New study reveals iPhones aren't as private as you think

New report reveals iPhones aren't as individual as you call up

(Image credit: Tom's Guide)

Google's Android operating system is a privacy nightmare, a new study of cellphone data collection finds. Nonetheless it turns out Apple tree's iOS is a privacy nightmare besides.

"Both iOS and Google Android share data with Apple/Google on boilerplate every four.5 [minutes]," a enquiry newspaper published last week by Trinity College in Dublin says. "The 'essential' information collection is all-encompassing, and likely at odds with reasonable user expectations."

The all-time Android antivirus apps to go along your phone make clean
Why Apple iPhones don't need antivirus software
Plus: Windows 11 review - our verdict is in

Much of this data drove takes place afterward the phone is start turned on, earlier the user logs into an Apple tree or Google account, and fifty-fifty when all optional data-sharing settings are disabled.

"Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this," the newspaper adds. "Nonetheless, Google collects a notably larger volume of handset information than Apple."

Quantity vs. quality

The study, led past Douglas J. Leith of Trinity'southward School of Informatics & Statistics, plant that Android phones send roughly xx times as much data to Google servers as iPhones ship to Apple tree servers.

"During the first 10 minutes of startup, the [Google] Pixel handset sends around 1MB of data ... to Google compared with the iPhone sending around 42KB of data to Apple," the paper said.

"When the handsets are sitting idle, the Pixel sends roughly 1MB of information to Google every 12 hours compared with the iPhone sending 52KB to Apple."

All the same, the researchers' iPhone transmitted more kinds of information, including device location, the device's local Internet Protocol (IP) accost and the Wi-Fi network identifiers — the MAC addresses — of other devices on the local network, including abode Wi-Fi routers.

The Android phone did not send back those types of data. The implication is that Apple might exist collecting more than data about nearby devices than Google does.

"It takes only one device to tag the dwelling gateway [Wi-Fi router] MAC address with its GPS location and thereafter the location of all other devices reporting that MAC address to Apple is revealed," the study found.

The "sharing of these Wi-Fi MAC addresses" lets Apple, the paper said, build a "social graph" or human relationship map of all Apple devices on a local network, indicating how users of those devices "in the aforementioned household, role, shop [or] buffet" might know and acquaintance with each other.

Phones tin't stay tranquility, even when you're not using them

Both the iPhone and Android phone called habitation to Apple tree and Google servers every 4 or 5 minutes while the phones were left idle and unused for several days. The phones were powered on and plugged in, but the users had not yet logged into Apple or Google accounts.

Even when the iPhone user stayed logged out of their Apple account, the iPhone still sent identifying cookies to iCloud, Siri, the iTunes Store and Apple'south analytics servers while the iPhone was idle. Information technology also sent information near nearby devices sharing the same Wi-Fi network.

When location services were enabled on the iPhone, its latitude and longitude were transmitted to Apple servers.

On Android, information is sent to Google Play servers every 10 to twenty minutes even when the user is non logged in. Certain Google apps as well send information, including Chrome, Docs, Messaging, Search and YouTube, although only YouTube sends unique device identifiers.

Fifty-fifty when the iPhone user stayed logged out of their Apple business relationship, the iPhone still sent identifying cookies to iCloud, Siri, the iTunes Store and Apple'due south analytics servers while the iPhone was idle. It also sent data nigh nearby devices sharing the same Wi-Fi network.

Leith and his colleagues ignored what kind of data apps send back to servers, because many studies have been done on that already. Instead, the report focused on what kinds of data the core operating systems sent dorsum to Apple or Google servers.

"Much less attention has been paid to the information sharing by the handset operating organisation with the mobile Bone developer," the paper said. "To the all-time of our knowledge, at that place has been no previous systematic work reporting measurements of the content of messages sent between iOS and its associated backend servers."

The researchers studied network traffic from both types of phones during six scenarios: during initial startup subsequently a factory reset; when a SIM card was added or removed; during a prolonged idle country; during viewing of the settings screen; when enabling or disabling location services; and when logging into the App Shop or the Google Play store.

Researchers essentially staged a man-in-the-middle attack on the phones, setting up a laptop to serve every bit a Wi-Fi hotspot while disabling cellular connections on the phones.

Traffic from the phones ran through the laptop, which decrypted logged and analyzed data, then re-encrypted the data and sent information technology on its way to the destination servers.

A Google Pixel 2 and an Apple iPhone 8 side-by-side. — Researchers tested privacy using a Pixel 2 (left) and iPhone viii (right). (Image credit: Future/Shaun Lucas)

The phones used in the testing were an Apple tree iPhone 8 running iOS 13.6.1 and a Google Pixel two running Android 10. Both were jailbroken or rooted so that the researchers could add together new HTTPS server certificates matching those on the man-in-the-center laptop, permitting decryption of traffic.

The researchers said they were motivated to conduct this written report because of the COVID-19 contact-tracing apps that had attracted a lot of publicity in Europe, especially in the Uk and Ireland, in the past year. They establish that in the long run, there wasn't much difference between Android and iOS in terms of gathering user data.

"On an iPhone running a COVID contact-tracing app the information collection by Apple iOS is remarkably like to that by Google Play Services on Android phones," the paper said. "Users appear to have no option to disable this data collection past iOS."

Researchers get 'silence' from Apple

The Trinity College researchers reached out to both Apple and Google to notify them of the findings and seek comment.

"To date Apple have responded only with silence," the study paper said. "We sent iii emails to Apple'due south Manager of User Privacy, who declined even to acknowledge receipt of an electronic mail, and also posted an information asking at the Apple tree Privacy Enquiries contact page ... but have had no response."

Google did respond with what the researcher characterized as "a number of comments and clarifications," all incorporated into the written report, and said it "intend[ed] to publish public documentation on the telemetry data" it collected.

"This research outlines how smartphones work," a Google spokesperson told Tom's Guide post-obit our query. "Modern cars regularly send basic data about vehicle components, their safety status and service schedules to car manufacturers, and mobile phones work in very similar ways."

"This report details those communications, which assist ensure that iOS or Android software is upward to date, services are working as intended, and that the telephone is secure and running efficiently," the spokesperson added.

Co-ordinate to Google, the researchers' estimates of the volume of data sent by iOS devices to Apple tree servers does not business relationship for data sent from Apple servers back to iOS devices.

An Apple tree spokesperson told Tom's Guide that it, too, had bug with the written report, noting that the researchers seemed to get several sources of data confused. The spokesperson added that users' personal data was notwithstanding protected and could not be traced back to specific individuals.

So what tin you practise virtually this data drove?

"Currently at that place are few, if whatsoever, realistic options for preventing this information sharing," especially on iPhones, Leith concluded.

Android phones — or at least the Pixel that the researchers worked with — tin can be started with network connections disabled.

If the user then disables Google Play Services and the Google Play and YouTube apps before connecting to the network, "this prevented the vast bulk of the data sharing with Google," the paper said.

Those suddenly not-Google Android phones would demand to use other app stores, much as Amazon Fire tablets or Huawei phones do. (Connecting to Amazon or Huawei raises other privacy issues.)

But iPhone users are stuck, because their devices need a network connection to be activated.

If users "cull to use an iPhone," the report observed, "so they appear to have no options to prevent the data sharing that nosotros find."

Paul Wagenseil is a senior editor at Tom'due south Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting effectually in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown upward in random Goggle box news spots and even moderated a panel give-and-take at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.