Android smartphone manufacturers collect user information through pre-installed applications on their devices, even when users decline the data forwarding prompts, according to a research paper published this month.

Researchers from the University of Edinburgh and Trinity College Dublin tested smartphones from four major manufacturers to determine how much data they send back to the vendors.

“While occasional communication with OS servers is to be expected, the observed data transmission goes well beyond this and raises a number of privacy concerns,” researchers said.

The devices tested were from Samsung, Xiaomi, Huawei, and Realme and their vendor-specific operating systems were compared to LineageOS and /e/OS.

For consistency, the experiment assumed the devices were being used for calls and texts only, and researchers did not add any applications to the smartphones.

The study found that vendor-specific Android operating systems send substantial amounts of information to the OS developer and third parties from idle, minimally set up devices.

This data was transmitted despite researchers declining the “Do you want to improve the service by forwarding data” type prompts usually provided during the initial set up of devices.

While the study revealed that most of this information is sent to smartphone vendors, data was also sent to third parties such as Google, Microsoft, and Facebook.

Pre-installed apps from these third parties collect and transmit data even if never accessed on the device.

The researchers noted that Google apps and services — pre-installed on most Android devices — collect a lot more data than other third parties.

All four smartphones running vendor-specific software transmitted telemetry data and persistent identifiers used to identify users even after a phone number change and reset of the device.

The device’s serial number, IMEI code of the radio module, and SIM card number are persistent identifiers.

In addition, Xiaomi telemetry logs the start and end times of calls and other user interactions within the dialer app, and Microsoft’s Swiftkey keyboard (used on Huawei devices) logs interaction with the messaging app when sending a text.

Notably, LineageOS users can disable data transmission by disabling the option to send to developers, while /e/OS transmitted no information.

It is also important to discern this tracking data from the regular transfer of information such as device model and display size, which is the same for many devices.

It does become a privacy concern, however, when manufacturers and third-party developers are tracking specific user data, even when the user opts out of the feature — which seems to be ignored by developers.

The table below summarises data transmission from each Android OS variant.

Samsung Xiaomi Realme Huawei LineageOS /e/OS Google Long-lived device identifiers IMEIs, hardware serial numbers IMEIs, Secure deviceID, MD5 hash of Wi-Fi MAC address IMEI, device ID, guid hardware serial number, device RSA cert — — IMEI, hardware serial number, Wi-Fi MAC address Resettable identifiers relinkable to device Samsung consumer ID, Firebase IDs VAID, Google Ad ID VAID, OAID, device_id, registration, Google Ad ID, Firebase IDs — — — AndroidID, Google Ad ID Third-party system app data collectors Google, Mobile Operator, Microsoft, LinkedIn, Hiya Google, Mobile Operator, Facebook Google, Heytap Google, Daily Motion, Avast, Qihoo 360, Microsoft Google — — Main telemetry collectors (by data volume) Google, Samsung, Microsoft Google, Xiaomi Google, Heytap Google, Microsoft Google — — Loggers of app usage over time Samsung Google, Xiaomi — Google, Microsoft — — — Loggers of apps installed on handset Google, Samsung Google, Xiaomi Google, Realme, Heytap Google, Huawei Google — —

