Google Silently Tracks Android Devices Even When No Apps Are Opened by the User

Recent research conducted by Professor D.J. Leith from Trinity College Dublin has shed light on the extensive data collection practices employed by Google on Android devices. This study reveals that significant amounts of user data are gathered even when users have not actively engaged with any Google applications.

For the first time, the research documents how pre-installed Google apps can silently track users without obtaining their consent or providing any opt-out options. The investigation focused on the various cookies, identifiers, and other data stored on Android devices through Google Play Services, the Google Play Store, and other native Google applications.

Measurements were taken using a Google Pixel 7 running Android 14, equipped with the latest versions of Google Play Services and the Google Play Store. The findings from the SCSS analysts indicate that Google servers initiate the storage of multiple tracking identifiers on devices immediately after a factory reset, prior to any user interaction with Google apps.

Among the identifiers collected are advertising analytics cookies, links designed to track advertisement views and clicks, as well as persistent device identifiers that can uniquely identify both the device and its user. Alarmingly, this data collection occurs without seeking user consent, and currently, there are no available options to prevent such tracking.

This behavior raises potential concerns regarding compliance with EU data privacy regulations, particularly the e-Privacy Directive and possibly the General Data Protection Regulation (GDPR).

Tracking Mechanisms Revealed

The study identified several specific tracking technologies utilized by Google. Notably, the Google Android ID, a persistent device identifier, is stored in multiple locations, including shared_prefs/Checkin.xml, and is transmitted during various connections to Google servers. This identifier remains active until a factory reset and is linked to the user’s Google account upon login.

Additionally, DSID advertising analytics cookies are sent from googleads.g.doubleclick.net and stored within the Google Play Services data folder. When users conduct searches in the Google Play Store, “sponsored” results incorporate tracking links that notify Google when clicked; the study shows the connections that fetch these search results with the ad tracking links embedded in them.

‘Sponsored’ results contain tracking links (Source – SCSS)

The research further documented Google’s use of NID cookies across various applications, server tokens for A/B testing, and multiple authorization tokens that effectively log users into numerous Google services without their explicit knowledge.

Google Play store app sending user interaction data to Google’s Firebase Analytics server region1.app-measurement.com (Source – SCSS)

Connections to Firebase Analytics servers were also observed transmitting user interaction data. Professor Leith remarked, “Users currently have little control over the data that apps store on an Android handset. The main mitigations are to disable Google Play Services or the Google Play Store app, but these are not practical options for most users.”
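
A defender reviewing a handset's decrypted traffic capture can check it for the cookie names and hosts named in this section. The following is an added example, not code from the study or from Google; the record format, the helper names (`audit`, `host_in`, `cookie_name`) and every sample record are constructed for illustration.

```python
# Added example: flag the identifiers named in the article in a traffic capture.
# Records are assumed to be already-decrypted HTTP responses (hypothetical format).
from typing import NamedTuple

TRACKING_COOKIES = {"DSID", "NID"}                 # cookie names from the article
AD_HOSTS = {"googleads.g.doubleclick.net"}         # DSID source named in the article
ANALYTICS_HOSTS = {"region1.app-measurement.com"}  # Firebase Analytics host named there


class Finding(NamedTuple):
    host: str
    kind: str
    detail: str


def host_in(host, domains):
    """Match exactly or on a label boundary, so look-alike hosts are not hits."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def cookie_name(set_cookie):
    """The cookie name is the text before the first '=' of the first ';' segment."""
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def audit(records):
    findings = []
    for rec in records:
        host = rec["host"]
        for name, value in rec["headers"]:
            if name.lower() != "set-cookie":       # header names are case-insensitive
                continue
            cname = cookie_name(value)
            if cname in TRACKING_COOKIES:
                kind = "ad-cookie" if host_in(host, AD_HOSTS) else "tracking-cookie"
                findings.append(Finding(host, kind, cname))
        if host_in(host, ANALYTICS_HOSTS):
            findings.append(Finding(host, "analytics-connection", rec["path"]))
    return findings


# Constructed sample capture: hosts come from the article, everything else is made up.
SAMPLE = [
    {"host": "googleads.g.doubleclick.net", "path": "/example",
     "headers": [("Set-Cookie", "DSID=CONSTRUCTED; Path=/; Secure; HttpOnly")]},
    {"host": "www.google.com", "path": "/example",
     "headers": [("set-cookie", "NID=CONSTRUCTED; Path=/; HttpOnly")]},
    {"host": "region1.app-measurement.com", "path": "/example", "headers": []},
    {"host": "region1.app-measurement.com.example", "path": "/",
     "headers": [("Set-Cookie", "session=CONSTRUCTED")]},
]
```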
