Google collects and stores significant amounts of user data on Android devices, even when users haven’t opened any Google apps.
The study, by Professor D.J. Leith of Trinity College Dublin, documents for the first time how pre-installed Google apps silently track users without seeking consent or providing any opt-out options.
The research examined cookies, identifiers, and other data stored on Android handsets by Google Play Services, the Google Play Store, and other pre-installed Google apps.
Measurements were conducted using a Google Pixel 7 running Android 14 with the latest available builds of Google Play Services and Google Play Store apps.
The findings by the SCSS analysts revealed that Google servers send and store multiple tracking identifiers on handsets immediately after factory reset, before users ever interact with any Google app.
These identifiers include advertising analytics cookies, links to track advertisement views and clicks, and persistent device identifiers that can uniquely identify both the device and user.
Most concerning is that no consent is sought from users before storing any of this data, and there are currently no options to prevent this tracking.
This behavior potentially violates EU data privacy regulations, particularly the e-Privacy Directive and possibly GDPR.
Tracking Mechanisms Revealed
Several specific tracking technologies were identified in this study. The Google Android ID, a persistent device identifier, is stored in multiple locations including shared_prefs/Checkin.xml and transmitted in numerous connections to Google servers.
This identifier persists until a factory reset and is linked to the user’s Google account upon login.
DSID advertising analytics cookies are sent by googleads.g.doubleclick.net and stored in the Google Play Services data folder.
When a user searches within the Google Play Store, “sponsored” results contain tracking links that inform Google when clicked; the connections that fetch the search results carry these embedded ad tracking links.
The research also documented Google’s use of NID cookies across multiple apps, server tokens for A/B testing, and various authorization tokens that effectively log users into numerous Google services silently.
Connections to Firebase Analytics servers were also observed transmitting user interaction data.
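As an added illustration (not code from the study or from Google), the following sketch shows one way to check a traffic capture from a test handset for the DSID and NID cookies described above, and to record whether each was set before any user interaction. The capture records, the `phase` labels, the cookie values and lifetimes, and the `.example` hosts are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

WATCHED = {"DSID", "NID"}  # cookie names reported in the article

@dataclass
class Finding:
    host: str
    cookie: str
    lifetime_days: Optional[float]  # None when no Max-Age attribute is present
    phase: str                      # capture phase label (assumed field)

def parse_set_cookie(value):
    """Split one Set-Cookie header into (name, attributes with lowercase keys)."""
    first, *rest = [p.strip() for p in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit(responses):
    """Return a Finding for every watched cookie set in the captured responses."""
    findings = []
    for resp in responses:
        for header, value in resp["headers"]:
            if header.lower() != "set-cookie":
                continue
            name, attrs = parse_set_cookie(value)
            if name in WATCHED:
                age = attrs.get("max-age", "")
                days = int(age) / 86400 if age.isdigit() else None
                findings.append(Finding(resp["host"], name, days, resp["phase"]))
    return findings

# Constructed sample capture: values, lifetimes and the .example hosts are made up.
CAPTURE = [
    {"host": "googleads.g.doubleclick.net", "phase": "idle-after-reset",
     "headers": [("Set-Cookie", "DSID=CONSTRUCTED; Max-Age=1209600; Path=/; Secure; HttpOnly")]},
    {"host": "host-a.example", "phase": "idle-after-reset",
     "headers": [("set-cookie", "NID=CONSTRUCTED; expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/")]},
    {"host": "host-b.example", "phase": "user-active",
     "headers": [("Set-Cookie", "session=CONSTRUCTED; Path=/"), ("Content-Type", "text/html")]},
]

if __name__ == "__main__":
    for f in audit(CAPTURE):
        print(f)
```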
“Users currently have little control over the data that apps store on an Android handset,” notes Professor Leith in the study. “The main mitigations are to disable Google Play Services or the Google Play Store app, but these are not practical options for most users.”