Android (Operating System)

Cybernews researchers analyzed the new Pixel 9 Pro XL smartphone’s web traffic, focusing on what a new smartphone sends to Google.

“Every 15 minutes, Google Pixel 9 Pro XL sends a data packet to Google. The device shares location, email address, phone number, network status, and other telemetry. Even more concerning, the phone periodically attempts to download and run new code, potentially opening up security risks,” said Aras Nazarovas, a security researcher at Cybernews.

[…]

Key takeaways

• Private information was repeatedly sent in the background, including the user’s email address, phone number, location, app list, and other telemetry and statistics.
• The phone constantly requests new “experiments and configurations,” tries accessing the staging environment, and connects to device management and policy enforcement endpoints, suggesting Google’s remote control capabilities.
• The Pixel device connected to services that were not used, nor explicit consent was given, such as Face Grouping endpoints, causing privacy and ownership concerns.
• The calculator app, in some conditions, leaks calculations history to unauthenticated users with physical access.

Google intended its Web Environment Integrity API, announced on a developer mailing list in May, to serve as a way to limit online fraud and abuse without enabling privacy problems like cross-site tracking or browser fingerprinting.

[…] 

To do this, the system would need to check, via attestation, whether the visitor's software and hardware stack met certain criteria and thus was authentic. That's great until it's abused to turn away visitors who have a setup a website owner isn't happy with – such as running a content blocker or video downloader.

Technical types saw this immediately, and became concerned that Google wanted to create a form of digital rights/restriction management (DRM) for the web. One benefit could be that ad fraud might be easier to prevent; but the risk is that the API could be used to limit web freedom, by giving websites or third-parties a say in the browser and software stack used by visitors.

Apple incidentally has already shipped its own attestation scheme called Private Access Tokens, which while it presents some of the same concerns is arguably less worrisome than Google's proposal because Safari's overall share of the web browser market across all devices is far lower than Chrome's.