Some of the most basic Android apps might be spying on you more than you’d think

Read Time:2 Minute, 40 Second

Google is constantly making improvements to the Play Store to prevent Android apps from spying on users but a new report claims that the company’s own apps have been collecting and sending user data back to the search giant.

In a new research paper, computer science professor at Trinity College Dublin, Douglas Leith has revealed that both Google Messages and Google Dialer have been sending data about user communications to the Google Play Services Clearcut logger service and to Google’s Firebase Analytics service.

While the data sent by Google Messages includes a hash of the message text that makes it possible to link the sender and receiver in a text message, the data sent by Google Dialer includes the time and duration of phone calls as well as the phone numbers themselves.

What’s particularly troubling about this is the fact that there are currently over three billion Android smartphones in use today and devices from Huawei, Samsung, Xiaomi and other smartphone makers often ship with Google Messages and Google Dialer pre-installed.

No opt-out notice

As part of his research into the matter, Leith made a Google Takeout request for his Google Account data associated with both Google Messages and Google Dialer. While Google did send over this data, the telemetry data observed by Leith wasn’t included.

These days most apps collect some data on their users but they also give them a way to opt-out to remain in compliance with GDPR, CCPA and other data protection laws. With Google’s own apps that come pre-installed on many Android smartphones, there is currently no ability to opt-out of data collection.

At the same time, the pre-installed versions of both apps lack app-specific privacy policies which explain what data gets collected. Although Google requires app-specific privacy policies from third-party apps, it’s own apps don’t need to meet this same requirement.

While Google Play Services collects some data for security and fraud prevention purposes and to maintain Google Play Services APIs and Google’s core services, the company does not provide details or explain why it collects message content data or data on callers and call recipients.

After sharing his findings with Google back in November of last year, Leith has participated in several conversations with the company’s director of Google Messages about making changes to the company’s pre-installed messaging app. In an email to The Register, he provided details on the changes the company has planned and how they may not do much when it comes to data collected by the search giant, saying:

“In particular, they say they will introduce a toggle within the Messages app to allow users to opt out of data collection but that this opt out will not cover data that Google considers to be ‘essential’ i.e. they will continue to collect some data even when users opt out. In my tests I had already opted out of Google data collection by disabling the Google ‘Usage and diagnostics’ option in the handset Settings, and so the data I reported on was already judged to be somehow essential by Google. I think we’ll have to wait and see.”