Study of colleges regarding LineageOS still sending data

The German webpage Tarnkappe recently published an article about a study of two colleges from Scotland and Ireland: Studie zeigt Ausmaß der Android-Datengier

The text may be in German, but it contains an English table and references this English PDF file: https://www.scss.tcd.ie/Doug.Leith/Android_privacy_report.pdf

LineageOS sends less data, but still some. I’m wondering if those particular pieces have already been “fixed” by iodé?


@oRKywork

Thanks for sharing this information. I had a brief look at the paper “Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets” published by the authors Haoyu Liu, Paul Patras, Douglas J. Leith.

As written in this paper, the authors investigated a

Google Pixel 2/Android 10 with LineageOS build 17.1-20210316, opengapps 10.0-nano-20210314.

Furthermore, I found the following statements in the paper:

Apart from Google’s GApps, no third-party system apps on the LineageOS handset were observed to perform data collection.

On LineageOS it is necessary to install GApps to use the Google Play store, but this is not necessary with /e/OS (which uses the open-source MicroG re-implementation of Google Play Services and the Google Play app).

The volume of data uploaded by Google varies across the handsets. It is zero for /e/OS, since it uses the MicroG open source re-implementation of Google GApps.

These differences are likely related to different configurations of Google GApps e.g. on LineageOS the so-called nano version of GApps was installed (other options includes micro, mini, full, stock).

Please correct me, if my conclusion is wrong, but since iodé also uses MicroG rather than GApps, should iodé not be as discreet as /e/?

Regards
Tom

I believe you are right. I was a bit presumptuous. Without Gapps there doesn’t seem to be any danger.

Nothing to do with the OS:
I am still shocked as to what extent regular apps are throwing your stuff around. I’ve been observing and blocking that on my phone for a while now. Even stuff like stock trading apps is integrating libraries from Google, Facebook, etc…
Even if the app developer has no evil motives and just wants some usage analytics, he practically loses all control after integrating any of those libraries.

Hi,
As Tom said, I doubt LineageOS sends data while the handset is idle if gapps are not installed by the user, or if microG is installed instead.
The iodé blocker interface lets you see what data is being transmitted and to whom, so you could experiment as well using the interface (or any other firewall tool).
We also changed default settings in the system to prevent data leaks to Google (more information here).
It would have been interesting to have had iodéOS reviewed as well!

Yes, that would have been interesting. But to keep a sense of proportion: The general awareness of iodéOS compared to LineageOS and /e/OS is extremely low. That is why other respectable soft forks of LineageOS were not tested. Nevertheless, the result of the study is both shocking and sobering.

By the way: Which internet time server (NTP) does iodéOS contact? Google Public NTP?