Douglas J Leith of Trinity College Dublin has published a report investigating the frequency with which iOS and Android connect to the servers of Apple and Google respectively, even when smartphone owners have chosen not to log in and decline to share data whenever given the option.
The survey was performed by installing a fake root certificate on a Pixel 2 with Android 10 and an iPhone 8 with iOS 13.6.1 (jailbroken to circumvent certificate checking). Both phones were connected to a computer set as a Wi-Fi access point, on which Leith ran the program mitmproxy, which acts as a so-called “man in the middle” and intercepts all encrypted traffic between the devices and Apple and Google’s servers.
(A newer iPhone with iOS 14 could not be used in the test because there is no way to jailbreak these. Without jailbreaking, iOS cannot be fooled by a man-in-the-middle attack.)
Leith measured traffic from the phones to the servers:
- When they are first activated.
- When a SIM card is removed or inserted.
- When the device is at rest.
- In the settings app.
- When location services are switched on and off.
- When you log into the App Store or Play Store.
The results show that both systems send a surprising amount of data to their respective creators – everything from IMEI code and phone number to location and telemetry data.
When the phones are idle, both connect approximately every 4.5 minutes. But Android sends almost twenty times as much data to Google than iOS sends to Apple, the researcher claims.
However, Google says in a statement to Ars Technica that this the research’s conclusions reflect a misunderstanding.
“This research largely outlines how smartphones work,” the firm argues. “Modern cars regularly send basic data about vehicle components, their safety status and service schedules to car manufacturers, and mobile phones work in very similar ways. This report details those communications, which help ensure that iOS or Android software is up to date, services are working as intended, and that the phone is secure and running efficiently.”
A spokesperson for Apple, too, told Ars Technica that the report contained misunderstandings. They claimed that Apple is clear about what is being collected, and that the company uses technologies that prevent it from using location services to track users.
The report raises interesting questions, not least about how tech companies can be expected to explain in detail, and seek consent for, the numerous connections that take place from products with hundreds of functions and services that all require an internet connection to work.
We have read the report and note that Leith does not appear to have made any effort to check what different services are actually doing, or why manufacturers may need to send the information.
An example from iOS is a connection to https://lcdn-locator.apple.com/lcdn/locate from a process called AssetCacheLocatorService. This is a process used to ensure that iOS downloads system and software updates from a local cache server if any are available on the network you’re connected to. If this doesn’t work, each device must download updates individually over the internet, which becomes slower and less efficient once more than a few devices share the connection.
This is just one example we found of the report spotting a connection without identifying the reason it happens, and there may be more, both on iOS and Android.
The report has been published directly rather than in a scientific journal, and has therefore not been peer-reviewed. This does not in itself mean the research is not thoroughly carried out but, as with all research that shows something new, there is a need for confirmatory studies.
This article originally appeared on M3. Translation by David Price.