by srg0 1708 days ago
LWN is a nice site, but to save you a couple of clicks, this is the original post by Trinity College Dublin:

https://www.tcd.ie/news_events/articles/study-reveals-scale-...

And this is the paper it talks about (PDF):

https://www.scss.tcd.ie/Doug.Leith/Android_privacy_report.pd...

"Key findings from the study:

- With the exception of e/OS, all of the handset manufacturers examined collect a list of all the apps installed on a handset. This is potentially sensitive information since it can reveal user interests, e.g., a mental health app, a Muslim prayer app, a gay dating app, a Republican news app. There is no opt out from this data collection.

- The Xiaomi handset sends details of all the app screens viewed by a user to Xiaomi, including when and how long each app is used. This reveals, for example, the timing and duration of phone calls. The effect is akin to the use of cookies to track people’s activity as they move between web pages. This data appears to be sent outside Europe to Singapore.

- On the Huawei handset the Swiftkey keyboard sends details of app usage over time to Microsoft. This reveals, for example, when a user is writing a text, using the search bar, searching for contacts.

- Samsung, Xiaomi, Realme and Google collect long-lived device identifiers, e.g., the hardware serial number, alongside user-resettable advertising identifiers. This means that when a user resets an advertising identifier the new identifier value can be trivially re-linked back to the same device, potentially undermining the use of user-resettable advertising identifiers.

- Third-party system apps, e.g., from Google, Microsoft, LinkedIn and Facebook, are pre-installed on most of the handsets and silently collect data, with no opt out.

- There may exist a data ecosystem where data collected from a handset by different companies is shared/linked. Notably, the privacy focused e/OS variant of Android was observed to transmit essentially no data."

2 comments

> - With the exception of e/OS, all of the handset manufacturers examined collect a list of all the apps installed on a handset.

/e/OS is no exception. I looked at the requests made by its "Apps" app. Every time it checks for updates, it tells the server what applications you have installed. These requests are made with a User-Agent header revealing your device model, build ID and Android version. Installed languages are also sent via the Accept-Language header. And there is no option to disable update checks; the closest you can get is to set the interval to monthly.

Contrast that with F-Droid, which downloads the package index in advance (like apt does), so it doesn't need to send the server a list of installed apps in order to check for updates.
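The two update-check designs contrasted in the comment above, as an added example that is not part of the original thread and is not code from /e/OS or F-Droid. The package names, index layout, request paths and User-Agent string are constructed assumptions.

```python
import json

# Constructed sample data: a simplified repository index and an installed-app
# list. Package names and the index layout are hypothetical, not the real
# formats used by F-Droid or /e/OS.
INDEX_JSON = json.dumps({
    "org.example.notes": {"versionCode": 42},
    "org.example.maps": {"versionCode": 310},
    "org.example.mail": {"versionCode": 17},
})
INSTALLED = {"org.example.notes": 40, "org.example.maps": 310,
             "com.example.health": 5}  # the last one is not in this repository


def query_style_request(installed, user_agent, languages):
    """Update check where the client asks the server about its own apps.
    Everything in the returned request is visible to the server."""
    return {
        "method": "POST", "path": "/updates",  # hypothetical endpoint
        "headers": {"User-Agent": user_agent, "Accept-Language": languages},
        "body": json.dumps({"packages": sorted(installed)}),
    }


def index_style_request():
    """Update check where the client fetches the whole index, as apt does.
    The request is identical for every client."""
    return {"method": "GET", "path": "/index.json", "headers": {}, "body": ""}


def updates_from_index(index_json, installed):
    """Match installed apps against the downloaded index on the device."""
    index = json.loads(index_json)
    return {pkg: index[pkg]["versionCode"]
            for pkg, have in installed.items()
            if pkg in index and index[pkg]["versionCode"] > have}


def packages_revealed(request, installed):
    """Which installed package names appear anywhere in the request."""
    wire = json.dumps(request)
    return sorted(p for p in installed if p in wire)


if __name__ == "__main__":
    q = query_style_request(INSTALLED, "ExampleStore/1.0 (ModelX; Build/ABC)", "en-IE,ga")
    print("query design reveals:", packages_revealed(q, INSTALLED))
    print("index design reveals:", packages_revealed(index_style_request(), INSTALLED))
    print("updates found locally:", updates_from_index(INDEX_JSON, INSTALLED))
```

The index fetch still exposes the client's IP address and the time of the check, but not which apps are installed.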

I am curious, do iPhones not send a list of opened apps (a la MacOS) back to Apple periodically? I was under the impression that most phone vendors would collect statistics like that.