Wednesday, December 20, 2023

Measuring the Data iOS and Android Send to Apple and Google

Douglas J. Leith (2021 PDF, via John Opdenakker, ArsTechnica)

We investigate what data iOS on an iPhone shares with Apple and what data Google Android on a Pixel phone shares with Google. We find that even when minimally configured and the handset is idle both iOS and Google Android share data with Apple/Google on average every 4.5 mins. The phone IMEI, hardware serial number, SIM serial number and IMSI, handset phone number etc are shared with Apple and Google. Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this. When a SIM is inserted both iOS and Google Android send details to Apple/Google. iOS sends the MAC addresses of nearby devices, e.g. other handsets and the home gateway, to Apple together with their GPS location. Users have no opt out from this and currently there are few, if any, realistic options for preventing this data sharing.


During the first 10 minutes of startup the Pixel handset sends around 1MB of data is sent to Google compared with the iPhone sending around 42KB of data to Apple.


The high frequency of network connections made by both iOS and Google Android (on average every 4.5 minutes) therefore potentially allow tracking by Apple and Google of device location over time.

Hopefully they aren’t logging.

Thomas Germain (January 2023, via Hacker News):

France’s data protection authority, CNIL, fined Apple €8 million (about $8.5 million) Wednesday for illegally harvesting iPhone owners’ data for targeted ads without proper consent.


Apple failed to “obtain the consent of French iPhone users (iOS 14.6 version) before depositing and/or writing identifiers used for advertising purposes on their terminals,” the CNIL said in a statement. The CNIL’s fine calls out the search ads in Apple’s App Store, specifically.


With iPhones running iOS 14.6 and below, Apple’s Personalized Advertising privacy setting was turned on by default, leaving users to seek out the control on their own if they wanted to protect their information. That violates EU privacy law, according to the CNIL. It doesn’t cross the Europe’s GDPR, though; the violation falls under the more obscure ePrivacy Directive of 2002.


6 Comments RSS · Twitter · Mastodon

iOS sending local MAC addresses is probably FindMy doing it’s thing.

The difference between Apple and Google is: at least for now, Apple is not selling the data, whereas Google does sell it to ~30 third party companies, including Microsoft, Facebook and the other usual suspects.

@Udo Do you have more info on Google selling this data?

Why isn’t Samsung studied here? Pixel phones have a tiny marketshare compared with Samsung. Sure -- a Samsung device includes the Google tracking described here, but also Samsung’s own data collection. They are a handset maker. What data are they collecting and sharing with 3rd parties?

@Udo @Michael The EFF has an older article on how Google shares, monetizes, and exploits their users’ data. Almost four years old now.

Leave a Comment