Occasionally, Android Authority receives a question from a
reader. We answer as many as we can, and sometimes we think a public
answer might actually be better than replying in private.
Here’s a slightly edited question we received by email from Steve (not his real name), over the holidays:
My “definition” of security is trying to stay as far away as possible from Google and Apple — I despise both companies’ invasion of privacy by tracking the phones, searches, data, etc. The idea of the information from every phone that goes to these companies is abhorrent to me. I have used BlackBerry to try to avoid that. Do you know if the new Blackberry/Android products still “report” to Google like the other Android phones?
Gaining a more complete understanding of how your personal data
and privacy mix with Android is well worth exploring, so here we go.
Android has been installed on more than two billion devices
around the world, mostly smartphones. That’s incredible reach. They’re
not all listening to us and reporting back to Google, though they’re not
exactly secure (more on that, shortly).
Android, or the Android Open Source Project (AOSP), is led by
Google, which maintains and further develops the codebase, as an
open-source software project. Google markets its maintenance and
progression of the project as part of their belief that everyone can and
should have access to the internet.
Android is open—except for all the good parts
It is altruistic, but it is also business. The way Google makes
money is from having people on the web and on mobile, clicking its ads.
This accounts for approximately 90 percent of parent company Alphabet’s
revenue.
AOSP means anyone — you, me, the next great smartphone company —
can download the Android source code, fork it, mod it, and utilize it.
The Google’s approach is very different to Apple, which sells iOS on
devices as an exclusive, locked-down ecosystem.
Many feel Android has slowly become more of a “Look but don’t touch” shared-source platform, rather than truly open source. As Ars Technica nicely put it more than four years ago: “Android is open — except for all the good parts.”
Further complicating matters, Google actually offers two distinct
flavors of Android. There’s AOSP, which is bare bones: no Google, no
Google Play Store, no apps inbuilt. This is the one that you, me, or a
company building a new connected device will utilize. However, AOSP
almost certainly won’t be used on a mass-produced smartphone, except
possibly in China, where Google hasn’t always been legal, and where
familiarity is more with Chinese apps. The other reason is smartphone
manufacturers use a different, “full” Android experience, which makes Google money, and the one that provides a truly viable user platform.
There's Android open-source, and then there's 'full' Android with everything Google included
The “full” Android we know and use daily on our phones has the
Google Mobile Services (GMS) platform built on top of Android. It’s sold
to most OEMs — companies like Samsung, HTC, LG, Huawei, and now
Essential and Razer, among others. GMS is not open source. It’s quite
far from AOSP, and bundles the apps and services we know and love with
it. All that bundling has caused problems — the European Union objected to Google’s use of this full Android package to “preserve and strengthen its dominance in general internet search.”
Addressing the question we received directly, new BlackBerry
devices do come with GMS installed, and Google’s apps do report back to
HQ, with caveats. An Android device won’t report your details back to
Google unless you let it happen, by adding your Google account details
and using Google apps.
Google’s not the only one receiving data on you— your phone
carrier gets it too. Location data (by cellphone tower triangulation),
logs of your calls for billing, and all your SMS message still go to
your carrier. The Mobile Device Privacy Act offered some improvements
here by limiting pre-installed tracking apps, but lots of your data is
still sent.
Still, there are ways to use Android without directly involving Google in your life.
Using Android without Google
We’ve published interesting and perhaps more extreme cases in the
past involving a completely de-Googled device, including a look at this
Samsung Note 4
in China. It ran the AOSP flavor of Android, but everything was more or
less replaced by Baidu — and sending data to Chinese companies instead
of Google. The author thought the phone was odd, and didn’t feel as
comfortable trusting Chinese apps as much as you do with Google, or
Apple. Given China’s general privacy stance, that’s understandable.
We’ve also examined alternatives to Google apps,
with notable winners like HERE WeGo and Citymapper for Maps, Firefox
and Opera for browsing, Blue Mail for email, and Signal for (secure)
third-party messaging.
Escaping Google is a matter of both effort, and what you're willing to forego
Even if you use all those, there’s still a chance Google will
receive your data. If it doesn’t, Facebook will probably get it, given
its incredible reach
across popular apps and hooks into websites. Eventually, stopping the
flow of your data becomes a matter of deciding which services and
conveniences you’re willing forego.
If you’re using the Google Play Store to get apps — and you
normally would, as it’s the safest way to go — your installs and
uninstalls will be tracked. The Play Store also tracks location data,
user acquisition data, and does Android “vitals” monitoring, which
monitors for things like excessive background Wi-Fi scans for apps.
It’s not strictly personal, identifiable information, but many
apps use cookies to enable services like Google Analytics to monitor
both usage and user data. This data helps app makers figure out what’s
popular, what’s working, and what isn’t.
For example, Citymapper states the following in their Privacy Policy:
Some of the cookies used by our App are set by us, and some are set by third parties who are delivering services on our behalf. For example, we use Google Analytics to track what users do on the App so we can improve the design and functionality.
On the web, Google somewhat curiously offers an Analytics opt-out
plugin for most browsers, allowing you to prevent your data being used
by Google Analytics. But that’s only on the web and not part of apps at
this stage, meaning you’ll need to pick and choose your apps carefully,
and very few offer as much transparency as Citymapper.
Step further down the line, and hosting becomes an issue. The
Google Cloud Platform (GCP) hosts websites, apps, and acts as
infrastructure for storing and hosting data, and more. It’s not quite at
the scale of Amazon Web Services (AWS) which serves more than 35
percent of web traffic via their cloud server infrastructure, according
to Synergy.
While nothing substantial exists in the U.S., both GCP and AWS follow
some strict European Union directives around with data protection. If
you’d like that in the U.S., you’ll need to lobby the FCC — and we’ve seen how well that goes.
How to really, really escape Google on Android
So, you want to escape Google? It’s possible, but you’re going to
have trouble with normal web browsing. Using a more secure browser like
Firefox Focus is a good place to start. Always using a VPN should go
without saying. Quit searching with Google and use DuckDuckGo, which
doesn’t collect any information about the user, and doesn’t track IPs or
other information.
F-Droid
offers an alternative to the Google Play store, providing a catalogue of
only free and open-source applications. Many of them are replacements
for Google apps, via a repository which also searches for updates. It’s
not super popular, but it’s been around many years.
Going even further, another option is to use Tor, which was
specifically designed for anonymous communication (and comes with an Edward Snowden recommendation!).
It’s best known as a web browser, but there are Project Tor apps for
Android. Our man Joe Hindy discusses this and more in his recent best Android security apps roundup.
Another popular method of erasing the junk and bloat and anything
else hidden away on your Android device is to install a different OS — LineageOS (based on the old CyanogenOS) is a stock Android experience, but it’s far more locked down than your typical device OS.
You might even consider Mission Improbable,
a “hardened” Android OS created by Tor developers and the open source
community to show how Android can be made more secure. If you’re running
Pixel or Nexus devices, and have familiarity with Linux, this is a top
option for ultimate security.
If you use a Google Account without enabling or turning off
certain history, your location is tracked, search history is built, and
even your voice commands sent to your Google Assistant are stored.
You’ll either be creeped out or delighted by looking at your (amazingly
complete) location history in Google here.
At some point the conveniences you know and love might become worth giving over some of your data. Certainly, Google hope this is true.
If you keep off those apps, and don’t utilize a Google account,
what you’re left with isn’t that much different if you’ve been with
BlackBerry in the past — though even BlackBerry receives some user data
from phones, and in much the same way as Google .
Cutting back further — and remaining connected — would require a
dumbphone, or adopting a different lifestyle altogether. Just being
connected guarantees some tracking of your personal data by so many
different methods. At some point the conveniences you know and love
might become worth giving over at least some of your data. Google
certainly hopes this is true.
We suggest taking a look into better protecting your privacy on your device if you haven’t considered it before.
No comments:
Post a Comment