New study reveals iPhones aren't as private as you think


Google's Android operating system is a privacy nightmare, a new study of cellphone data collection finds. Yet it turns out Apple's iOS is a privacy nightmare too.

"Both iOS and Google Android share data with Apple/Google on average every 4.5 [minutes]," a research paper published last week by Trinity College in Dublin says. "The 'essential' data collection is extensive, and likely at odds with reasonable user expectations."

Much of this data collection takes place after the phone is first turned on, before the user logs into an Apple or Google account, and even when all optional data-sharing settings are disabled.

"Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this," the paper adds. "However, Google collects a notably larger volume of handset data than Apple."

Quantity vs. quality

The study, led by Douglas J. Leith of Trinity's School of Computer Science & Statistics, found that Android phones send roughly 20 times as much data to Google servers as iPhones send to Apple servers. 

"During the first 10 minutes of startup, the [Google] Pixel handset sends around 1MB of data ... to Google compared with the iPhone sending around 42KB of data to Apple," the paper said.

"When the handsets are sitting idle, the Pixel sends roughly 1MB of data to Google every 12 hours compared with the iPhone sending 52KB to Apple."

However, the researchers' iPhone transmitted more kinds of data, including device location, the device's local Internet Protocol (IP) address and the Wi-Fi network identifiers — the MAC addresses — of other devices on the local network, including home Wi-Fi routers. 

The Android phone did not send back those types of data. The implication is that Apple might be collecting more data about nearby devices than Google does.

"It takes only one device to tag the home gateway [Wi-Fi router] MAC address with its GPS location and thereafter the location of all other devices reporting that MAC address to Apple is revealed," the study found. 

The "sharing of these Wi-Fi MAC addresses" lets Apple, the paper said, build a "social graph" or relationship map of all Apple devices on a local network, indicating how users of those devices "in the same household, office, shop [or] cafe" might know and associate with each other.

Phones can't stay quiet, even when you're not using them

Both the iPhone and Android phone called home to Apple and Google servers every 4 or 5 minutes while the phones were left idle and unused for several days. The phones were powered on and plugged in, but the users had not yet logged into Apple or Google accounts.

Even when the iPhone user stayed logged out of their Apple account, the iPhone still sent identifying cookies to iCloud, Siri, the iTunes Store and Apple's analytics servers while the iPhone was idle. It also sent information about nearby devices sharing the same Wi-Fi network.

When location services were enabled on the iPhone, its latitude and longitude were transmitted to Apple servers. 

On Android, data is sent to Google Play servers every 10 to 20 minutes even when the user is not logged in. Certain Google apps also send data, including Chrome, Docs, Messaging, Search and YouTube, although only YouTube sends unique device identifiers. 

'Remarkably similar' data collection

Leith and his colleagues ignored what kind of data apps send back to servers, because many studies have been done on that already. Instead, the study focused on what kinds of data the core operating systems sent back to Apple or Google servers.

"Much less attention has been paid to the data sharing by the handset operating system with the mobile OS developer," the paper said. "To the best of our knowledge, there has been no previous systematic work reporting measurements of the content of messages sent between iOS and its associated backend servers."

The researchers studied network traffic from both types of phones during six scenarios: during initial startup after a factory reset; when a SIM card was added or removed; during a prolonged idle state; during viewing of the settings screen; when enabling or disabling location services; and when logging into the App Store or the Google Play store.

Researchers essentially staged a man-in-the-middle attack on the phones, setting up a laptop to serve as a Wi-Fi hotspot while disabling cellular connections on the phones. 

Traffic from the phones ran through the laptop, which decrypted, logged and analyzed the data, then re-encrypted it and sent it on its way to the destination servers.

Researchers tested privacy using a Pixel 2 (left) and iPhone 8 (right). (Image credit: Future/Shaun Lucas)

The phones used in the testing were an Apple iPhone 8 running iOS 13.6.1 and a Google Pixel 2 running Android 10. Both were jailbroken or rooted so that the researchers could add new HTTPS server certificates matching those on the man-in-the-middle laptop, permitting decryption of traffic.
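The headline figures in the study (how often a phone calls home and how much it uploads) come from summarizing per-connection records captured at the intercepting laptop. The following is an added example, not code from the paper or from Tom's Guide, showing that summarizing step for someone auditing their own handset; the log format, the `.example` hostnames and the vendor suffixes are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: "<epoch seconds> <destination host> <bytes uploaded>",
# the kind of per-connection record an intercepting proxy can export.
SAMPLE_LOG = """\
0 gs.vendor-a.example 1200
270 metrics.vendor-a.example 800
540 gs.vendor-a.example 1000
100 play.vendor-b.example 40000
700 play.vendor-b.example 60000
300 cdn.notvendor-a.example 5000
bad line
"""

# Hypothetical vendor suffixes; replace with the domains seen in your capture.
VENDORS = {"vendor-a": "vendor-a.example", "vendor-b": "vendor-b.example"}

def vendor_for(host, vendors=VENDORS):
    """Match on a DNS label boundary so 'notvendor-a.example' is not counted."""
    host = host.lower().rstrip(".")
    for name, suffix in vendors.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def summarize(log_text, vendors=VENDORS):
    """Return {vendor: {connections, bytes_up, mean_interval_s}}."""
    times, sent = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not (parts[0].isdigit() and parts[2].isdigit()):
            continue  # skip malformed records
        name = vendor_for(parts[1], vendors)
        if name is None:
            continue  # third-party traffic is out of scope here
        times[name].append(int(parts[0]))
        sent[name] += int(parts[2])
    report = {}
    for name, stamps in times.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        report[name] = {
            "connections": len(stamps),
            "bytes_up": sent[name],
            "mean_interval_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return report
```

Calling `summarize(SAMPLE_LOG)` gives a per-vendor count of connections, total upload bytes and the mean gap between connections in seconds.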

The researchers said they were motivated to conduct this study because of the COVID-19 contact-tracing apps that had attracted a lot of publicity in Europe, especially in the United Kingdom and Ireland, in the past year. They found that in the long run, there wasn't much difference between Android and iOS in terms of gathering user data.

"On an iPhone running a COVID contact-tracing app the data collection by Apple iOS is remarkably similar to that by Google Play Services on Android phones," the paper said. "Users appear to have no option to disable this data collection by iOS."

Researchers get 'silence' from Apple

The Trinity College researchers reached out to both Apple and Google to notify them of the findings and seek comment.

"To date Apple have responded only with silence," the study paper said. "We sent three emails to Apple's Director of User Privacy, who declined even to acknowledge receipt of an email, and also posted an information request at the Apple Privacy Enquiries contact page ... but have had no response."

Google did respond with what the researchers characterized as "a number of comments and clarifications," all incorporated into the report, and said it "intend[ed] to publish public documentation on the telemetry data" it collected.

"This research outlines how smartphones work," a Google spokesperson told Tom's Guide following our query. "Modern cars regularly send basic data about vehicle components, their safety status and service schedules to car manufacturers, and mobile phones work in very similar ways." 

"This report details those communications, which help ensure that iOS or Android software is up to date, services are working as intended, and that the phone is secure and running efficiently," the spokesperson added.

According to Google, the researchers' estimates of the volume of data sent by iOS devices to Apple servers do not account for data sent from Apple servers back to iOS devices.

An Apple spokesperson told Tom's Guide that it, too, had issues with the study, noting that the researchers seemed to get several sources of data confused. The spokesperson added that users' personal data was nevertheless protected and could not be traced back to specific individuals.

So what can you do about this data collection?

"Currently there are few, if any, realistic options for preventing this data sharing," especially on iPhones, Leith concluded. 

Android phones — or at least the Pixel that the researchers worked with — can be started with network connections disabled. 

If the user then disables Google Play Services and the Google Play and YouTube apps before connecting to the network, "this prevented the vast majority of the data sharing with Google," the paper said.

Those suddenly non-Google Android phones would need to use other app stores, much as Amazon Fire tablets or Huawei phones do. (Connecting to Amazon or Huawei raises other privacy issues.)

But iPhone users are stuck, because their devices need a network connection to be activated. 

If users "choose to use an iPhone," the study observed, "then they appear to have no options to prevent the data sharing that we observe."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.