Douglas J. Leith at Trinity College Dublin has published a research report showing how Apple's iOS and Google's Android connect to servers at each company even when you have chosen not to log in to iCloud / Google and have declined every request to share data with the companies.
The study was performed by installing a fake root certificate on a Pixel 2 with Android 10 and an iPhone 8 with iOS 13.6.1 (jailbroken to circumvent certificate checking). Both phones were connected to a computer set up as a Wi-Fi access point, on which he ran the program mitmproxy, which acts as a so-called "man in the middle" and intercepts all encrypted traffic between the devices and Apple's / Google's servers.
A newer iPhone with iOS 14 could not be used in the test because there is no way to jailbreak it. Without a jailbreak, iOS cannot be fooled by a man-in-the-middle attack.
Douglas J. Leith examined the traffic from the phones to the servers in the following situations:
- When they are first started and activated.
- When a SIM card is removed or inserted.
- When the phone is idle.
- While in the settings app.
- When the location service is switched on and off.
- When you log in to the App Store / Play Store.
The results show that both systems send a lot of information to their respective creators, everything from the IMEI and phone number to location and telemetry data. When the phones are idle, both connect approximately every 4.5 minutes.
A big difference between the two systems is that Android sends almost twenty times more data to Google than iOS sends to Apple, the researcher claims. Google says in a statement to Ars Technica that this is wrong and a misunderstanding:
“The survey basically shows how smartphones work. Modern cars regularly send basic data about the vehicle’s components, safety status and service intervals to car manufacturers, and mobile phones work in a similar way. This report clarifies this communication, which keeps iOS or Android safe and updated, and ensures that services work as intended and that the phone is secure.”
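To make a measurement like this repeatable on a test device you own, the tallying can be done inside the proxy. The following mitmproxy addon is an added example, not code from Leith's report: it groups intercepted requests by endpoint and reports request count, request-body bytes and the mean gap between connections. The class name and output format are assumptions of this example.

```python
# Added example: a mitmproxy addon (load with `mitmdump -s telemetry_tally.py`).
# Only duck-typed flow attributes are read, so it can also be exercised offline.
from collections import defaultdict
from statistics import mean


class TelemetryTally:
    """Per-endpoint request count, bytes sent and gap between connections."""

    def __init__(self):
        self.bytes_up = defaultdict(int)   # endpoint -> request body bytes
        self.starts = defaultdict(list)    # endpoint -> request start times (s)

    def response(self, flow):
        # mitmproxy calls this hook once per completed HTTP exchange.
        req = flow.request
        # Drop the query string so repeated calls to one endpoint group together.
        endpoint = req.pretty_host + req.path.split("?", 1)[0]
        # Body bytes only: identifiers can also travel in headers and cookies.
        self.bytes_up[endpoint] += len(req.content or b"")
        self.starts[endpoint].append(req.timestamp_start)

    def summary(self):
        out = {}
        for endpoint, times in self.starts.items():
            times = sorted(times)
            gaps = [b - a for a, b in zip(times, times[1:])]
            out[endpoint] = {
                "requests": len(times),
                "bytes_up": self.bytes_up[endpoint],
                # A single request gives no interval to average.
                "mean_gap_s": mean(gaps) if gaps else None,
            }
        return out

    def done(self):
        # Called by mitmproxy on shutdown: print the tally, largest sender first.
        rows = sorted(self.summary().items(), key=lambda kv: -kv[1]["bytes_up"])
        for endpoint, stats in rows:
            print(endpoint, stats)


addons = [TelemetryTally()]
```

Grouping by endpoint rather than by company keeps individual services visible, so a connection can be matched to the function that makes it before it is counted as data collection.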
A spokesman for Apple tells Ars Technica that the report contains misunderstandings, that Apple is clear about what is being collected, and that Apple uses technologies that prevent the company from using location services to track users.
The report raises interesting questions, not least about how much detail the technology companies should be expected to give when describing all the connections made by products with hundreds of functions and services that all require internet connections to work.
We have read the report and note that Douglas J. Leith does not appear to have made any effort to check what different services are actually doing and why they may need to send the information being sent. An example from iOS is a connection to https://lcdn-locator.apple.com/lcdn/locate from a process called “AssetCacheLocatorService”.
It is a process used to ensure that iOS (and macOS and other Apple systems) download system and software updates from a local cache server if one is available on the network you are connected to. If this does not work, each device must download updates individually over the Internet, which becomes both slow and inefficient as soon as more than a few devices share the same connection.
This is just one example we found and there may be more, both on iOS and Android, where the report does not go into what is actually sent to the manufacturers and why.
The report has been published directly and not in any scientific journal, and has therefore not been peer-reviewed. However, this does not in itself mean that the research was not carried out thoroughly, and as with all research that shows something new, there is a need for confirmatory studies.