iPhone and Android are the most popular mobile operating systems in the world. Yet, both of them treat user privacy very differently.
We did an in-depth privacy comparison, and here’s what we found:
1. Apple collected data despite users asking them not to.
2. Apple closed off competitors to ramp up its advertising business.
3. Apple and Google responded to a whopping 85% of government requests.
4. Android’s lax enforcement of privacy policies with third-party manufacturers and app developers.
5. Android and iPhone app developers selling user data to government agencies and other interested parties without user consent leading to unauthorized data collection.
6. Android and Apple collect location data despite users turning it off.
To stay safe, we recommend users take their privacy into their own hands and use a VPN like NordVPN to hide their IP address (used by both Apple and Google to determine user location if GPS is turned off).
Continue reading the article below for a firm privacy review of Android and iPhone.
As iPhone and Android continue to monopolize the smartphone market, users are concerned about the privacy of their data. Just how much of your information does Google and Apple collect about you? What do they do with it? These are questions bugging millions of smartphone users.
Google earns 80 percent of its revenue from ads and heavily relies on user data to better target these ads. Apple, on the other hand, uses a closed architecture system, but they have a few questionable practices too.
Here’s a detailed look at how each of these platforms manage user privacy.
How iPhone Treats User Privacy
According to Apple, “Privacy is built in from the beginning, from the moment you open your new device to every time you use an app.” So much so that the core of Apple’s marketing and advertising is centered around privacy.
From high-flying billboards plastered with “Privacy is King” and “What happens on your iPhone, stays on your iPhone” to entire ad campaigns that follow a privacy-centric theme (remember the “Privacy. That’s iPhone” ad campaign?).
But is all this true? Does Apple follow through with its strong privacy sentiments? In search of an answer, we ran tests on an iPhone, dug deep into Apple’s privacy policy, past and ongoing privacy lawsuits, and independent research from reputable sources. Here’s what we found:
We carefully researched Apple’s privacy policy to determine how privacy-friendly your iOS device is. Does Apple collect any of your iPhone data? If it does, what data does it collect? What is it used for? More importantly, does it collect user data without their consent? We provide all the answers.
iPhone’s closed system architecture
The closed nature of iPhones means that the operating system (iOS) is proprietary software owned by Apple. This means the source code is not available to the public.
The closed nature of iOS prevents hackers from analyzing the source code for vulnerabilities they can exploit or third-party manufacturers from modifying it and using it on their devices.
Furthermore, iOS implements the secure sandbox architecture for apps. A “sandbox” is a “space” that an app is installed and operates in. This limits an app to only the system resources, files, and directories it needs to operate and nothing more.
Permissions for GPS, camera, microphone, files, and so on are set by the user during app installation and on iPhone’s system settings.
The sandbox architecture is a fantastic security and privacy feature that prohibits insecure apps from affecting other apps, limits hacker access, and restricts apps’ access to resources.
Third-party apps and permissions
In 2021, Apple implemented a controversial but long-awaited privacy feature called App Tracking Transparency (ATT). This privacy-landmark feature mandates apps to first seek consent from users before tracking their activity across apps and websites.
Meaning, if you ask an app not to track, the app developer can’t access the system advertising identifier (IDFA) which is used to track your behavior online so as to target you with ads based on this behavior.
The launch of App Tracking Transparency caused an uproar from apps such as Facebook who took out full-page newspaper ads to oppose it.
However, shifting to users, Flurry Analytics reported that 85 percent of worldwide users clicked ‘ask app not to track’ when prompted, with the proportion rising to 94 percent in the US.
Apple App Store privacy
In their privacy policy, Apple confirms that it collects your IP address, information about your browsing habits, purchases, searches, and downloads.
According to the company’s privacy policy:
“To improve the experience in the App Store and other Apple online stores, we collect information about your usage of the stores, including when you open or close the App Store, what content you search for, the content you view and download, and your interactions with App Store push notifications and badges as well as messages from the App Store within apps.”
“We also collect information about your device such as the type of device, the version of your operating system, and the amount of free space on your device. We may use this information to assess whether requested content can be downloaded, to understand general trends in use of device storage, and whether your device is connected by Wi-Fi or cellular.”
Furthermore, when you download an app from the App Store, identifiers such as your device’s hardware ID and IP address are logged by Apple, along with your Apple ID.
You can turn off personalization features in the App Store, Apple Books, iTunes Store, Apple TV, Podcasts, and for subscriptions from Apple by turning off Personalized Recommendations for your Apple ID.
Apple ID and iCloud privacy
Apple states, “An Apple ID is the personal account you use to access Apple services like iCloud, the App Store and other Apple online stores, iMessage, and FaceTime, and to access your content across all your devices and the web.” It’s similar to a Gmail email address for accessing Android and other Google services.
If you use iCloud, certain data stored on your device will be automatically sent to and stored by Apple. This allows you to access your data on all your iCloud-enabled devices or computers (“devices”) automatically. This data includes:
- Contacts
- Calendars
- Reminders
- Bookmarks
- Safari tabs
- Health data
- Home data
- Notes
- Freeform
- Photos
- Documents
- Wallet data
- Keychain and passwords
- Device and account settings
- Data from third-party apps that use iCloud
Apple claims, “iCloud Backup can help you restore your data in case you need to replace your device or restore it.”
For certain iCloud information, Apple uses end-to-end encryption, meaning no one besides you can access this information – not even Apple. There are two types of iCloud data protection:
- Standard Data Protection: Default iCloud security setting. Your iCloud data is encrypted, the encryption keys are secured in Apple data centers to help with data recovery, and only 14 categories are end-to-end encrypted, excluding categories such as Photos, Notes, Safari Bookmarks, Siri Shortcuts, and more.
- Advanced Data Protection: Introduced in iOS 16.2; most of your iCloud data (23 categories), only excluding iCloud Mail, Contacts, and Calendar will be end-to-end encrypted. Meaning, your trusted devices retain sole access to your iCloud Data.
However, you have to opt-in to this feature by going to Settings > tap your Apple ID > tap iCloud > iCloud Backup > Scroll down to Advanced Data Protection and tap on it.
Analytics data
Based on our analysis, Apple may provide partners and developers a subset of analytics data and information that may be relevant to them and statistics on how you use their app, product, or services.
On your iPhone, you can choose not to share this data by going to Settings > Privacy & Security > Analytics & Improvements, and turning off “Share With App Developers.” Once this is turned off, Crash Data and app usage statistics will no longer be shared with Apple or third-party developers.
Location data
Location Services allows Apple, third-party apps, and websites to gather and use information based on your iPhone’s location so as to provide location-based services.
For example, Location Services comes in handy when using ride-sharing apps to be picked from and go to certain locations or when searching for a vegan restaurant near you.
Apple says, “Location Services uses GPS and Bluetooth (where those are available) along with crowd-sourced Wi-Fi hotspots and cell tower locations to determine your device’s approximate location.”
Crowdflow.net aggregated data from 1000 iPhone logs in an attempt to create a map of Wi-Fi hotspots. Here’s an example of Wi-Fi networks in Germany.
Apple maintains a database of crowd-sourced Wi-Fi hotspots like this globally. According to Apple, all this Location Data that’s transmitted from your iPhone is collected by the company anonymously.
Face ID and Touch ID
Touch ID and Face ID (Apple’s facial recognition system)are biometric authentication methods used on iPhones to unlock the device and make purchases.
Apple stated that “The probability that a random person in the population could look at your iPhone or iPad Pro and unlock it using Face ID is less than 1 in 1,000,000.” Apple utilizes the TrueDepth camera and an infrared image of the face to form an image of your face.
Furthermore, due to COVID-19, Apple added a feature that allows Face ID while wearing a mask. With that said, there have been issues with Face ID such as twins and closely related relatives being able to unlock each other’s phones. Also, Face ID with a mask increases the probability of false positives.
Although discontinued, Touch ID “creates a mathematical representation of your fingerprint and compares this to your enrolled fingerprint data to identify a match and unlock your device.”
According to Apple, the probability of a random person unlocking your device using Touch ID on the first try is 1 in 50,000. However, security researchers have found that Touch ID could be fooled using 3D-printed fingerprints.
In regards to the privacy and security of your Face ID and Touch ID data, Apple assures users that the biometric data does not leave their device, and is never backed up to iCloud or anywhere else.
Instead, it’s encrypted, stored on the device, and protected with a key available only to the Secure Enclave. Furthermore, disabling Face ID on your device also deletes the Face ID data, including mathematical representations of your face, from your device.
Siri privacy
Siri Data (the data Siri collects about you) is linked to a random identifier and not your Apple ID, email address, or other data Apple may have on you. Meaning, your Siri Data cannot be linked back to you, according to Apple.
With that said, Siri sends all your voice inputs to Siri servers for processing. This also includes transcripts of your interactions. When you use Siri and Dictation, your device will send other Siri data, such as contact names, nicknames such as “Dad”, music and podcasts you enjoy, names of apps installed on your iPhone and shortcuts added through Siri, and much more.
It’s good to note that Siri dictation such as dictating notes or composing messages are stored on your phone. However, dictating in a search box and other dictations are sent to and processed on Apple servers.
Siri Data and requests are not used to build a marketing profile or shared with third-parties. According to Apple, they are only used to improve Siri and how it serves you.
Health data privacy
The Health app can consolidate data from your iOS device, Apple Watch and other devices, health records, and apps you use so you can have a more comprehensive view of your health information in one convenient place.
You control which data is stored in the Health app and which data is shared with third-party apps and people you trust.
When your device is locked using a Passcode, Face ID, or Touch ID – all of your health and fitness data in the Health app — other than your Medical ID — is encrypted and inaccessible by default.
If you are using iOS 12 or later and turn on two-factor authentication, Apple will not be able to read your health and activity data synced to iCloud since it will be end-to-end encrypted.
Your iPhone allows you to share your health data with third-party apps that you trust. However, Apple expects you to review the privacy policy of each app that you grant access to your Health data to learn why it needs your data and how it will use it.
Maps privacy
Maps on iPhone collects information such as the time of your request, device model and software version, input language, device location, search terms and features you use, the places you view, and your interactions with notifications from Maps, and much more.
Apple says, this information is not tied to your Apple ID and it’s strictly used to improve upon services. Apple also doesn’t store your precise location instead they convert the exact location to less precise locations within 24 hours. This makes it difficult for them to identify you based on your location.
Furthermore, according to Apple, “Maps keeps your personal data in sync across all your devices using end‑to-end encryption. Your Significant Locations and collections are encrypted end‑to‑end so Apple cannot read them. And when you share your ETA with other Maps users, Apple can’t see your location.”
In relation to sharing Maps data with third parties, Apple maintains that it shares “movement data, Point of Interest (POI) data, and aggregated user analytics with our partners.
Data is shared only if certain minimum thresholds are met, in order to prevent these partners from correlating this information back to any specific Maps user.”
Apple also claims that:
Data that is sent to Apple may be processed and stored by trusted third-party service providers.
However, the company does not specify exactly what kind of Maps data they allow to be processed and stored by the third-parties.
Gaps in iPhones’ Privacy Enforcement
Despite Apple’s reputation for being a champion of user privacy, we’ve discovered gaps in iPhones’ privacy enforcement that leave users vulnerable to data breaches and other privacy violations.
These gaps range from security vulnerabilities in Apple’s software and hardware to third-party app developers’ lax privacy practices and the lack of transparency in Apple’s data collection and storage policies.
One of the biggest gaps in iPhones’ privacy enforcement is the lack of transparency in Apple’s data collection and storage policies. Apple collects a vast amount of data from its users, including location data, analytics data, and app usage, among others.
While Apple claims to use this data only to improve its products and services, there is little transparency in how this data is collected, processed, and shared with third parties.
Below we take an in-depth look at the gaps in iPhones’ privacy enforcement.
iPhone’s closed system architecture: privacy nightmare?
Apple’s closed system is lauded to be an advantage to privacy and security, but is it?
In a 2021 article, The Washington Post revealed how the nature of iOS makes it vulnerable to attacks. The article detailed how Pegasus spyware – developed by Israeli cyber-arms company, NSO Group – was successfully used to infiltrate iPhones belonging to journalists, human-rights activists, and public office officials.
The Washington Post reported out of the 34 iPhones tested by Amnesty International Lab — 23 showed signs of a successful Pegasus infection and 11 showed signs of attempted infection.
Once the Pegasus mobile spyware infects an iPhone, it can access all features and data just like the owner, effectively monitoring your phone.
Furthermore, due to the tight control Apple has over the hardware and software running on its devices, the company sometimes restricts access to companies offering competing services. By doing this, Apple ensures users stick to their services such as App Store, Apple Pay, Apple Music, Apple Books, and Apple weather.
For example, in 2021, the European Union (E.U.) charged Apple on grounds that Apple undercut competitors whose services competed with Apple Pay such as PayPal.
The EU claimed that Apple restricted access to the hardware and software in its devices that enable communication with payment terminals in stores, known as Near Field Communications (NFC).
Data collected without user consent
Apple says it only collects data that users have consented to help the company improve services and user experience. But according to security researcher Mysk, this is not the case.
Tommy Mysk found that despite users disallowing Apple from collecting their data for analytics, the company still went against their request and collected their data. Mysk filed a lawsuit against Apple for these practices.
Furthermore, in January 2023, CNIL – the French data protection watchdog – found that iOS 14.6 automatically read identifiers on the user’s iPhone that enabled Apple to personalize ads on the App Store.
The processing occurred without Apple obtaining proper consent from users. CNIL imposed a sanction of €8 million on Apple.
How does Apple manage third-party data requests?
Apple claims that privacy is at the center of everything it does. However, if we are to take a closer look at how it responds to data requests from authorities and other third parties, we quickly find this couldn’t be further from the truth.
For example, Apple’s transparency report revealed that the company responds on average to 85% of data requests (from all countries) from law enforcement.
To make it worse, a New York Times article found out that Apple uses a third-party company as a proxy to comply with China’s data requests on Chinese citizens. In other words, this allows Apple to say, “Hey, we are not handing over customer data to the Chinese government.” Well, at least not directly.
In the same article, the New York Times noted that Apple hands over data of oppressed groups such as the Uyghurs to the Chinese government. It also knowingly permits apps in the app store that encourages their oppression.
App Store privacy concerns
Apple maintains a monopoly on the Apple App Store. iPhone users cannot sideload apps or install apps from third-party sources. According to the company, the main reason for this is to maintain a high level of security and privacy for users.
Security researcher Bruce Schneier says in his blog that Apple’s claims about risks to privacy and security are both false and disingenuous, and motivated by their own self-interest and not the public interest.
Case in point: Tommy Mysk filed another lawsuit against Apple’s privacy infringements and found that Apple collects an insurmountable amount of data (without consent) on how users interact with the App Store.
App Store data they collect includes what apps users searched for, apps they tapped on, how they found an app, how long they looked at a given app’s page, and what ads they saw, among other App Store related data.
However, that’s not all. Together with this data, it sent details that included type of phone, screen resolution, keyboard languages and more — information that could be used in device fingerprinting.
Telemetry data collected without consent
“Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google (PDF)” by J. Leith revealed that Apple and Google transmit telemetry despite the user opting out of it.
He noted that during the first ten minutes of startup, the iPhone sends around 42KB of data (Google collects about 20 times more). In general, he noted that the operating systems connect to their back-end servers on average every 4.5 minutes, whether they’re in use or not. The data collected during these times include:
- The devices’ IMEI
- Hardware serial number
- SIM serial number
- Phone number
- Device IDs
- Location
- Telemetry
- Cookies
- Local IP Address
- Device Wi-Fi MAC address
- Nearby Wi-Fi MAC
Furthermore, Leith noted, “Although Siri is not enabled on the handset, connections are made to server smoot.apple.com by the parsed process associated with Siri. When a URL is typed in Safari, corresponding telemetry logging the URL is sent to smoot.apple.com. Again, this occurs despite the fact that Apple telemetry is disabled in the device settings.”
He further noted there are no workaround options to prevent an iPhone from sharing data with Apple. When Leith contacted Apple about his findings, he got no response.
Is your iCloud data safe?
iCloud privacy has been a source of controversy for Apple which lauds itself as a “privacy-friendly platform” but then turns around and responds to an average of 85% of data requests worldwide from law enforcement.
To protect your data against this, in December 2022, Apple rolled out the highly anticipated Advanced Data Protection iCloud feature that offers end-to-end encryption for iCloud in the US with plans to roll out the feature worldwide in iOS 16.3.
It’s good to note that users must opt-in to iCloud’s Advanced Data Protection to enable end-to-end encryption for their iCloud backups since it’s not enabled by default.
Third-party trackers on iPhone
App Tracking Transparency gives users the option to opt-out of third-party tracking. However, former Apple engineers turned privacy activists who developed the privacy app Lockdown for iOS, conducted tests that revealed that:
App Tracking Transparency made no difference in the total number of active third-party trackers, and had a minimal impact on the total number of third-party tracking connection attempts. We further confirmed that detailed personal or device data was being sent to trackers in almost all cases.
Armed with an iPhone running iOS 16, we downloaded the latest version of Lockdown from the App Store and proceeded to run our tests. We closed all running apps, launched Lockdown, and turned on its Firewall. The Firewall denies access to a list of popular trackers on its “Block List.”
With the firewall fired up, we were ready to run an app and monitor the domains (if any) that appear on the blocked log despite requesting the app not to track them. We chose Bolt, a popular ride-sharing app, as our test subject.
Seconds after starting the app, the “Block Log” on Lockdown was populated with 33 entries, with an overwhelming majority of the entries pointing to a single domain: graph.facebook.com – a popular Facebook tracker.
We are not sure why the app made so many connections to the Facebook domain considering we didn’t sign up using Facebook or connected the app to Facebook in any other way. Another domain that regularly occurred on the block log is: play.googleapis.com.
Is your data used for advertising?
Apple’s main source of income has been selling devices such as iPhone, iPad, MacBooks, and Apple watches. However, after dealing a blow to advertisers like Facebook and Google with App Tracking Transparency, Apple seems to be quietly ramping up its efforts to increase revenue through advertising. This is despite Tim Cook assuring users in 2018 that the company voted against monetizing users.
According to the Financial Times, “Apple’s advertising business has grown from a few hundred million in the late 2010s to $5 billion in 2022.” The research group, Evercore ISI, expects Apple’s ad business to grow to $30 billion in the next three years.
Apple implemented the App Tracking Transparency feature that allowed users to opt out of tracking by advertisers. The move was applauded by privacy groups and pro-privacy users alike.
On the other hand, the move caused an uproar from app developers such as Facebook and overall cost these apps over $10 billion in advertising revenue in a year.
However, upon taking a closer look, we found the move wasn’t geared towards preserving the privacy of users but rather to increase Apple’s monopoly and revenue.
Since introducing App Tracking Transparency, Mashable reported Apple’s ad revenue skyrocketed. Apple went from capturing 17% of sponsored ads in the App Store to a mind-blowing 58%.
The reason advertisers backed down from Facebook and Google is because they no longer had access to crucial data and so moved to Apple.
The EU penalized Apple in 2021 for unfair business practices that required users to consent to third-party tracking, in contrast to an option in iOS called “personalized advertising” that, according to the EU, allows Apple to track users and is enabled by default.
As mentioned earlier, coupled with personal information, the company tracks all taps users make on the App Store and time spent looking at app pages so as to better target ads.
Additionally, Apple has recently doubled advertising space for app developers in the App Store with plans to add more. All this puts Apple in a fantastic position to greatly benefit from sponsored ads.
Is Siri data private?
According to Apple, your Siri Data is associated with a random identifier instead of your Apple ID or email address. This means the Siri Data collected by Apple is not personally identifiable.
This is more privacy-friendly compared to Google or Amazon which tie your voice assistant data to your account.
However, in 2019 the Guardian published a shocking report that detailed how Apple’s contractors listened to Siri recordings. These recordings were mostly recorded accidentally and included confidential information such as medical information, business deals, and sexual encounters.
An anonymous whistleblower working for the company confessed to the Guardian that there were no specific procedures to deal with sensitive recordings.
Even more worrying is that the whistleblower revealed that since the majority of the recordings were accidental, “If there were someone [among the reviewers] with nefarious intentions, it wouldn’t be hard to identify [people on the recordings].”
How Google Treats User Privacy
Alphabet – which owns Android – is the largest media company in the world. Unlike Apple which earns the majority of its revenue from selling devices, Google’s primary source of income is selling advertisements.
To do this, Google offers free services such as Android, Google Search, Gmail, YouTube, Google Maps, and much more in exchange for user data that the company uses to target ads. The more detailed the user data collected, the better Google is at targeting ads hence increasing conversions.
Google’s privacy policy for Android devices covers a wide range of data collection practices, including device information, location data, and browsing history. The policy explains how this data is used to improve Google’s products and services and to provide personalized experiences for users.
It also outlines how Google shares this data with third-party app developers and partners. It also details how it provides users with tools to control their data and privacy settings. Below we take a look at Android’s privacy policy and its developments.
Android Privacy Sandbox
At the time of this writing, Android just announced that the highly anticipated Android Privacy Sandbox is moving into Beta and is slowly being rolled out to Android 13 so users and developers can start testing the technology. Android is conducting a major overhaul on how it collects data for advertising.
The main goal of Android Privacy Sandbox is to create API’s that limit user data sharing and reduce the potential for undisclosed data collection.
However, it’s important to note that developers will continue using their own first-party data without any restrictions. This first-party data refers to data collected from the developer’s app.
Advertising
Google is “experimenting with new ways of supporting the delivery and measurement of digital advertising in ways that better protect people’s privacy online via Chrome’s [and Android’s] Privacy Sandbox initiative.”
With the Android Privacy Sandbox technology, Google is planning to phase out cross-app identifiers like Advertising ID and limit data sharing with third parties. To determine the ads users will see, the Privacy Sandbox will rely on features such as “Topics” and “FLEDGE.”
- Topics: Also known as “Interest-based advertising” refers to ads based on user interest that’s derived from the apps the user has engaged with in the past.
- FLEDGE: Show ads based on “custom audiences” defined by app developers and the previous interactions within their app.
This is in stark contrast to how ads are currently served on Android. How does Google currently determine the ads you see? Google uses different criteria to target ads.
- It may base ads on your past and current location by using your IP address to approximate your location.
- Based on the current page you’re looking at. For instance, if you’re looking at a page about baking, you might see ads about baking.
- Ads may also be based on app activity, web activity, and ads based on your activity on another device.
- You might see ads based on the data you’ve shared with third-party apps and businesses.
Google Play Store
In an effort to improve user privacy, Google introduced stricter requirements for Google Play Store apps in June 2022. Each app is required to have a privacy policy that outlines how it accesses, collects, uses, and shares user data.
Furthermore, Google introduced the Google Data Safety Form that mandates apps to describe their data privacy and security practices. The information filled by developers in the Data Safety Form is displayed to users before they download the app.
Google Maps
Google Maps allows users to search for and view maps, obtain directions, and view satellite imagery of locations around the world. Google Maps may collect and process personal data to provide users with these services. Here’s the user data Google collects according to its privacy policy.
- User-provided information: Google may collect personal data that users provide directly to Google when they use Google Maps, such as search queries, location data, and user feedback.
- Device information: Google may collect information about users’ devices, such as their IP address, device type, and browser type.
- Usage information: Google may collect information about how users interact with Google Maps, such as the pages they visit and the features they use.
- Location information: Google may collect information about users’ location when they use Google Maps, either through GPS or other location technologies.
Google may use the personal data collected in connection with Google Maps for various purposes such as providing and improving Google Maps, personalizing ads, analytics and research, and improving safety and security.
Google may share personal data collected in connection with Google Maps with various third parties, including:
- Service providers: Google may share personal data with third-party service providers who help Google provide and improve Google Maps.
- Affiliates and subsidiaries: Google may share personal data with its affiliates and subsidiaries for business purposes.
- Legal and regulatory authorities: Google may share personal data with legal and regulatory authorities if required to do so by law.
- Safety and security: Google may use personal data to ensure the safety and security of users of Google Maps.
Location
Knowing your location can help Google in providing better directions, displaying places of interest near you, notify you if a service establishment is busy, and so on. Google can determine your location in several ways discussed below:
- Using your IP address: Your IP address can be used to determine your location.
- From your past activity: If you search for “bakeries in Paris”, for instance, Google will assume that you’re in Paris and will display bakeries located in Paris and other areas of interest.
- From your labeled places: Labelled places such as home or work can influence the results Google provides you.
- Google Location Accuracy: Aims to provide a more accurate device location and generally improve location accuracy. It utilizes GPS that’s equipped on your phone, nearby Wi-Fi, mobile networks, and device sensors.
Gaps in Android’s Privacy Policy
There are three major factors that pose a risk to user privacy when it comes to the Android operating system:
- Google relies on user data to target ads which comprise of 80 percent of its revenue.
- Android is open-source and licensed to independent smartphone manufacturers who can modify it as they see fit.
Let’s take a closer look at how these and other factors affect user privacy on Android.
Android’s open-source architecture
Android is the most popular operating system powering over 2.5 billion devices. These Android devices comprise smartphones, digital cameras, watches, tablets, and even fridges!
One of the main reasons Android is so popular is because it’s open-source, meaning it’s not proprietary hence it’s publicly available for download, use, and modification by anyone for free.
Furthermore, manufacturers can customize the operating system however they like to suit their devices. For example, smartphone manufacturers can customize Android by adding unique features and pre-installed apps to increase its value to users and make it stand out from other manufacturers.
Third-party manufacturer’s privacy concerns
Alphabet, the parent company of Google and Android, works with trusted partners to deliver Android to users. Android’s website contains a list of “certified partners” (we couldn’t help but notice that some listed partners lacked basic security (SSL) on their websites).
These are partners Google has vetted and certified to run Android on their devices such as mobile phones and tablets.
These manufacturers are divided into two:
- Original Equipment Manufacturers (OEM): OEM companies such as Samsung, Xiaomi, and Huawei develop and manufacture smartphones based on their own specifications and retain ownership rights of the smartphones.
- Original Design Manufacturers (ODM): ODM manufacturers design and develop smartphones according to their specifications but sell them to third parties who then deal with branding, marketing, and selling the smartphones to the masses.
In the “On the data privacy practices of Android OEMs” research paper published in January 2023 by Doug Leith, he noted that OEM manufacturers such as Samsung and Oppo customize Android before installing it in handsets.
The customizations are proprietary and closed, with little public documentation. As a result, little is known about the data privacy practices of these OEMs.
After running tests and procedures on different Android devices manufactured by different OEMs, the paper went on to conclude:
We find that all of the OEMs make undue use of long-lived hardware identifiers such as the hardware serial number, handset IMEI and so fail to follow best privacy practice. Hardware identifiers are also linked to the handset user’s real identity when they sign in to an OEM account on the handset. All of the OEMs collect the list of apps installed in a handset. This is a privacy concern since the list of installed apps can be used to profile user traits and preferences. All of the OEMs collect analytics/telemetry data, raising obvious privacy concerns.
Furthermore, having bought and tested the smartphones in Europe, they concluded they were in clear violation of the GDPR guidelines.
We also tested and determined that Android OS and APIs can be used to access every URL on a mobile device, which can prove to be a serious breach of user trust and privacy, especially if phones are being resold.
Google Play Protect
Google Play Protect constantly checks your apps and devices for harmful apps or behavior. It also checks your device for potentially harmful apps from other sources.
Google Play Protect ensures there are no malicious apps installed on your Android phone, either from the app store or third-party sources.
For users to be able to install Google apps on their Android devices such as the official YouTube App, Gmail, Google Maps, and other apps on the Play Store, their devices must be Google Play Protect certified. To earn this certificate, the devices must go through a security check by the Android team.
The Android team at Google certifies these devices to ensure they are secure and ready to run apps from Google and the Play Store.
However, in 2021, Privacy International ran tests on TECNO’s (a Chinese mobile phone manufacturer with 47% market share in East Africa) Y2 mobile phone. What they found was appalling!
The TECNO Y2 was running an obsolete version of Android (released 7 years prior) that contained numerous critical vulnerabilities and insecure apps. This is even though the phone was Google Play Protect certified and was one of TECNO’s latest models at the time.
In another case, during the BlackHatUSA conference in 2019, former Android senior reverse engineer and tech lead, Maddie Stone, revealed that following an analysis by Google of apps that come pre-loaded on Android phones (and often impossible to remove), most of them abused user privacy.
Ad-tracking on Android
Advertising is the bread and butter of Alphabet (parent company of Google), earning the company a staggering $224 billion in 2022. That’s a whopping 65 percent increase in ad revenue from 2020!
| Google Advertising Revenue Breakdown | 2022 |
|---|---|
| Google Search & Other | $ 162.45 B |
| Google Network Members | $ 32.78 B |
| YouTube Ads | $ 29.24 B |
The user data Google collects from its free services is critical for it to target ads adequately. For example, on Android, the keywords users search for on Play Store, Google Search, and YouTube are sold to the highest bidder in real-time who offer services that correspond to those keywords.
Furthermore, Android Advertising ID (AAID) or Google Advertising ID (GAID) is a unique, user-resettable, device-wide, per-profile ID that enables third-party tracking on mobile devices and is used for advertising.
Every mobile device has this unique advertising identifier. Ever noticed when you search for a product/service, let’s say cheap flights on Google, just to later stumble upon an ad on Instagram offering the same service down to the specific flight(s) you searched for? That’s the job of AAID.
AdId tracks you across different apps, what you do on these apps, how long you’re on them, and everything in between. It possibly ties all this data together to create an advertising profile about you, your habits, behaviors, movements, and so much more.
In a December 2021 paper titled “Are iPhones Really Better for Privacy?”, the researchers noted that:
Potential access to the AdId was more widespread among Android apps than iOS ones. Among the studied apps, 86.1% of Android apps could access the AdId, 42.7% on iOS, allowing them to track individuals across apps easily.
According to Google, all this is poised to change with the rollout of Android Privacy Sandbox in Android 13 that will phase out AdId completely.
Google Play Store privacy concerns
Google is in charge of the Google Play Store. It’s responsible for vetting all apps posted in the Play Store to ensure they uphold privacy and security standards as per its policies.
Google earns a 30% commission on all earnings on the app store, whether through app sales or donations. In 2021, Google grossed $48 billion in global revenue from Play Store apps alone.
Besides sales commissions, Google also earns revenue from advertising on the Play Store. Developers can bid on certain keywords that best represent their app and in turn, their app will be among the top search results for that keyword.
Additionally, Google runs ad networks such as AdMob that serve ads within apps, splitting the earnings with developers.
To boost user privacy and conform to GDPR standards, Google introduced the data privacy section in the Play Store. It mandates developers to provide accurate declarations for the data collected by their apps by filling out a Google Data Safety Form.
These declarations should outline the information an app collects from users, what it does with it, whether it shares it with third parties, and so on.
| Poor | Needs Improvement | OK | Not Graded |
|---|---|---|---|
| YouTube | Google Play Games | UC Browser – Safe, Fast, Private | |
| Messenger | Google Chrome: Fast Secure | Subway Surfers | |
| Samsung Push Services | Google Maps | Candy Crush Saga | |
| Snapchat | Gmail | ||
| Facebook Lite | WhatsApp Messenger | ||
| Free Fire | |||
| TikTok | |||
| Spotify | |||
| Truecaller: Caller ID & Block |
The Mozilla Foundation found shortfalls in the Data Safety Form itself. For instance, the form didn’t require apps to report data sharing with “service providers” and contained ambiguous definitions for “data collection” and “data sharing”, giving developers room to mislead users.
Google Maps privacy concerns
Google Maps is the most popular digital maps service in the world with over one billion users a month. Some of the main reasons why Google Maps is so popular is because it’s intuitive to use, and offers better directions compared to competitors.
However, for Google Maps to be as exceptionally detail-oriented as it is, the app needs a lot of user data. According to Google, Google Maps users contribute more than 20 million pieces of information daily.
This data is tied to what users search for on Google Search. For instance, the majority of users are not aware of different Google privacy settings that they must tweak.
When turned on, Web & App Activity saves information like searches and other things you do on Google products and services, like Maps and Play. Your location, language, IP address, referrer, whether you use a browser or an app, and more are tracked and stored.
Besides the places you’ve searched for, Maps also keeps a record of everywhere you’ve been such as shops you’ve visited, restaurants you’ve eaten from, and so on in your “Location History.”
All this data is tied to your account which is not so straightforward to log out of. And if you manage to log out of your Google account you won’t be able to save your frequently visited places or other places you’re interested in visiting in the future.
Furthermore, Google responds to over 80-85 percent of data requests from law enforcement, and “Location Services” literally saves everywhere you go with your device even when you’re not using Google services.
According to Google:
Ads can be served based on your general location. This can include location derived from the device’s IP address.
Even when you disable Location Services and Web & App Activity, Google still tracks your location using your IP address. Google collects and uses your IP address to determine your location and serve you ads based on this location. To prevent this and keep your IP address hidden, we recommend using a reputable VPN. It will mask your IP address hence prevent location tracking among other privacy features.
Location Tracking on iPhone and Android
Location tracking on smartphones has been one of the biggest privacy concerns among users. Case in point: in March 2023, the FBI director admitted in a Senate hearing that the FBI purchased US location data rather than obtaining a warrant.
On a similar note, in 2020, the Department of Homeland Security was reported to have purchased the location data of millions of Americans from a private marketing firms.
In relation to this, in 2020, The Wall Street Journal reported that “The Trump administration has bought access to a commercial database that maps the movements of millions of cellphones in America and is using it for immigration and border enforcement.”
In the past, hackers and security researchers such as Samy Kamkar were able to hack Google’s internet access point database and access the home addresses of users despite Google claiming the data is not personally identifiable.
How to Improve Your Data Privacy
There’s no doubt that data is crucial for improving digital services that we rely upon every day. However, as demonstrated in this article, personal information is being collected, stored, and shared on a massive scale by Apple and Google, raising concerns about privacy and security.
Improving your data privacy is crucial in protecting yourself from tracking, data breaches, identity theft, and other privacy violations. By taking proactive steps to secure your personal information, you can minimize the risks associated with data sharing and ensure that your online activities remain private and secure.
Use a VPN
Both Google and Android have made significant moves towards protecting user privacy. Taking a closer look, however, quickly reveals these privacy initiatives are not what they are purported to be. For instance:
| Privacy Initiative | Privacy Initiative Concerns |
|---|---|
| App Tracking Transparency (iPhone) | Apple allows users to block third-party tracking, but upon taking a closer look, it’s clear Apple was blocking out competitors to promote its advertising business which grew tenfold from 2016 to 2021. |
| Google Data Safety Forms (Android) | Google requires developers to fill out a data safety form detailing how data collected from users will be handled. In a 2023 study, Mozilla found the data filled out by the majority of the top 40 apps on the App Store such as Facebook and Twitter were not in line with their privacy policies, thus misleading users. |
| Android Privacy Sandbox | Google hasn’t released any information around this yet, but we don’t expect the company to make massive changes to its $200 billion ad model. |
- Fast and large worldwide network of VPN servers
- Perfect for privacy and streaming
- Trusted by many, with over 14 million users
An industry-leading VPN such as NordVPN – which in early 2023 passed its third and most comprehensive independent audit ascertaining, among other things, its no-logs policy – will anonymize your connection using cutting-edge encryption and mask your IP address.
This will significantly reduce location tracking, data collection, cyberstalking, and other privacy risks.
Conclusion
From all the research, studies we have read, and tests we have run, we’ve unfortunately concluded that neither iPhone nor Android is mindful of user privacy to the extent that they should be.
In this case, privacy means that user data is not collected, processed, and stored on a massive scale on remote servers and shared with third-parties users didn’t consent to.
There’s no doubt that data is crucial for improving services, but the amount of data currently being collected by Google and Apple is extensive. it’s not hard for these companies to cross-reference the different data points and come up with a complete picture of who you are and what your life is like.
For example, using your IP address, IMEI number, and account information, Google can figure out who you are. Moreover, by cross-referencing with your GPS data, they can quickly learn where your home is, where you work, and other important locations you visit.
Furthermore, by collecting data from an internet access point such as your home Wi-Fi, they can figure out who your loved ones are, how many members there are in your family and so on based on the devices connected to that Wi-Fi. This collection and cross-referencing of data can reveal a lot!
It’s upon users to demand for change and defend their right to privacy by using privacy tools such as a VPN to hide their IP address and mask their activities online.
Despite users owning these devices through purchase, they are confronted with the fact that these devices still belong to the manufacturers, and to their dismay, they are increasingly benefitting from the (private) data we store on them.
As seen in this article, despite users opting out from different tracking features, iPhone, Android, and third-party apps still go ahead and collect data such as analytics, location, and so on.
If you’d like answers to some of the most common questions about iPhone vs. Android, check out the FAQ section below!
Privacy on Android and iPhone evolves dramatically and depends on a variety of factors. Generally, Apple has implemented stronger privacy measures and has a more closed ecosystem.
Apple also gives users more control over their data and transparency. While Android allows for more customization and additional steps to increase privacy, Google’s primary focus is advertising which means it collects more data to target ads. However, Apple has also started dipping its feet in sponsored ads.
To a certain extent, yes. For instance, Apple maintains strict standards over the App Store by ensuring app developers safeguard user data and privacy.
However, iPhones have also been found to collect data without user consent, Apple also responds to over 85% of data requests, and third-party apps have collected and sold user data.
No. Google relies on advertising as its main source of revenue while Apple relies on selling devices such as iPhones, iPads, Apple Watch, and so on as its main source of revenue.
However, Apple is ramping up its efforts in advertising which means it will require more user data to target ads successfully. Case in point: Apple grew its advertising business tenfold from 2016 to 2021.
Android is generally considered less privacy-friendly than iPhone due to Google’s focus on advertising and data collection. However, Android allows for more customization, which means you can take steps to increase privacy.
How? By adjusting settings and using privacy apps and custom ROMs that are geared toward privacy. You can read our full iPhone vs. Android: Privacy Review article to learn more.
