This is how a study becomes a joke: Gizmodo reported that a material was created as a result of the collaboration of British and Irish university researchers, which came to the conclusion that smartphones with Chinese software of Chinese origin and sold in China collect and transmit data without the knowledge of the users. Although the conclusion of the research is that this type of background activity, which is not visible to the user (and therefore does not even ask for his consent), can be seen on the devices of the brands participating in the study (OnePlus, Redmi, Realme) to a much more limited extent on devices marketed outside of China, but however, the news spread in the tech press as if every version of every device from the listed manufacturers was doing something like this.
Of course, this also makes the matter worrisome, and adds another aspect to our knowledge of the Chinese “surveillance state”. In the research, three products from three brands were examined: a Redmi Note 11 with MIUI 12.5 based on Android 11, a Realme Q3 Pro also with Android 11 and Realme UI 2.0, and a OnePlus 9R with Android 11 and Color OS 12 was on the list, and their other common feature was that they ran Chinese ROMs, that is, they are devices specifically intended for the Chinese market and distributed in China.
The researchers simulated data collection and transmission by creating a network environment that made the devices believe they were operating in China, and set the localization and phone language to Chinese. Decoding the data transmission revealed that Chinese and global ROM devices send different types of data to a different location, but the authors of the study did not find any evidence that this would change based on GPS information when using the devices, that is, a Chinese localized software phone it transmits much more personal data even if its owner uses it outside of China. This is somewhat spicy in light of the fact that these devices also transmit geolocation data, from which the researchers drew the conclusion that wherever Chinese software devices are used, they send a significant amount of personal information to various Chinese servers. The study finds that if we compare the activities of this kind between Chinese and global software versions, the former send three to four times more data “home” with much more sensitive information. It is worth knowing that Google’s services are not available in China, so these phones do not have the search giant’s software, so the authors of the research did not take into account how much data a software intended for the global market sends to Google’s servers.
It’s important to mention that factory apps don’t ask users for permission to do this kind of activity, and all Android phones transmit data that basically hides information about the device. This is essential for OTA software updates, for example, but device manufacturers and Google themselves collect data for diagnostic purposes, but this does not include personal information and identifiable customer activities. Certain data are also required for basic operation (SIM number, IMEI), and with the consent of users, cloud services belonging to different manufacturers also require customers to create an account in order to access the manufacturers’ additional services. However, they comply with the generally accepted GDPR guidelines.
The authors performed the same activities with the three phones participating in the research, including connecting to a WiFi network without a SIM and with a SIM inserted, making calls, sending messages, opening various applications and a full reset. The researchers found that external applications pre-installed in Chinese software (such as Tencent apps, Youku, Baidu Maps) forward personal data without asking for permission, mainly due to the fact that they are pre-installed, bypassing the user’s notification and authorization option .
After deciphering the data sent by the phones, the authors of the study found a number of interesting facts. While devices equipped with global ROMs typically sent only the IMEI number, Chinese software phones also transferred a host of other device information to Chinese servers, including display size or chipset type, and the IMEI number was also shared by China Unicom and China It is also sent for Mobile, despite the fact that no such SIM was inserted into the phones. There is also a serious difference in the handling of location data, with global software only the country code belonging to the SIM is transmitted (Redmi also transmits the SSID of the WiFi network used), but in the case of Chinese ROMs, complete location data is transferred to backend servers, plus the already mentioned to the servers of two Chinese mobile operators.
What is really worrying is the handling of personal data. In the case of the Chinese software version, for example, Redmi simply notified the home servers about the opening of various applications, but all three mobiles also transfer the information about how long calls the user initiated, and the operator’s servers also receive the SIM card number. In China, phone numbers are linked to personal identification, which means you can clearly identify who it is and what they did with the phone. The devices collect and send what number we called, how long we spoke to the person, with whom and how many messages we exchanged. The researchers find that it is even possible to build relationship networks from this data. In the case of Global ROM, these data do not leave the device, the devices only send anonymous diagnostics.
The authors of the study come to the conclusion that the level of data leakage in the case of phones equipped with Chinese software is dangerous. At the same time, they also state that the level of communication and its content are not a concern for products officially sold on the international market with the global ROM. Nevertheless, this research also draws attention to the fact that it is worthwhile to be careful when ordering phones with Chinese localization, for example, this study does not examine a case of how much of these data transmission solutions remain after replacing the ROM on Chinese mobile phones originally intended for the domestic market. In addition to all of this, the research highlights again that in China the following and monitoring of citizens takes place at a completely different level than what the European consumer is used to. Gizmodo notes at the end of the article that the manufacturers involved have not responded to the study’s findings. However, since domestic Chinese models and software are primarily affected, there is a high probability that they will not.