With the Messages and Dialer apps installed on billions of handsets around the world, the impact of the findings are extremely wide-reaching. While some may be slightly heartened by the fact that it is only a hash of message text that is shared with Google, it is not impossible to reverse the hashing and access the messages. Leith, the computer science professor behind the paper, told the Register:
According to a paper published by Douglas J Leith of Trinity College Dublin, the Android Messages and Dialer apps have been sending data back to Google. According to the paper, “What Data Do the Google Dialer and Messages Apps on Android Send to Google?” data is sent without the user’s knowledge or consent. It is also claimed that there is no way to opt out of the data sharing, which could be a violation of GDPR legislation. Phone numbers, call duration, message hashes, and other information are said to be shared with Google.
There is some good news. Leith approached Google with his paper late last year and the company has agreed to make various changes including providing users with more information and changing the way telemetry data is collected. A spokesperson for Google said: We welcome partnerships — and feedback — from academics and researchers, including those at Trinity College. We’ve worked constructively with that team to address their comments, and will continue to do so.”
I’m told by colleagues that yes, in principle this is likely to be possible. The hash includes an hourly timestamp, so it would involve generating hashes for all combinations of timestamps and target messages and comparing these against the observed hash for a match — feasible I think for short messages given modern compute power. We find that these apps tell Google when message/phone calls are made/received. The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange, and by Google Dialer the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google. In addition, the timing and duration of user interactions with the apps are sent to Google. There is no opt out from this data collection. The data is sent via two channels, the Google Play Services (i) Clearcut logger and (ii) Google/Firebase Analytics. This study is therefore one of the first to cast light on the actual telemetry data sent by Google Play Services, which to date has largely been opaque.