What do iOS and Android have in common? Their apps suck at privacy, boffins say

Plus 'widespread potential violations of US, EU, UK privacy law' as an added bonus

Apple says, "Privacy is a fundamental human right." Google says, "We build privacy that works for everyone." But neither mega-corp manages to provide much privacy on their mobile devices, according to a study conducted by boffins at the University of Oxford in England and an independent researcher.

In a paper titled, "Are iPhones Really Better for Privacy? Comparative Study of iOS and Android Apps," researchers Konrad Kollnig, Anastasia Shuba, Reuben Binns, Max Van Kleek, and Nigel Shadbolt examined 24,000 Android and iOS apps available on both platforms in 2020 and concluded that iPhones are not better for privacy, and that Android and iOS apps fail to protect data.

The researchers looked at 12,000 apps from each ecosystem, testing them via static analysis and dynamic analysis, looking at tracking libraries and the companies behind them, checking network traffic for personally identifiable information (PII), and analyzing permissions.

"We find that third-party tracking and the sharing of unique user identifiers was widespread in apps from both ecosystems, even in apps aimed at children," the paper says.

In the children's app category, iOS apps exhibited less ad-related tracking than equivalent Android apps, but more frequently (seven times more) offered access to children's location data.

And many of these apps appeared to the researchers to be breaking privacy laws in multiple jurisdictions. "Across all studied apps, our study highlights widespread potential violations of US, EU and UK privacy law," the paper says.

Specifically, the researchers found a lack of user consent for third-party tracking, a lack of parental consent for sharing PII in kids' apps, tracking libraries not configured to minimize data collection, data being sent to countries without adequate data protection, and design decisions by Apple and Google that limit transparency about tracking.

"Overall, we find that neither platform is clearly better than the other for privacy across the dimensions we studied," the paper says.

Tracking tricks

The researchers said apps from both platforms commonly use tracking libraries, noting that the median number of tracking libraries in an app was three on both platforms. A small number of Android apps (3.73 per cent) contained more than 10 tracking libraries, compared to 3.13 per cent on iOS. And a substantial number of apps on both platforms contained at least one tracking library (88.73 per cent on Android and 79.35 per cent on iOS).

The boffins said some apps use code obfuscation to hide the presence of tracking libraries, but they explained this didn't affect their analysis because while tracking libraries may try to conceal their code, user-facing APIs aren't easily hidden.

"Overall, tracking services are widespread on both ecosystems, but slightly more so on Android, likely in part due to Google’s dual role as a dominant advertising company and platform gatekeeper on Android," the paper says. "However, Google also has a significant presence on iOS, highlighting its dominance in the smartphone ecosystem."

The most common tracking library on Android is Google Play Services (in 87.3 per cent of apps); on iOS, it's Apple's SKAdNetwork library (in 69.6 per cent of apps), which discloses ad interactions to Apple and could potentially be used for building its own ad system.

In terms of data minimization, a requirement of Article 5 of the GDPR, and of user opt-in prior to data collection per UK and EU laws, most developers did not change the default options in their tracking libraries that would have avoided unnecessary data collection.

Potential access to the AdId (advertising identifier) on both platforms – which can be used for tracking individuals across apps – was more common on Android (86.1 per cent of apps) than on iOS (42.7 per cent of apps).

The researchers observed that platform differences in the use of AdId have to do with platform restrictions. Apple, they said, has required developers to declare AdId usage when submitting apps for review, allows users to block AdId (unlike Google on Android), and since iOS 14.5 has made usage of the identifier explicitly opt-in.

"Apple’s crackdown on AdId use could be interpreted as an attempt to divert revenue from Google and other advertising providers, and motivate the use of alternative monetisation models – which are more lucrative for Apple," the paper says.

In terms of permissions, the researchers found that Android has many permissions not present on iOS, which makes it appear that Android apps have more access when the difference is that iOS doesn't gate certain resources like internet access and network state. And in fact, they found iOS apps tended to have higher levels of risky permissions.

For example, about half of iOS apps had Camera (56.3 per cent) and Location (49.2 per cent) access while only about a third of Android apps had Camera (21.2 per cent) and Location (28 per cent). And iOS apps also could access Calendar and Contacts permission more often than Android apps (25.2 per cent vs. 3.2 per cent for Calendar and 16.1 per cent vs. 6.4 per cent for Contacts).

Location, location, location

Access to location data was also more common in iOS apps for children (27 per cent) than in Android apps for children (4 per cent).

Most of the Android and iOS apps studied (81.44 per cent of Android apps and 68.46 per cent of iOS apps) share data on launch, likely in violation of EU and UK laws requiring prior consent, the researchers said.

More Android apps than iOS apps share AdIds over the internet (55.4 per cent on Android, and 31 per cent on iOS). Similarly, more Android apps (85.1 per cent) than iOS apps (61.4 per cent) share model number and phone name – useful for device fingerprinting – over the internet.
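
One way to check for the launch-time sharing and identifier leakage described above, as an added example that is not code from the paper or the article: it scans captured app requests for a test device's known identifiers, in plain, Base64 and hashed form, and marks matches sent to third-party hosts before consent. The device values, hostnames and flow records are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit, unquote_plus

# Constructed values for a test device (assumptions, not data from the study).
DEVICE = {
    "ad_id": "3f2b8c1e-7a4d-4e9b-9c55-0d1e2f3a4b5c",
    "model": "Pixel 4a",
    "phone_name": "Alice's Phone",
}

def encodings(value):
    """Forms an identifier may take on the wire: plain, Base64, common hashes."""
    raw = value.encode()
    forms = {value, value.replace("-", ""), base64.b64encode(raw).decode()}
    forms |= {hashlib.new(h, raw).hexdigest() for h in ("md5", "sha1", "sha256")}
    return {f.lower() for f in forms}

def audit(flows, first_party, consent_at=None):
    """Return (host, leaked identifier names, sent_before_consent) per third-party flow."""
    findings = []
    for flow in flows:
        host = urlsplit(flow["url"]).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # only third-party destinations are of interest here
        haystack = unquote_plus(flow["url"] + " " + flow.get("body", "")).lower()
        leaked = sorted(name for name, value in DEVICE.items()
                        if any(form in haystack for form in encodings(value)))
        if leaked:
            before = consent_at is None or flow["t"] < consent_at
            findings.append((host, leaked, before))
    return findings

# Constructed capture: t is seconds since app launch.
FLOWS = [
    {"t": 0.4, "url": "https://ads.tracker.example/v1/init"
                      "?idfa=3F2B8C1E-7A4D-4E9B-9C55-0D1E2F3A4B5C&dm=Pixel+4a"},
    {"t": 0.9, "url": "https://api.app.example/login", "body": "device=Pixel 4a"},
    {"t": 1.0, "url": "https://cdn.vendor.example/lib.js"},
    {"t": 7.2, "url": "https://metrics.vendor.example/e",
     "body": '{"uid": "%s"}' % hashlib.sha256(DEVICE["ad_id"].encode()).hexdigest()},
]

if __name__ == "__main__":
    for finding in audit(FLOWS, "app.example", consent_at=5.0):
        print(finding)
```

Matching on hashed and Base64 forms matters because an identifier that never appears in plain text can still be stable enough to link a device across apps.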

Some Android apps, the researchers observed, also shared other system identifiers like Android ID (18.2 per cent), IMEI (1.3 per cent), Serial number (1.1 per cent) and Wi-Fi Mac Address (0.6 per cent) that aren't available in iOS due to Apple's past deprecation of access to permanent identifiers like UDID and MAC Address. Android apps

Google's parent Alphabet can collect tracking data from 100 per cent of Android apps, the researchers said, while Apple can collect tracking data from more than two-thirds of iOS apps. Data collectors with less reach include Facebook, Unity Technologies, Verizon, and Oracle, among others.

In terms of where that data goes, 93.3 per cent of Android apps and 83.5 per cent of iOS apps can transmit data to a US-based company. Other potential data destinations include China (9.5 per cent of iOS apps and 4.8 per cent of Android apps) and India (7.45 per cent of iOS apps and 2.23 per cent of Android apps), with Russia and Germany as less common destinations.

"While it has been argued that the choice of smartphone architecture might protect user privacy, no clear winner between iOS and Android emerges from our analysis," the paper concludes.

The researchers, however, allow that Apple may have addressed some of these issues through privacy improvements introduced in iOS 14 and in subsequent updates, and they say they hope to evaluate recent changes in later work.

Neither Apple nor Google responded to requests for comment. ®