Surprise! China's top Android phones collect way more info

Best to revisit that plan to bring home a cheap OnePlus, Xiaomi, Oppo, or Realme handset from your holiday


Don't buy an Android phone in China, boffins have warned, as they come crammed with preinstalled apps transmitting privacy-sensitive data to third-party domains without consent or notice.

The research, conducted by Haoyu Liu (University of Edinburgh), Douglas Leith (Trinity College Dublin), and Paul Patras (University of Edinburgh), suggests that private information leakage poses a serious tracking risk to mobile phone customers in China, even when they travel abroad in countries with stronger privacy laws.

In a paper titled "Android OS Privacy Under the Loupe – A Tale from the East," the trio of university boffins analyzed the Android system apps installed on the mobile handsets of three popular smartphone vendors in China: OnePlus, Xiaomi and Oppo Realme.

The researchers looked specifically at the information transmitted by the operating system and system apps, in order to exclude user-installed software. They assume users have opted out of analytics and personalization, do not use any cloud storage or optional third-party services, and have not created an account on any platform run by the developer of the Android distribution. A sensible policy, but it doesn't seem to help much.

The pre-installed set of apps consists of Android AOSP packages, vendor code and third-party software. There are more than 30 third-party packages in each of the Android handsets with Chinese firmware, the paper says.

These include Chinese input apps like Baidu Input, IflyTek Input and Sogou Input on the Xiaomi Redmi Note 11. On the OnePlus 9R and Realme Q3 Pro, there's Baidu Map as a foreground navigation app and the AMap package, which runs continuously in the background. And there are also various news, video streaming, and online shopping apps bundled into the Chinese firmware.

Within this limited scope, the researchers found that Android handsets from the three named vendors "send a worrying amount of Personally Identifiable Information (PII) not only to the device vendor but also to service providers like Baidu and to Chinese mobile network operators."

The tested phones did so even when these network operators were not providing service – no SIM card was present or the SIM card was associated with a different network operator.

"The data we observe being transmitted includes persistent device identifiers (IMEI, MAC address, etc.), location identifiers (GPS coordinates, mobile network cell ID, etc.), user profiles (phone number, app usage patterns, app telemetry), and social connections (call/SMS history/time, contact phone numbers, etc.)," the researchers state in their paper.

"Combined, this information poses serious risks of user deanonymization and extensive tracking, particularly since in China every phone number is registered under a citizen ID."

As an example, the researchers claim that the Redmi phone sends POST requests to the URL "tracking.miui.com/track/v4" whenever the preinstalled Settings, Note, Recorder, Phone, Message and Camera apps are opened and used. Data is sent even if users opt out of "Send Usage and Diagnostic Data" during device startup.

POST https://tracking.miui.com/track/v4
{ "imsis": "[b2d5c6783e3fa6eef38ff1fc7dedfb10,]", ..,
  {"pkg": "com.xiaomi.smarthome", "action": "first_launch", "fit": 1666816796000, ...},
  {"pkg": "com.android.settings", "ts": 1666818456958, "duration": 1424, ...},
  {"pkg": "com.miui.securityinputmethod", "ts": 1666818463544, "duration": 4706, ...},
  {"pkg": "com.miui.notes", "ts": 1666818784908, "stat": "app_start", ...} ...}
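For readers who want to check their own firmware the way the researchers did, here is an added Python example (not the paper's tooling, and not code from any of the vendors named) that classifies the fields of a captured telemetry request body against the four PII categories the paper lists: persistent device identifiers, location identifiers, user profiles and social connections. The key-to-category mapping and the "events" wrapper key are assumptions; the sample request is constructed from the shape of the capture shown above, and the host, package names and timestamps are the ones the article quotes.

```python
"""Added example: classify a captured telemetry request body against the
PII categories named in the paper. Not the researchers' code; the field
names are assumptions and the sample request is constructed."""
import json
from urllib.parse import urlparse

# Key names that map onto each PII category. ASSUMED: real firmware uses
# vendor-specific keys, so extend these sets from your own captures.
PII_TAXONOMY = {
    "persistent device identifier": {"imei", "imsi", "imsis", "mac", "android_id", "serial"},
    "location identifier": {"gps", "lat", "lon", "cell_id", "lac"},
    "user profile": {"phone", "msisdn", "pkg", "ts", "duration", "action", "stat", "fit"},
    "social connection": {"contacts", "call_log", "sms"},
}

# Constructed sample modelled on the request shown in the article. The
# "events" wrapper key is an assumption: the article elides it with "..".
SAMPLE_REQUEST = {
    "method": "POST",
    "url": "https://tracking.miui.com/track/v4",
    "body": {
        "imsis": "[b2d5c6783e3fa6eef38ff1fc7dedfb10,]",
        "events": [
            {"pkg": "com.xiaomi.smarthome", "action": "first_launch", "fit": 1666816796000},
            {"pkg": "com.android.settings", "ts": 1666818456958, "duration": 1424},
            {"pkg": "com.miui.notes", "ts": 1666818784908, "stat": "app_start"},
        ],
    },
}


def flatten(obj, prefix=""):
    """Yield (json_path, leaf_value) for every scalar in a nested object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from flatten(value, f"{prefix}[{index}]")
    else:
        yield prefix, obj


def leaf_name(path):
    """Last key of a path: 'events[0].pkg' -> 'pkg', 'imsis' -> 'imsis'."""
    return path.rsplit(".", 1)[-1].split("[", 1)[0]


def audit_request(method, url, body, analytics_opt_out=True):
    """Report which PII categories a request carries and to which host.

    body may be a dict or a JSON string. 'sent_despite_opt_out' is True when
    PII leaves the device although the user declined usage/diagnostic data
    sharing, which is the behaviour the researchers observed.
    """
    if isinstance(body, str):
        body = json.loads(body)
    host = urlparse(url).hostname or ""
    categories = {}
    for path, _value in flatten(body):
        name = leaf_name(path).lower()
        for category, keys in PII_TAXONOMY.items():
            if name in keys:
                categories.setdefault(category, []).append(path)
    return {
        "method": method,
        "host": host,
        "categories": categories,
        "sent_despite_opt_out": bool(analytics_opt_out and categories),
    }


def summarize(report):
    """One-line finding suitable for a log or ticket."""
    cats = ", ".join(sorted(report["categories"])) or "no PII"
    flag = " (sent despite opt-out)" if report["sent_despite_opt_out"] else ""
    return f"{report['method']} to {report['host']}: {cats}{flag}"


if __name__ == "__main__":
    report = audit_request(SAMPLE_REQUEST["method"], SAMPLE_REQUEST["url"], SAMPLE_REQUEST["body"])
    print(summarize(report))
    print(json.dumps(report, indent=2))
```

Feed it request bodies decoded from a proxy capture taken while the phone sits idle with analytics declined and no account signed in (the paper's own test conditions); anything the audit flags is data the device had no stated reason to send. Note that a hashed identifier such as the 32-hex value above is still classed as a persistent device identifier, since a stable hash of an IMSI tracks the device just as well as the IMSI itself.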

The data collection from these devices doesn't change when the devices exit China, the researchers say, even though jurisdictions beyond the Middle Kingdom enforce more robust data protection regimes. And the boffins argue that this means the cited phone vendors and some third parties can track Chinese travelers and students abroad and learn something about their foreign contacts.

Another of the researchers' findings is that there are three to four times more pre-installed third-party apps on Chinese Android distributions than there are on basic Android from other nations. And these third-party apps are granted eight to 10 times as many permissions as their counterparts on Android distributions from outside China.

"Overall, our findings paint a troubling picture of the state of user data privacy in the world’s largest Android market, and highlight the urgent need for tighter privacy controls to increase the ordinary people’s trust in technology companies, many of which are partially state-owned," the researchers conclude.

The Register asked OnePlus, Xiaomi and Oppo Realme to comment but we've not heard back. ®
