Android messages and dialer apps

Found at: gopher.erb.pw:70/roman/phlog2022/280.txt

Android messages and dialer apps quietly send data to Google

Trinity College Dublin’s Professor Douglas Leith recently released
a report called “What Data Do The Google Dialer and Messages
Apps on Android Send to Google?” (https://bit.ly/3iCvxa4). According
to the report, Google’s Messages and Dialer apps send data to
Google’s Firebase Analytics and Google Play Services Clearcut.
“The data sent by Google Messages includes a hash of the message
text, allowing linking of sender and receiver in a message exchange,”
the paper says. “The data sent by Google Dialer includes the call
time and duration, again allowing linking of the two handsets
engaged in a phone call. Phone numbers are also sent to Google.”
The apps are the default on many Android devices, including those
sold by US carriers T-Mobile and AT&T, and those offered by
OEMs such as Samsung, Xiaomi, and Huawei.
From the Messages app, Google gets a SHA256 hash generated from
the content and timestamp. The hash is hard to decipher, but Leith
believes it can be reversed, allowing the content of the message to
be recovered.
“I’m told by colleagues that yes, in principle this is likely to be
possible,” Leith said in an email to The Register
(https://bit.ly/36nWY55). “The hash includes an hourly timestamp,
so it would involve generating hashes for all combinations of
timestamps and target messages and comparing these against the
observed hash for a match – feasible I think for short messages
given modern compute power.”
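
The candidate-matching check Leith describes, as an added example
(not code from the paper or from Google). It shows why an unkeyed hash
of short text plus an hourly timestamp is not anonymisation, and how
a key held only on the device changes that. Assumptions: the input
layout "<hour>|<message>", the HMAC comparison, and all sample values
are constructed here; the page does not give the real encoding.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

def hour_bucket(ts):
    # The page says the hash includes an hourly timestamp.
    return ts.replace(minute=0, second=0, microsecond=0)

def encode(message, ts):
    # ASSUMED layout; the real input format is not stated on the page.
    return f"{hour_bucket(ts).isoformat()}|{message}".encode()

def telemetry_hash(message, ts):
    # Unkeyed SHA256: anyone holding a candidate text can recompute it.
    return hashlib.sha256(encode(message, ts)).hexdigest()

def keyed_hash(key, message, ts):
    # Comparison case (an assumption, not from the paper): HMAC with a
    # secret that never leaves the device.
    return hmac.new(key, encode(message, ts), hashlib.sha256).hexdigest()

def match_candidates(observed, candidates, start, hours, hash_fn=telemetry_hash):
    # Try every (hour, candidate) pair; return the pair that reproduces
    # the observed hash, or None.
    for h in range(hours):
        ts = start + timedelta(hours=h)
        for msg in candidates:
            if hmac.compare_digest(hash_fn(msg, ts), observed):
                return msg, hour_bucket(ts)
    return None

# Constructed sample data.
CANDIDATES = ["ok", "on my way", "call me", "running late"]
SENT_AT = datetime(2022, 3, 1, 14, 37, tzinfo=timezone.utc)
DAY_START = datetime(2022, 3, 1, tzinfo=timezone.utc)
DEVICE_KEY = b"constructed-device-secret"

def audit():
    plain = telemetry_hash("on my way", SENT_AT)
    keyed = keyed_hash(DEVICE_KEY, "on my way", SENT_AT)
    return {
        # 24 hours x 4 candidates = 96 hashes is enough to match.
        "unkeyed": match_candidates(plain, CANDIDATES, DAY_START, 24),
        # Without the device key the same search finds nothing.
        "keyed": match_candidates(keyed, CANDIDATES, DAY_START, 24),
    }

if __name__ == "__main__":
    print(audit())
```
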
From the Dialer app, Google logs outgoing and incoming calls,
as well as the time and duration of calls.
Leith’s research paper states that Google Play Services discloses
that it collects some data for security purposes, to prevent
fraud, and for other maintenance reasons. However, it does not detail
exactly what is collected from the Dialer and Messages apps.
In November, Leith made his findings and recommendations known to
Google. Google has since made some changes. Still, he is not
confident that the data collection from these apps complies with
GDPR, and he is also not confident that the changes made addressed
all his concerns.