In the research paper “What Data Do The Google Dialer and Messages Apps On Android Send to Google?”, Trinity College professor Douglas J. Leith claims that the Google applications Messages and Dialer are sending data to Google without user consent.
Both applications are installed on over a billion Android devices each. Google Messages is the default messaging application that many manufacturers and mobile phone companies ship as the default application for messaging on their devices. The same is true for Dialer, as it is the default phone application on many Android devices.
The researcher analyzed the data that the Google Messages and Google Dialer applications sent to Google on Android handsets. According to the research paper, linked here the following data is sent when the Messages application sends or receives messages
When an SMS message is sent/received the Google Messages app sends a message to Google servers recording this event, the time when the message was sent/received and a truncated SHA256 hash of the message text. The latter hash acts to uniquely identify the text message. The message sender’s phone number is also sent to Google, so by combining data from handsets exchanging messages the phone numbers of both are revealed
Google Messages submits data about the event, including the time messages were received or sent, a truncated hash of the message text, and the sender’s phone number, to Google. The hash may identify the message according to the researcher, and if Google Messages is used on both handsets, Google gets both phone numbers involved in the conversation.
Google Dialer sends similar logs to Google. The data includes the time and the call duration according to the research paper.
When a phone call is made/received the Google Dialer app similarly logs this event to Google servers together with the time and the call duration.
The data that is sent to Google “is tagged with the handset Android ID” according to the researcher. The ID is linked to Google user accounts and thus the identify of the user.
Additionally, both applications submit data about user interactions within the applications. Nature and timings of interactions, e.g., viewing an app screen, searching contacts, or browsing an SMS conversation, are also submitted to Google according to the paper.
If “See caller and spam ID” is enabled, which it is by default, Google Dialer sends the phone number of each incoming call and the time of the call to Google as well.
The applications have no opt-out that prevents the data from being submitted to Google.
The data is sent to Google via the Google Play Services Clearcut logger service and Google/Firebase Analytics according to the researcher.
The Google Messages and Dialer apps send data to Google via two channels: (i) the Google Play Services Clearcut logger service and (ii) Google/Firebase Analytics. Recent Android measurement studies have noted the large volume of data sent by Google Play Services to Google servers on most Android handsets. A substantial component of this data is sent by the Clearcut logger service within Google Play Services. However, the data transmission is largely opaque, being binary encoded with little public documentation.
The Register received confirmation by Google that the “paper’s representations [..] are accurate”. Additional details, including information about the test setup and code, are available in the research paper.
Android users may switch to different applications that may take over the tasks of the default applications. For instance, Simple Dialer: Phone Calls, as a replacement for the Google Dialer application, and Simple SMS Messenger. as a replacement for Google Messages.
Now You: which dialer and messaging apps do you use?