Google collects 20 times more telemetry from Android devices than Apple from iOS
Academic research published last week looked at the telemetry traffic sent by modern iOS and Android devices back to Apple and Google servers and found that Google collects around 20 times more telemetry data from Android devices than Apple from iOS.
The research, conducted by Professor Douglas J. Leith from Trinity College at the University of Dublin, analyzed traffic originating from iOS and Android devices heading to Apple and Google servers at various stages of a phone's operation, such as data shared:
- on first startup following a factory reset;
- when a SIM is inserted/removed;
- when a handset lies idle;
- when the settings screen is viewed;
- when location is enabled/disabled;
- when the user logs in to the pre-installed app store.
Prof. Leith said the research took into account that data could be collected by the operating system itself and by default apps provided by the OS makers —such as search (Siri, OkGoogle), cloud storage (iCloud, Google Drive), maps/location services (Apple Maps, Google Maps), photo storage/analytics (ApplePhoto, Google Photos)— and kept the two sources separate, focusing only on the operating systems' telemetry, left in their default states.
The study unearthed some uncomfortable results. For starters, Prof. Leith said that "both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this [option]."
Furthermore, "this data is sent even when a user is not logged in (indeed even if they have never logged in)," the researcher said.
The table below summarizes the main data points that test handsets sent to Apple and Google servers.
But while the Irish researcher found that Apple tends to collect more information data types from an iOS device, it was Google that collected "a notably larger volume of handset data."
"During the first 10 minutes of startup the Pixel handset sends around 1MB of data is sent to Google compared with the iPhone sending around 42KB of data to Apple," Prof. Leith said.
"When the handsets are sitting idle the Pixel sends roughly 1MB of data to Google every 12 hours compared with the iPhone sending 52KB to Apple i.e., Google collects around 20 times more handset data than Apple."
iOS and Android share data on average every 4.5 minutes
This data collection process takes place every 264 seconds on idle Apple devices and once 255 seconds on Android smartphones — which roughly equates to almost every four and a half minutes even when the handset is not being used.
But in addition to the idle state, the Irish researcher said that both operating systems also share data with their central servers when users are browsing their settings screens.
Furthermore, when a new SIM card is inserted into both iOS and Android devices, SIM details are shared with both Apple and Google almost immediately.
But Prof. Leith said that he also observed a number of pre-installed apps and services also making connections to both Apple and Google servers even before the apps were opened or used.
"In particular, on iOS these include Siri, Safari and iCloud and on Google Android these include the Youtube app, Chrome, Google Docs, Safety hub, Google Messaging, the Clock, and the Google Search bar," Prof. Leith said.
The University of Dublin professor says that this expansive data collection raises at least two major concerns. First, that the telemetry can be used to link physical devices to personal details, data that both companies are most likely exploiting for advertising purposes.
Second, that the telemetry collection process allows the OS makers to track users' location based on the IP address that connects and uploads device telemetry to their servers.
The researcher said that currently, there are very few, if any, realistic options for users to prevent telemetry collection from their devices.
Google disputes paper numbers
The Irish professor said he contacted both companies with his findings. Apple did not respond, while Google sent clarifications, which he incorporated into the paper. Google also told Prof. Leith that they intended to publish public documentation on the telemetry data they collect, but did not provide a date or deadline.
But in an email response on Monday, a Google spokesperson played down the paper's findings, and claimed the researcher found legitimate telemetry data that helps keep devices running smoothly.
This research outlines how smartphones work. Modern cars regularly send basic data about vehicle components, their safety status and service schedules to car manufacturers, and mobile phones work in very similar ways. This report details those communications, which help ensure that iOS or Android software is up to date, services are working as intended, and that the phone is secure and running efficiently.Google spokesperson
In addition, according to a Google source familiar with the research paper's review, the Android maker also disputed the paper's methodology, which they claim under-counted iOS' telemetry volume by excluding certain types of traffic, which Google believes resulted in skewed results that found Android devices collecting 20 times more data than iOS.
In a response after this article's publication, Apple echoed its rival's response.
"The report conflates a number of items in relation to different services and misunderstands how personal location data is protected," an Apple spokesperson told The Record. "Apple is not collecting data that can be associated with individuals without a user’s knowledge or consent."
Additional details are available in a research paper titled "Mobile Handset Privacy: Measuring The Data iOSand Android Send to Apple And Google," available as a downloadable PDF document.
Last year, in March 2020, the same professor also published a study analyzing the telemetry collected by web browsers. The study [PDF] found that Brave collected the smallest amount of data, while Microsoft's Edge and the Yandex Browser were at the opposite side of the spectrum.
Article updated on March 30: 16:25 ET with a response from Apple.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.