© Reuters / Dado Ruvic. Android mascot pictured in front of Google logo. July 9, 2017
Android OS devices transmit sensitive user data like handset serial numbers and app usage info to manufacturers like Samsung and third parties like Google, Microsoft and Facebook - even after consumers opt out, a new study shows.

According to the study, proprietary variants of Google's Android system developed by popular vendors like Samsung, Xiaomi, Huawei and Realme send "substantial amounts" of information to these manufacturers as well as to third-party firms whose apps come pre-installed on these devices.

In the study, which was published on Monday, researchers from Trinity College Dublin and the University of Edinburgh found that the data silently collected by these companies was linked to "long-lived identifiers" like the device's IMEI code (the unique number linked to a device's SIM card slot) and other hardware serial numbers. In some cases, the MAC address generated by the user's WiFi network was also transmitted.

The manufacturers and Google also reportedly collect a list of all the apps installed on the handset, raising privacy concerns since this is potentially sensitive information that can reveal "user interests and traits," for instance, the use of a mental health application or a political news app.

The study noted that such apps may be unique to a small number of handsets - meaning they could act as a "device fingerprint" when combined with widely-collected hardware configuration data. This data collection occurs even if users enable privacy settings.

Raising concerns about a "data ecosystem" where information collected from a handset by different companies is shared and cross-linked, the researchers found that Samsung, Xiaomi, Realme and Google also collect advertising identifiers - such as Google's Advertising ID - that are "user-resettable."

This "largely undermines" the privacy benefits supposedly enjoyed by Android users pressing the 'reset' button to opt out of personalized ads on their devices - since the new identifier can apparently be "trivially re-linked back to the same device." For example, during a test on a Samsung handset, the researchers found that the device's Google Advertising ID had been stored on Samsung servers.
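The re-linking described above can be checked for in captured traffic. The following is an added example, not code from the study or from this article: it scans decoded telemetry records and reports any destination that received a resettable advertising ID in the same request as a long-lived identifier, before and after a reset. The field names, hostnames and sample records are constructed assumptions.

```python
from collections import defaultdict

# Assumed field names for decoded handset telemetry (hypothetical, not from the study).
LONG_LIVED = ("imei", "hw_serial", "wifi_mac")  # unchanged by an ad ID reset
RESETTABLE = "ad_id"                            # user-resettable advertising ID

# Constructed sample records, in capture order.
EVENTS = [
    {"dest": "vendor.example", "imei": "IMEI-A", "ad_id": "ad-1111"},
    {"dest": "ads.example", "ad_id": "ad-1111"},
    # the user resets the advertising ID here
    {"dest": "vendor.example", "imei": "IMEI-A", "ad_id": "ad-2222"},
    {"dest": "ads.example", "ad_id": "ad-2222"},
    {"dest": "vendor.example", "hw_serial": "SER-B"},  # no ad ID in this request
]

def co_transmissions(events):
    """Map (dest, long-lived field, value) -> ad IDs sent in the same request."""
    seen = defaultdict(list)
    for ev in events:
        ad_id = ev.get(RESETTABLE)
        if ad_id is None:
            continue
        for field in LONG_LIVED:
            if field in ev and ad_id not in seen[(ev["dest"], field, ev[field])]:
                seen[(ev["dest"], field, ev[field])].append(ad_id)
    return dict(seen)

def resets_undone(events):
    """Anchors that received more than one ad ID: the reset did not unlink the device."""
    return {k: ids for k, ids in co_transmissions(events).items() if len(ids) > 1}

def clean_destinations(events):
    """Destinations that only ever saw the ad ID without a long-lived identifier."""
    risky = {dest for dest, _, _ in co_transmissions(events)}
    return sorted({ev["dest"] for ev in events if RESETTABLE in ev} - risky)

if __name__ == "__main__":
    for (dest, field, value), ids in resets_undone(EVENTS).items():
        print(f"{dest}: {field}={value} ties together ad IDs {ids}")
    print("ad ID sent alone to:", clean_destinations(EVENTS))
```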

In addition, pre-installed software like the GApps package - which includes Google Play Services, Google Play store, Google Maps and YouTube, among others - sends a "considerable volume" of data back to Google. The study notes that the content of this information is "unclear [and] not publicly documented," with the tech giant confirming that there is "no opt out" from this data collection. Similarly, Facebook and Microsoft apps (like LinkedIn) come pre-installed on most Android devices.

Some device vendors also collect user interactions with the handset, with Xiaomi receiving details of all app windows viewed by a consumer, including when and how long they used the app. This level of tracking can reportedly reveal the timing and duration of user phone calls, for instance. Similar usage data is collected by Microsoft using its Swiftkey keyboard on Huawei handsets, which can reveal when the user is writing a text message or using the search bar.

Noting that privacy concerns had been "too focused on web cookies and on badly-behaved apps," study author Doug Leith hoped the report would be a "wake-up call to the public, politicians and regulators" that "meaningful action is urgently needed to give people real control over the data that leaves their phones."

In response, an unnamed Google spokesperson told tech news outlet BleepingComputer that such behavior was not "unexpected" since "this is how modern smartphones work."

"Collection of limited basic information, such as a device's IMEI, is necessary to deliver critical updates reliably across Android devices and apps," Google said.