Messages and Dialer apps for Android are said to have transferred data to Google without permission

Messages and Dialer apps for Android are said to have transferred data to Google without permission

The paper notes that Google does not provide specific privacy policies for the two applications in question, even though Google requires that third-party developers do provide privacy policies. The applications link to Google’s generic consumer privacy policy only. The researcher analyzed the data that the Google Messages and Google Dialer applications sent to Google on Android handsets. According to the research paper, linked here the following data is sent when the Messages application sends or receives messages

According to Trinity College professor Douglas J. Leith’s study article “What Data Do The Google Dialer and Messages Apps for Android Send to Google?” the Google applications Messages and Dialer are transferring data to Google without user authorization. Android-dialer messages data transmission Both apps have nearly a billion Android smartphones installed between them. Many manufacturers and mobile phone carriers distribute Google Messages as the default messaging application on their handsets. Dialer, which is the default phone software on many Android smartphones, is the same way.

Highlights

  • Google Messages submits data about the event, including the time messages were received or sent, a truncated hash of the message text, and the sender’s phone number, to Google. The hash may identify the message according to the researcher, and if Google Messages is used on both handsets, Google gets both phone numbers involved in the conversation. Google Dialer sends similar logs to Google. The data includes the time and the call duration according to the research paper. When a phone call is made/received the Google Dialer app similarly logs this event to Google servers together with the time and the call duration.

  • When an SMS message is sent/received the Google Messages app sends a message to Google servers recording this event, the time when the message was sent/received and a truncated SHA256 hash of the message text. The latter hash acts to uniquely identify the text message. The message sender’s phone number is also sent to Google, so by combining data from handsets exchanging messages the phone numbers of both are revealed

The applications have no opt-out that prevents the data from being submitted to Google. The data is sent to Google via the Google Play Services Clearcut logger service and Google/Firebase Analytics according to the researcher. The Google Messages and Dialer apps send data to Google via two channels: (i) the Google Play Services Clearcut logger service and (ii) Google/Firebase Analytics. Recent Android measurement studies have noted the large volume of data sent by Google Play Services to Google servers on most Android handsets. A substantial component of this data is sent by the Clearcut logger service within Google Play Services. However, the data transmission is largely opaque, being binary encoded with little public documentation.

The data that is sent to Google “is tagged with the handset Android ID” according to the researcher. The ID is linked to Google user accounts and thus the identify of the user. Additionally, both applications submit data about user interactions within the applications. Nature and timings of interactions, e.g., viewing an app screen, searching contacts, or browsing an SMS conversation, are also submitted to Google according to the paper. If “See caller and spam ID” is enabled, which it is by default, Google Dialer sends the phone number of each incoming call and the time of the call to Google as well.

The Register received confirmation by Google that the “paper’s representations [..] are accurate”. Additional details, including information about the test setup and code, are available in the research paper. Android users may switch to different applications that may take over the tasks of the default applications. For instance, Simple Dialer: Phone Calls, as a replacement for the Google Dialer application, and Simple SMS Messenger. as a replacement for Google Messages.