A recent report notes that Google Messages and Google Dialer apps for Android devices have been collecting information without users’ consent to send to Google servers, in a breach of data protection laws in Europe and other regions.
Trinity College Dublin researcher Douglas Leith published a paper titled “What Data Do the Google Dialer and Messages Apps on Android Send to Google?” in which he discusses how these phone call and messaging apps communicate with Google Play Services and the Google Firebase Analytics service.
According to Leith, the data sent by Google Messages includes a hash of the text in the message, which allows linking the sender and receiver in an exchange of messages. In addition, the data sent by Google Dialer includes the time and duration of users’ calls, data that also allows linking the two numbers involved in a call.
“Google collects other records such as the timing and duration of interactions between its users without offering a way to decide that their information is not sent to the company’s servers,” the researcher adds.
Google Messages (com.google.android.apps.messaging) is installed on more than a billion Android phones and is included with devices from phone operators such as AT&T and T-Mobile, as well as being pre-installed on Huawei, Samsung and Xiaomi devices. Google Dialer or Phone by Google, (com.google.android.dialer), has a similar scope.
Pre-installed versions of these apps don’t have a privacy policy section to specify what user information will be collected, a move Google requires all third-party developers to adhere to. In addition, when requesting information about the data collected, Google did not confirm that the metrics identified by the researcher are being collected.
While Google Play Services explains that these apps collect user data, it simply points out that it is done for security reasons and for the improvement of some Google services. These arguments do not explain the collection of metadata from messages and phone calls.
The researcher concluded his report by listing some of the measures that Google has committed to implement to change this situation, including:
- Review the app’s onboarding flow to notify users that they are using a Google app
- Stop the collection of the sender’s phone number by the CARRIER_SERVICES log source, the 5 SIM ICCID and a message text hash sent/received by Google Messages
- Stop logging call-related events in Firebase Analytics from Google Dialer and Messages
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.
