don't buy Android phones from China, researchers warn, because they come pre-installed with apps that transfer sensitive data to third-party domains without permission or notification.
A study by Haoyu Liu (University of Edinburgh), Douglas Leith (Trinity College Dublin) and Paul Patras (University of Edinburgh) shows that personal data leaks pose a serious risk to mobile phone users in China, even when traveling abroad in China. Countries with strict privacy laws.
In an article titled "Android Privacy Under a Magnifying Glass – A Story from the East," researchers from three universities analyzed Android apps installed on phones from three popular Chinese smartphone manufacturers: OnePlus, Xiaomi, and Oppo Realme.
The researchers specifically analyzed data sent by the operating system and system applications to exclude user-installed programs. They believe that users have skipped analysis and customization, don't use cloud storage or additional third-party services, and haven't created an account on the platform run by the developer of the Android distribution. A sensible policy, but it doesn't seem to be helping much.
The pre-installed app bundle includes the AOSP Android package, manufacturer code, and third-party software. Every Android phone running Chinese firmware has more than 30 third-party packages installed, the document said.
These include Chinese input apps like Baidu Input, IflyTek Input and Sogou Input on Xiaomi Redmi Note 11. The OnePlus 9R and Realme Q3 Pro run Baidu Map and the AMap suite continuously in the background as the main navigation app. Also, several news, video streaming and online shopping apps are based on Chinese firmware.
Within this limited framework, the researchers found that Android phones from three vendors "send disturbing amounts of personal information (PII) not only to the device vendor, but also to service providers Baidu and Chinese mobile operators."
The tested phones did this when those network operators did not provide service; either the SIM card was missing or the SIM card was connected to a different network operator.
"The data we review includes persistent device identifiers (IMEI, MAC address, etc.), location identifiers (GPS coordinates, mobile network cell ID, etc.), user profiles (phone number, app usage pattern, app telemetry ) and include social media (calls/SMS/time history, contact phone number, etc.),” the researchers noted in their paper.
"Collectively, this information poses a serious threat to user anonymity and mass tracking, especially in China, where every phone number is registered with a citizen ID."
For example, the researchers said the Redmi phone sends mail requests to the URL "tracking.miui.com/track/v4" when the settings, notes, voice recorder and pre-installed apps on the phone are opened and used. , Messages and Camera. . Sent even if users don't choose to "send usage and diagnostic data" at device startup
Publish https://tracking.miui.com/track/v4
{"imsis": "[b2d5c6783e3fa6eef38ff1fc7dedfb10,]",...,
{"pkg": "com.xiaomi.smarthome","action". "
first_launch", "suitable": 1666816796000, ...},
{"pkg": "com.android.settings","ts". 1666818456958,"
duration': 1424, ...},
{"pkg": "com.miui.securityinputmethod", "ts".
1666818463544, "duration": 4706, ... },
{"pkg": "com.miui.notes","ts". 1666818784908,"stat".
"app_start",...}...}
Data collection on these devices does not change when the devices leave China, although jurisdictions outside of China have stronger data protection systems, the researchers said. Experts say this means phone service providers and third parties can track Chinese travelers and students abroad and learn about their overseas contacts.
Another finding of the researchers is that Chinese Android distributions have three to four times more third-party apps pre-installed than other countries' Android stocks. And these apps get 8 to 10 times more third-party app permissions than Android distributions outside of China.
"Overall, our findings paint a troubling picture of the state of user privacy in the world's largest Android market and highlight the need for tougher privacy controls to increase public trust in technology companies, many of which are partially state-owned," the statement concluded. the researchers. .
The Register has reached out to OnePlus, Xiaomi and Oppo Realme for comment, but we have not heard back. ®
.png "admin")
Post a Comment
Post a Comment