A group of computer scientists, two from the University of Edinburgh, and a third from Trinity College, has found that phones purchased by customers in China are riddled with software that continuously sends user data to third parties without the permission or even knowledge of the phone’s users. Haoyu Liu, Douglas Leith and Paul Patras have summarized their findings in a paper posted on the arXiv preprint server.
In the U.S. and many other countries, phone users take their privacy seriously—the maker of the phone, its operating system or installed apps are all expected to maintain a strict level of security. That security does not appear to be the norm for vendors in China. In this new effort, the researchers purchased a number of phones in China and tested how well they protect private user information.
The testing involved phones made by companies such as OnePlus, Oppo Realme and Xiamoi, which are all popular in China. They tested not only the installed apps, but the underlying operating system, a modified version of Android. Their overall goal was to determine the type and amount of personally identifiable information (PII) being sent from the phones to third parties.
The research team found that the phones were rife with applications sending user data to a variety of third parties, all without permission. During testing, they set phones to opt out of sending any sort of data to providers or any other third parties, and did not connect to cloud applications. Still, applications sent data to the makers of the phone, network operators and also to the makers of apps. Data included physical information such as the user’s phone number, its MAC address and ongoing geolocation data. It also included more personal data, such as contact lists and text metadata.
The researchers suggest that the phones sent enough information so that those on the receiving end would know who was using a phone, where it was and what the user was doing. They also found that there was no way to opt out of such privacy breaches and that the breaches continued even if the user took their phone outside of China.