State of mobile operating systems privacy in early 2019

Maciek Stanasiuk
Jan 6, 2019

Image courtesy of Chris Velazco from Engadget

With CES just around the corner, Apple’s latest banner seems like nothing more than a marketing stunt. Still, it rekindles a discussion about mobile privacy, which perfectly suits the research I’ve been doing over the past couple of weeks. So, is it true that iOS provides more privacy to its users than Android? Why is that? Should you consider privacy a deciding factor when buying a new phone? In trying to be as precise as possible, the post ended up being quite long, so make yourself a nice cup of coffee and read on — I promise it will be worth it.

I think I have to start with a quick disclaimer, though. I’ve been working with digital analytics and marketing technology pretty much since the beginning of my professional career, for the past 8 years. I think everyone knows by now that the whole industry has been quite a mess (especially when it comes to adtech companies, but that’s probably a topic for another post), so I really hoped that the GDPR, implemented in the EU this year, would force companies to actually start taking privacy issues seriously. While lots of companies (for example most of our clients at FELD M — that’s awesome!) actually did a great job with, e.g., proper consent management on the web, no one seems to care about what’s going on on mobile, where lots of data is actually critical. Let’s take an in-depth look at that together.

To understand how user data can be accessed, one first has to understand how many access levels there are. I’ve therefore divided the post into the following parts:

  • Device IDs and targeting options
  • OS APIs
  • Advertising networks and Data Management Platforms
  • Manufacturer data access

References are available at the very bottom of the post. Please check them out if you are curious about the technical and legal details.

Device IDs and targeting options

Starting with the basics, we have to look at how advertisers, marketing platforms and app developers can identify and target users or their devices. Of course, the only way to do this reliably is to use a unique identifier, and this is where the first major differences start showing up.

Android’s current standard is a user-resettable Advertising ID linked to your Google account. That basically means that Google and the developers know all the devices you’ve logged into with the same Google account. So far so good: it’s considered a best practice and not that big of a privacy issue, as you can always either use another account or simply reset your profile. The real problems with Android start when you look at what else apps can access, though. Unfortunately, there is a plethora of hardware identifiers they can use instead:

  • Android ID (SSAID), which only resets on a factory reset of the device,
  • IMEI or IMSI number, which is not resettable at all (not even on factory reset),
  • MAC address, which is never resettable either.

To be honest, when I first found this out I was horrified. What’s the point of having a resettable ID when you still provide three different ways of identifying the device (two of which users cannot reset unless they buy a whole new device)? That’s a huge violation of best practices and, possibly, of some privacy laws, including the GDPR. Admittedly, Google Play Store policy prohibits linking the Advertising ID to any of the hardware identifiers above without the user’s permission, but this is not treated as a system permission (so you don’t get a popup where you have to explicitly grant it to the app) and can therefore be handled by a small note in the app’s privacy policy. How many of you have read the privacy policy of the last app you installed? I know I haven’t!

iOS, on the other hand, is another story. Its Advertising ID (similar to Google’s) is easily resettable as well, and beyond that there is not much an app can do. The Unique Device ID (UDID) has not been accessible since iOS 7.0, which was released more than 5 years ago (!), and is currently only used for enterprise device management through Apple Mobile Device Management. The MAC address has been unavailable since iOS 7.0 too, and the IMEI has never been accessible at all. The only identifier available to app developers is a Universally Unique Identifier (UUID) that they can generate and share across their own apps to identify the same user device (yes, it’s not even cross-device). That’s a tremendous difference!

Even though I dislike some of Apple’s recent decisions, I have to admit that this in itself shows their seriousness and consistency when it comes to user data privacy. It also has very serious implications for the actual uses of data described below.

OS APIs

While device identifiers let every interested party identify the device or the user, such data is not particularly worthwhile without additional dimensions. These can be provided by various OS APIs that allow apps (and the various SDKs used in them) to communicate with the system and with each other.

Unfortunately, the access provided by its APIs is another huge downside of Android. It is virtually limitless, and apps can easily, without needing to request any permissions, access information such as:

  • The list of all other apps installed on the device and their permissions — one of the most popular ways of segmenting users by interest,
  • Enabled accessibility options — I don’t know of any examples of this actually happening, but I can come up with multiple ways to discriminate against people with disabilities here,
  • The device locking method — that might not be a huge privacy invasion per se, but it can be a security vulnerability.

iOS, on the contrary, provides none of the above, nor any other way to access system data or other apps’ data. The only thing developers can do is use the UUID mentioned above, but, as stated before, it only works across their own apps.
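As an added example that is not part of the original post, here is a small Python audit helper a privacy reviewer could run over decompiled app or SDK source to flag reads of the identifiers and permission-less signals described in the two sections above (hardware IDs, and co-occurrence with the Advertising ID that Play policy makes subject to user permission). The Android API names are real; the sample source, the category names and the resettability labels are my own construction based on the post.

```python
import re
from typing import Dict, List
# API surfaces yielding an identifier or a permission-less fingerprinting signal.
# Resettability follows the post: the Advertising ID is user-resettable, the
# SSAID survives everything but a factory reset, IMEI/IMSI/MAC never reset.
SIGNATURES = {
    "advertising_id": (r"AdvertisingIdClient\.getAdvertisingIdInfo", "user-resettable"),
    "ssaid": (r"Settings\.Secure\.ANDROID_ID", "resets only on factory reset"),
    "imei": (r"\.getDeviceId\(|\.getImei\(", "never resets"),
    "imsi": (r"\.getSubscriberId\(", "never resets"),
    "mac": (r"\.getMacAddress\(|\.getHardwareAddress\(", "never resets"),
    "installed_apps": (r"getInstalledApplications\(|getInstalledPackages\(", None),
    "accessibility": (r"ACCESSIBILITY_ENABLED|ENABLED_ACCESSIBILITY_SERVICES", None),
    "lock_method": (r"\.isDeviceSecure\(|\.isKeyguardSecure\(", None),
}
HARDWARE_IDS = {"ssaid", "imei", "imsi", "mac"}
FINGERPRINT_SIGNALS = {"installed_apps", "accessibility", "lock_method"}

# Constructed sample standing in for decompiled app/SDK source; not from any real app.
SAMPLE_SOURCE = """\
// constructed sample, modelled on decompiled SDK code
String adId = AdvertisingIdClient.getAdvertisingIdInfo(ctx).getId();
String ssaid = Settings.Secure.getString(cr, Settings.Secure.ANDROID_ID);
String imei = tm.getDeviceId();
List<ApplicationInfo> apps = pm.getInstalledApplications(0);
boolean secure = km.isDeviceSecure();
"""

def scan_source(source: str) -> Dict[str, List[int]]:
    """Map each signature category to the 1-based line numbers where it occurs."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, (pattern, _) in SIGNATURES.items():
            if re.search(pattern, line):
                hits.setdefault(name, []).append(lineno)
    return hits

def assess(hits: Dict[str, List[int]]) -> List[str]:
    """Turn raw hits into the findings a privacy reviewer would act on."""
    findings = []
    hardware = sorted(h for h in hits if h in HARDWARE_IDS)
    for h in hardware:
        findings.append(f"{h}: hardware identifier ({SIGNATURES[h][1]}) read at lines {hits[h]}")
    if "advertising_id" in hits and hardware:
        # Play policy forbids linking the ad ID to hardware IDs without user permission.
        findings.append("POLICY: Advertising ID and hardware identifiers read in the same code base")
    for h in sorted(hits.keys() & FINGERPRINT_SIGNALS):
        findings.append(f"{h}: permission-less fingerprinting signal at lines {hits[h]}")
    return findings
```

Running `assess(scan_source(SAMPLE_SOURCE))` on the constructed sample yields two hardware-identifier findings, the policy co-occurrence finding and two fingerprinting-signal findings.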

Advertising networks and Data Management Platforms

Now we know what data can be accessed, but how is it actually used? In the end, that’s when the fun begins! Keeping it short, and not counting any malicious agents or other intruders (I’m not a security expert!), everything is passed to various advertising networks and their data management platforms (DMPs). What does “everything” mean? It is not really disclosed, but my safe guess would be that in many cases it actually is everything that can be accessed (as shown by multiple news stories last year, e.g. about Facebook). In addition, in case you didn’t know, different networks’ SDKs very often offer the possibility of sending various events linked to particular interactions with the app — a click on a banner, how long you spent playing a particular level of a game, etc. When anonymized, data like this is only used in aggregated form, e.g. for UX optimization. When sent along with all the information about you and your device, it helps a lot in building a profile of you.

That’s exactly what happens to the data once it arrives at its recipient. It is used to include you in some of the thousands of interest and demographic segments, add you to device graphs, share all of it with their partners and so on, so that ultimately these vendors (ranging from advertising giants such as Google, Facebook and Twitter to lots of smaller companies such as Unity, AppLovin, Vungle, Tapjoy or Cosmose) can sell ads for more. Remember the saying “when you are not paying for a product, you are the product”? That’s exactly the case here.

Of course, the situation with web advertising is quite similar. Nevertheless, I think it’s safe to say that the amount of data that can be accessed on Android makes it a totally different story, unfortunately for the worse.

Manufacturer data access

Last, but not least, let’s talk about what data is collected and used by your phone’s manufacturer itself. It is already common knowledge that in some cases smartphone data can be shared with various nations’ governmental agencies directly by either Google or Apple, but what about using it for extra profit?

Well, Android is obviously made by Google, the biggest advertising network on the planet. It is, of course, open source and all, but virtually all current Android devices (except, I believe, Amazon’s tablets and some niche, privacy-focused phones) come with Google Play Services preinstalled. With them you are not only getting a way to use Google’s Play Store, Maps, Gmail integrations, etc., but are also giving Google a way to track whatever they’d like, even though they should not.

Additionally, different Android-based device manufacturers can add whatever they want to the system, very often without notifying users about it. For example, Xiaomi has been displaying extra ads in MIUI for a while already, without even giving users the option to opt out. I’d like to think that’s the only example of such a use of user data (it surely is the most visible one), but I highly doubt it.

The only advertising option on iOS provided directly by Apple that I found is Search Ads. It is a simple, exclusively keyword-based advertising option for developers to promote their apps when users enter a specific keyword in the App Store. I therefore wouldn’t really call it user monetization, but rather simple traffic monetization.

Summary

I’ve always been aware of the fact that Android is “less private” than iOS, but after learning what exactly that means I was devastated. Being quite a technology geek, I’ve always appreciated a new, shiny phone or tablet, switching between Android and iOS quite often. Now I believe that Google’s, for lack of a better word, sloppiness in the implementation of privacy features is inexcusable (not to mention its other user monetization practices) and, even though I don’t particularly like its hardware, I’ll be staying with the iPhone for now.

All in all, it’s for the people to decide with their wallets. Let yours decide wisely.

References



Data analytics and activation expert, tech aficionado. CEO @ Defused Data & Marketing Technologist @ CCP Games.